
The coronavirus pandemic and resulting lockdowns have led to a rise in remote working, meaning more people are using video conferencing software like Zoom to communicate with colleagues, as well as socialise with friends.
But the need to work from home is something cyber criminals are attempting to take advantage of and now researchers at cybersecurity company TrendMicro have uncovered a new cyber criminal campaign attempting to exploit the current circumstances to trick remote workers into install RevCode WebMonitor RAT.
The researchers stress that the compromised software doesn’t come from Zoom’s own download centre or any official app stores — rather the downloads come from malicious third-party websites. It’s likely that victims are drawn towards the infected downloads by malicious links sent in phishing emails and other messages.
Once the file is downloaded, it runs an installer which delivers the video conferencing software as well as executing the WebMonitor remote access tool.
SEE: Coronavirus: Effective strategies and tools for remote work during a pandemic
The installation of the malicious tool on comprised Windows systems gives attackers a backdoor which allows remote observation of almost any activity which takes place on the machine. That includes keylogging, recording web cam streams and taking screenshots, all things which can be used to steal sensitive personal information.
However, WebMonitor will terminate itself if executed in a virtual environment – a method of defence in an effort to prevent discovery and examination by security researchers. The RAT has been available on underground forums since mid-2017, but the commodity tool is still proving to be successful.
In this case, the way in which it’s bundled with a version of Zoom is a means of avoiding suspicious from the user – if they installed the software and it didn’t work, they might suspect something was wrong.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
But there’s still a tell tale sign that there could be something suspect about the download – the malicious sites push Zoom version 4.6, but now the official Zoom software is running version 5.0, so the version used in the attack is now out of date.
Packaging malware inside a downloader for legitimate software is a regular tactic for cyber criminals and Zoom is far from the only application that has been used – but attackers are increasingly turning to it because of how popular it has become in recent months.
The best way users can avoid falling victim to this kind of attack is by only downloading installers from official sources – and if you’re sent a link to download an app, it’s best to visit the official website and download it yourself.
READ MORE ON CYBERSECURITY
 
 
