
False Zoom installers infect computers with WebMonitor RAT!

Because of the coronavirus pandemic, many companies around the world have asked their employees to work from home, which has greatly increased the use of teleconferencing applications. However, cybercriminals are increasingly taking advantage of the conditions created by the pandemic and targeting such applications. Researchers from Trend Micro have found a new campaign that abuses several popular messaging apps, including Zoom. Specifically, in this campaign the attackers used fake Zoom installers to infect computers with the WebMonitor RAT malware. The infection starts when the malicious file ZoomIntsaller.exe is downloaded from malicious sources. When the file is executed, it creates a copy of itself named Zoom.exe and opens a notepad.exe process in order to run Zoom.exe. Once this is done, it connects to the remote C2 server and can execute the following commands:

  • Add, delete and modify files and registry information
  • Close connections
  • Get software and hardware information
  • Download webcam drivers / snapshots
  • Record sound and keystrokes
  • Start, suspend and terminate processes and services
  • Start / stop screen
  • Start / stop wireless access point

It also drops the Zoom.vbs file into the Startup folder to enable auto-run at system boot. The process terminates itself if security tools are running on the computer or if files named Malware, Sample or Sandbox are present. In addition, the malware may collect information about:

  • The battery
  • The computer
  • The desktop screen
  • The memory
  • The configuration of the network adapter
  • The operating system (OS)
  • The processor
  • The video controller
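The behaviours described above (a copy named Zoom.exe, notepad.exe used to run it, and Zoom.vbs dropped into the Startup folder) are the kind of telemetry a defender can hunt for. The following script is an added example, not code from the article or from Trend Micro's report: it runs three detection rules over a handful of constructed Sysmon-style process and file event records embedded in the script. The record shape, the legitimate Zoom install location (assumed to be the per-user Roaming\Zoom folder) and the rule that flags Zoom.exe running from any other directory are assumptions made for this example; the article does not say where the copy is written.

```python
"""
Added example (not from the article or Trend Micro's report): hunt for the
fake-Zoom-installer behaviours the article describes, over constructed
Sysmon-style events.

Rules:
  1. startup_vbs_drop        - Zoom.vbs written into a Startup folder
  2. notepad_hosts_zoom      - Zoom.exe whose parent process is notepad.exe
  3. zoom_exe_unexpected_path - Zoom.exe running outside the assumed
                                legitimate install directory
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption for this example: the genuine client lives under ...\AppData\Roaming\Zoom\...
LEGIT_ZOOM_DIR_PARTS = ("appdata", "roaming", "zoom")
# Path fragment shared by per-user and all-users Startup folders.
STARTUP_DIR_PARTS = ("microsoft", "windows", "start menu", "programs", "startup")


@dataclass
class Event:
    kind: str               # "process" (creation) or "file" (write)
    image: str              # process image path, or the written file path
    parent_image: str = ""  # parent process image (process events only)


def _lower_parts(path):
    """Split a Windows path into lower-cased components for case-insensitive matching."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _contains_seq(parts, seq):
    """True if the tuple `seq` occurs contiguously inside `parts`."""
    n = len(seq)
    return any(parts[i:i + n] == seq for i in range(len(parts) - n + 1))


def is_startup_vbs_drop(ev):
    parts = _lower_parts(ev.image)
    return bool(ev.kind == "file" and parts and parts[-1] == "zoom.vbs"
                and _contains_seq(parts[:-1], STARTUP_DIR_PARTS))


def is_notepad_hosting_zoom(ev):
    return bool(ev.kind == "process"
                and _lower_parts(ev.image)[-1:] == ("zoom.exe",)
                and _lower_parts(ev.parent_image)[-1:] == ("notepad.exe",))


def is_zoom_outside_install_dir(ev):
    parts = _lower_parts(ev.image)
    return bool(ev.kind == "process" and parts[-1:] == ("zoom.exe",)
                and not _contains_seq(parts[:-1], LEGIT_ZOOM_DIR_PARTS))


RULES = (
    ("startup_vbs_drop", is_startup_vbs_drop),
    ("notepad_hosts_zoom", is_notepad_hosting_zoom),
    ("zoom_exe_unexpected_path", is_zoom_outside_install_dir),
)


def triage(events):
    """Return (rule_name, event) findings in event order, then rule order."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry for this example (not real logs).
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
          r"C:\Windows\explorer.exe"),                        # legitimate client
    Event("process", r"C:\Users\alice\Downloads\ZoomIntsaller.exe",
          r"C:\Windows\explorer.exe"),                        # the downloaded installer itself
    Event("process", r"C:\Users\alice\AppData\Local\Temp\Zoom.exe",
          r"C:\Windows\System32\notepad.exe"),                # copy run via notepad.exe
    Event("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                  r"\Start Menu\Programs\Startup\Zoom.vbs"),  # persistence drop
    Event("file", r"C:\Users\alice\Documents\notes.vbs"),     # unrelated script
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev.image}")
```

Run stand-alone, the script reports the two rules that fire on the Zoom.exe launched from notepad.exe and the Startup-folder drop, while the legitimate client and the unrelated .vbs file produce nothing. The rules key on the relationships the article describes (parent process, drop location) rather than on file hashes, so they keep working when the sample is recompiled; a real deployment would feed them from an EDR or Sysmon pipeline instead of the embedded list.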

Recently, a new phishing campaign attempted to steal employees' login credentials by faking Microsoft Teams notifications. Another phishing campaign involving Zoom also took place this month, urging recipients to attend a Zoom meeting in which employees would supposedly be told that their contracts were being suspended or terminated. Cybercriminals continue to exploit the coronavirus pandemic to carry out a variety of attacks, including malware, phishing, fraud and disinformation campaigns.
