Tuesday, July 7, 00:17

False Zoom Installers install backdoors on Windows systems


Hackers are abusing teleconferencing applications such as Zoom to infect victims' systems with malware. Security researchers at Trend Micro have discovered two malware samples that infect Windows systems while posing as Zoom installers. The malicious Zoom installers are not distributed through official distribution channels.

False Zoom installers

One of these fake Zoom installers installs a backdoor that gives attackers remote access to the victim's Windows computer. The second installs the Devil Shadow botnet.

The first malicious installer looks very similar to the official one. It contains encrypted archives that are decrypted into the malware.

During installation the malware "kills" any remote utilities that are currently running and opens TCP port 5650 to obtain remote access to the infected system.

Furthermore, it runs an official Zoom installer so as not to arouse suspicion.

The second fake Zoom installer is associated with the Devil Shadow botnet. The infection starts with the malicious installer, which carries a file named pyclient.cmd containing malicious commands.

In this case too, the hackers bundle a copy of the official Zoom installer to deceive victims. The tampered installer drops malicious archives and code.

The malware sends information to the C&C server every 30 seconds while the computer is switched on. More details on the fake installers are in Trend Micro's report.
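The two network behaviours the article attributes to the first installer and to Devil Shadow (a listener on TCP port 5650, and a C&C check-in on a fixed 30-second cadence) are the kind of thing an endpoint or network sensor can flag. The script below is an added example, not code from the article or from Trend Micro: it runs over a few constructed telemetry lines (the process name, timestamps and addresses are invented for illustration) and reports any process listening on port 5650 and any process/destination pair whose outbound connections recur at a steady ~30 s interval.

```python
"""Added example (not from the article or Trend Micro): flag two behaviours
the article attributes to the fake Zoom installers, using constructed
endpoint telemetry lines rather than real logs.

  1. a process that starts listening on TCP port 5650 (remote-access backdoor)
  2. a process that contacts the same remote host on a fixed ~30 s cadence
     (C&C beaconing)
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed telemetry, one event per line (all values are invented):
#   <ISO timestamp> <event> <process> <local or remote address>
SAMPLE_LOG = """\
2020-04-20T10:00:00 LISTEN   ZoomInstaller.exe 0.0.0.0:5650
2020-04-20T10:00:01 CONNECT  ZoomInstaller.exe 203.0.113.10:443
2020-04-20T10:00:31 CONNECT  ZoomInstaller.exe 203.0.113.10:443
2020-04-20T10:01:01 CONNECT  ZoomInstaller.exe 203.0.113.10:443
2020-04-20T10:01:31 CONNECT  ZoomInstaller.exe 203.0.113.10:443
2020-04-20T10:00:05 CONNECT  Zoom.exe          198.51.100.7:443
2020-04-20T10:00:09 CONNECT  Zoom.exe          198.51.100.7:443
2020-04-20T10:02:40 CONNECT  Zoom.exe          198.51.100.7:443
2020-04-20T10:00:12 LISTEN   svchost.exe       0.0.0.0:135
"""

BACKDOOR_PORT = 5650        # port named in the article
BEACON_INTERVAL = 30.0      # seconds, cadence named in the article
TOLERANCE = 0.2             # accept +/-20 % jitter around the expected interval
MIN_BEACONS = 4             # need several connections before calling it a beacon


def parse_events(text):
    """Parse the telemetry into (timestamp, event, process, address) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing on them
        ts = datetime.fromisoformat(parts[0])
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def find_listeners(events, port=BACKDOOR_PORT):
    """Return the processes that opened a listening socket on the given port."""
    return sorted({proc for _, ev, proc, addr in events
                   if ev == "LISTEN" and addr.rsplit(":", 1)[-1] == str(port)})


def find_beacons(events, interval=BEACON_INTERVAL, tolerance=TOLERANCE,
                 min_count=MIN_BEACONS):
    """Return (process, destination) pairs whose outbound connections recur
    at a steady cadence close to `interval` seconds."""
    by_flow = defaultdict(list)
    for ts, ev, proc, addr in events:
        if ev == "CONNECT":
            by_flow[(proc, addr)].append(ts)
    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Periodic beacon: mean gap near the expected interval and low jitter.
        if (abs(avg - interval) <= tolerance * interval
                and pstdev(gaps) <= tolerance * interval):
            hits.append(flow)
    return sorted(hits)


def analyse(text=SAMPLE_LOG):
    """Run both checks over one telemetry dump and return the findings."""
    events = parse_events(text)
    return {"listeners": find_listeners(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind, findings)
```

On the constructed sample, `ZoomInstaller.exe` is reported both as the port 5650 listener and as a 30-second beacon to 203.0.113.10, while the three irregular connections from `Zoom.exe` are ignored. The jitter threshold and minimum count are tuning knobs; real C&C traffic is often given deliberate jitter, so the `pstdev` bound is the value to relax first when adapting this to real telemetry.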

In another hacking campaign, attackers used fake Zoom installers to infect victims with the WebMonitor RAT. The infection begins with downloading the malicious file ZoomIntsaller.exe from untrusted sources.

Because of the coronavirus pandemic, many companies around the world have asked their employees to work from home. This new situation has increased the use of teleconferencing applications, something that has not gone unnoticed by cybercriminals.

However, there are signs that something is wrong. For example, the Zoom installers described above are hosted on suspicious sites rather than in official app stores such as the Play Store, the App Store, or the Zoom Download Center. Another sign is that the malicious installers launch the legitimate Zoom installer later than the real program would: the malicious versions take longer to run because they extract their malicious payload before Zoom is executed.
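The first warning sign, an installer served from somewhere other than the official download channel, is easy to enforce in a download proxy or an endpoint policy, but the host check is commonly written as a naive substring or suffix match that lookalike domains slip past. The function below is an added example, not code from the article: it accepts only HTTPS URLs whose host is `zoom.us` or a subdomain of it (the allow-list is an assumption for illustration, since the article names only the Zoom Download Center), and it compares on DNS-label boundaries so that constructed lookalikes such as `zoom.us.example.net` or a `user@host` trick are rejected.

```python
"""Added example (not from the article): decide whether an installer download
URL points at an official distribution host. The allow-list is an assumption
made for illustration; all URLs below are constructed."""
from urllib.parse import urlsplit

# Assumed allow-list: the Zoom Download Center domain and its subdomains.
OFFICIAL_HOSTS = ("zoom.us",)


def host_is_official(url, allowed=OFFICIAL_HOSTS):
    """True only if the URL uses HTTPS and its host equals an allowed domain or
    is a subdomain of one. Matching on the '.' label boundary rejects
    lookalikes such as 'notzoom.us' and 'zoom.us.example.net'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # urlsplit strips any 'user:pass@' prefix, so 'https://zoom.us@evil/' is
    # judged by its real host, not by the decoy userinfo.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(urls):
    """Split a batch of candidate download URLs into allowed and flagged."""
    allowed = [u for u in urls if host_is_official(u)]
    flagged = [u for u in urls if not host_is_official(u)]
    return allowed, flagged


# Constructed candidate URLs for a quick demonstration.
CANDIDATES = [
    "https://zoom.us/client/latest/ZoomInstaller.exe",
    "https://us04web.zoom.us/client/latest/ZoomInstaller.exe",
    "http://zoom.us/client/latest/ZoomInstaller.exe",
    "https://zoom.us.download-portal.example.net/ZoomInstaller.exe",
    "https://zoom.us@203.0.113.10/ZoomInstaller.exe",
    "https://notzoom.us/ZoomInstaller.exe",
]

if __name__ == "__main__":
    ok, bad = triage(CANDIDATES)
    print("allowed:", *ok, sep="\n  ")
    print("flagged:", *bad, sep="\n  ")
```

Only the first two constructed URLs pass; the plain-HTTP link, the two lookalike hosts and the `zoom.us@` decoy are all flagged. Host checking is a complement to, not a substitute for, verifying the installer's publisher signature once it is on disk.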



Digital Fortress, https://www.secnews.gr
