The coronavirus pandemic and the resulting lockdowns have led to far more remote working, which means more people are using video conferencing software such as Zoom to communicate with colleagues and friends. Cybercriminals are trying to take advantage of this need to work from home. Researchers at the cybersecurity firm Trend Micro have identified a campaign that exploits the current circumstances to trick remote workers into installing the RevCode WebMonitor RAT.
The researchers note that the trojanized installer is not distributed through the Zoom download center or any official app store; it comes from malicious third-party websites. Victims are likely lured to these downloads by links sent in phishing emails and other messages.
Once downloaded, the file runs an installer that sets up the legitimate video conferencing client alongside the WebMonitor remote access tool. Installing the tool on a compromised Windows system gives the attackers a backdoor from which they can remotely observe almost everything that happens on the machine, including recording keystrokes, capturing the webcam stream and taking screenshots, all of which can be used to steal sensitive personal information.
WebMonitor terminates itself if it detects that it is running in a virtual environment, a defensive measure meant to frustrate detection and analysis by security researchers working in sandboxes. The RAT has been sold on underground forums since mid-2017, and despite being a fairly basic tool it continues to prove effective.
In this case, bundling the malware with a working copy of Zoom helps avoid arousing the user's suspicion: if the victim installed the software and it did not work, they might suspect that something was wrong.
The malicious sites offer version 4.6 of Zoom, while the official Zoom client is now at version 5.0, so the build used in the attack is already out of date.
Embedding malware in a legitimate software installer is a common cybercriminal tactic, and Zoom is far from the only application used this way, although attackers have increasingly turned to it in recent months because of its surging popularity. The best way to avoid falling victim to this kind of attack is to download installers only from official sources. If you are sent a link to download an application, it is better to go to the official site and download it yourself.
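A practical check to go with that advice, written here as an added example (it is not code from Trend Micro, Zoom or the article): before running a downloaded Zoom installer on Windows, confirm that its Authenticode signature is valid, that the signer is the publisher you expect, and that the embedded product version is not the outdated 4.6 build the campaign distributes. The installer path, the expected signer name `Zoom Video Communications, Inc.` and the `5.0` minimum version are assumptions; adjust them to the vendor's current certificate and release.

```powershell
# Added example: verify a downloaded Zoom installer before running it.
# Assumptions (not from the article): the default path below, the expected
# signer subject string, and 5.0 as the minimum acceptable version.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\ZoomInstaller.exe"
)

$expectedSigner = 'Zoom Video Communications, Inc.'   # assumed publisher CN
$minimumVersion = [version]'5.0'                     # article: official build is 5.0

function Test-ZoomInstaller {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'file not found' }
    }

    # 1. Authenticode: the signature must be intact and chain to a trusted root.
    #    Unsigned files report 'NotSigned'; tampered files report 'HashMismatch'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # 2. A valid signature only proves the file was not altered after signing; the
    #    signer must also be the publisher we expect, not just any valid certificate.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($expectedSigner)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "unexpected signer: $subject" }
    }

    # 3. Version: the trojanized bundles seen in this campaign ship an old 4.6 build.
    $verString = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    $ver = $null
    $numeric = ($verString -split '[^0-9.]')[0]
    if (-not [version]::TryParse($numeric, [ref]$ver) -or $ver -lt $minimumVersion) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "outdated or unparsable version: $verString" }
    }

    # 4. Record the SHA-256 so the file can be compared against a hash published by the vendor.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return [pscustomobject]@{
        Path   = $Path
        Ok     = $true
        Reason = "signed by $subject, version $verString"
        SHA256 = $hash
    }
}

Test-ZoomInstaller -Path $InstallerPath | Format-List
```

Run it from a PowerShell prompt with the path of the file you were sent; anything other than `Ok : True` is a reason to discard the installer and fetch a fresh copy from the official download center. The signer check matters because an attacker can buy or steal a code-signing certificate and produce a file whose signature is technically valid, so the subject must match the publisher, not merely be trusted.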