Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

01:55 PM

Zoom Installers Used to Spread WebMonitor RAT

Researchers warn the installers are legitimate but don't come from official sources of the Zoom app, including the Apple App Store and Google Play.

This story was updated on 5/4 to include comments from Zoom.

A newly discovered attack campaign is abusing Zoom installers to spread the RevCode WebMonitor RAT and exploit reliance on messaging apps to communicate and work remotely.

Trend Micro researchers who detected the attack say it resembles an early April campaign that leveraged Zoom installers to put a cryptocurrency miner on target devices. The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play. Researchers note Zoom has been updated to version 5.0, which brings security and privacy changes.

An attack starts with someone downloading the malicious ZoomInstaller[.]exe from malicious sources, they explain, using ZoomInstaller[.]exe to refer to a file containing both a nonmalicious Zoom installer and the RevCode WebMonitor RAT. Because the system downloaded a legitimate Zoom application version – in this case, version 4.6 – users won't suspect foul play. However, their systems have been compromised with WebMonitor RAT, which lets attackers control affected devices and spy via keylogging, webcam streaming, or screen captures. 

Many malware variants hide in legitimate applications, researchers say, and Zoom is not the only app used to deliver this kind of threats. In this case, attackers may have repackaged the legitimate installers with the WebMonitor RAT and rereleased them in malicious websites.

A Zoom spokesperson has provided the following statement about these findings: "We appreciate Trend Micro’s efforts to raise awareness regarding scenarios in which cybercriminals download a legitimate copy of Zoom, extract it from our installer and repackage it within a malicious installer that includes dangerous malware. Zoom users should only download Zoom through our legitimate distribution channels, including our website, the Google Play Store and the Apple App Store."

Read more details here.  

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/11/2020 | 2:08:15 PM
Where did they get the Rat from?

The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play.

Since the Zoom rep. posted that we should only download the installer from registered sources, where did they get the download from (was there a mention of the specific location), I was curious because this could have come from a legitimate site or their session could have been intercepted and someone sent information posing as Zoom.

Not sure, please advise.

User Rank: Apprentice
5/10/2020 | 12:32:10 PM
Re: Thanks
i hope so
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...