Hackers are exploiting various teleconferencing applications, such as Zoom, to infect victims' systems with malicious software. Security researchers from Trend Micro have discovered two examples of malware that infect Windows systems and are presented as Zoom installers. The malicious Zoom installers are not distributed through official distribution channels.
Fake Zoom installers
The first malicious installer is very similar to the official version. It contains encrypted archives that are decrypted into the malware.
During installation, the malware "kills" any running remote-access utilities and opens TCP port 5650 to gain remote access to the infected system.
Furthermore, it runs the official Zoom installer so as not to arouse suspicion.
The second fake Zoom installer is related to the Devil Shadow Botnet. The infection starts with the malicious installer, which contains a file called pyclient.cmd holding malicious commands.
In this case too, the hackers include a copy of the official Zoom installer to deceive victims. The tampered installer unpacks malicious archives and code.
The malware sends information to the C&C server every 30 seconds while the computer is turned on. More details on the fake installers can be found here.
In another hacking campaign, attackers used fake Zoom installers to infect victims with the WebMonitor RAT. The infection begins with the download of the malicious file ZoomIntsaller.exe from malicious sources.
Due to the coronavirus pandemic, many companies around the world have asked their employees to work from home. This new situation has increased the use of teleconferencing applications, something that has not gone unnoticed by cybercriminals.
However, there are some signs that show something is wrong. For example, the Zoom installers described above are hosted on suspicious sites and not in official app stores, such as the Play Store, the App Store, or the Zoom Download Center. Another sign is that the malicious installers install and run the "legitimate Zoom installer" later than the real program would. The malicious versions take longer to execute, because they extract the malicious data before Zoom is run.
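The indicators named above (an installer fetched from an unofficial host, the misspelt ZoomIntsaller.exe or pyclient.cmd file names, a process listening on TCP port 5650, and a C&C beacon every 30 seconds) can be turned into a simple endpoint-telemetry check. The following is an added example, not code from the article or from Trend Micro; the event records, the hosts and the official-download-host list are constructed assumptions.

```python
"""Added example: score constructed endpoint telemetry against the
indicators the article describes for the fake Zoom installers."""
from collections import defaultdict
from statistics import median

OFFICIAL_DOWNLOAD_HOSTS = {"zoom.us", "www.zoom.us"}   # assumption: official Zoom origin
KNOWN_BAD_NAMES = {"zoomintsaller.exe", "pyclient.cmd"}  # file names quoted in the article
REMOTE_ACCESS_PORT = 5650                               # port opened by the first installer
BEACON_SECONDS = 30                                     # C&C interval of the second installer

# Constructed telemetry: (timestamp_sec, event_type, process, detail)
EVENTS = [
    (0,   "download", "chrome.exe",        "http://example-bad-site.test/ZoomIntsaller.exe"),
    (5,   "listen",   "ZoomIntsaller.exe", "tcp/5650"),
    (10,  "connect",  "ZoomIntsaller.exe", "203.0.113.7:443"),
    (40,  "connect",  "ZoomIntsaller.exe", "203.0.113.7:443"),
    (70,  "connect",  "ZoomIntsaller.exe", "203.0.113.7:443"),
    (100, "connect",  "ZoomIntsaller.exe", "203.0.113.7:443"),
    (12,  "connect",  "chrome.exe",        "198.51.100.1:443"),
    (300, "connect",  "chrome.exe",        "198.51.100.1:443"),
]

def beacon_interval(timestamps):
    """Median gap between successive connections, or None if fewer than three."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    return median(b - a for a, b in zip(ts, ts[1:]))

def analyse(events):
    """Return {process_or_file: [reasons]} for anything matching an indicator."""
    findings = defaultdict(list)
    connects = defaultdict(list)
    for t, kind, proc, detail in events:
        if kind == "download":
            name = detail.rsplit("/", 1)[-1]
            host = detail.split("/")[2]
            bad_name = name.lower() in KNOWN_BAD_NAMES
            unofficial = "zoom" in name.lower() and host not in OFFICIAL_DOWNLOAD_HOSTS
            if bad_name or unofficial:
                findings[name].append(f"installer fetched from unofficial host {host}")
        elif kind == "listen" and detail == f"tcp/{REMOTE_ACCESS_PORT}":
            findings[proc].append(f"listening on tcp/{REMOTE_ACCESS_PORT}")
        elif kind == "connect":
            connects[proc].append(t)
    for proc, ts in connects.items():
        gap = beacon_interval(ts)
        if gap is not None and abs(gap - BEACON_SECONDS) <= 5:
            findings[proc].append(f"periodic beacon every ~{gap:.0f}s")
    return dict(findings)
```

Running `analyse(EVENTS)` flags only the fake installer, with all three reasons, while the browser's two unrelated connections are not enough to establish a beacon pattern.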