LTS Secure Warning: Fake Zoom Installer Being Used to Distribute WebMonitor RAT

Due to the COVID-19 pandemic, employees of many organisations have shifted to remote role, increasing the usage of video conferencing applications. Researchers have identified multiple campaigns that are making use of the current situation to bundle legitimate applications with malicious tools. One such campaign that was recently detected was against the Zoom app.

Technical Details

The infection starts, when the user downloads the malicious installer (ZoomIntsaller.exe) from a malicious source. The installer in this case, is a combination of the actual Zoom installer & the RevCode WebMonitor RAT.

Once the user has downloaded the installer & executes it, a copy of Zoom.exe is dropped. The ZoomInstaller.exe, then opens a “notepad.exe” process to run Zoom.exe. The backdoor then goes ahead to establishes a connection to the URL dabmaster[.]wm01[.]to & starts executing the commands received from the remote malicious user.

Impact

• Log user’s keystrokes.
• Take screenshots of desktops.
• Records sound from microphone.
• Get hardware & software information.
• Launching, suspending & terminating closing services & processes.
• Add, change, & delete files & registry information.

Recommended Actions

• Always download software’s from their official source.
• Always update your anti-virus software with the latest releases.
• Periodically run “full system scan” on your endpoints.
• Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
• Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.