Posted on 05-21-2020.
Cybercriminals continue to invent new methods of gaining access to users’ personal information, following popular trends in the corporate world. Researchers from Trend Micro have found two new malware files disguised as installers for Zoom, a video communications app that has seen extreme demand from users around the world following the spread of the coronavirus pandemic. With companies forced to temporarily close their offices and let staff work from home, they have turned to video calls to communicate with their colleagues. Moreover, some people even began organizing weddings, yoga classes, educational courses, and other events on the app.
“Looking into the disassembled functions of the added notification registry, it showed that the strings contained configurations and values used to notify the command and control server that the email has been set up, credentials of the user have been stolen, and flag the infected machine as ready for access,” the analysis further explained.

The other file installs the so-called Devil Shadow botnet on the device. The Devil Shadow botnet contains malicious commands. The malware keeps running on the system after installation and is programmed to take screenshots of the user’s desktop and active windows. It also scans the system for any connected webcams. The malware sends the stolen data to the command and control server every 30 seconds. The authors of the analysis warn that the malicious files disguised as Zoom installers are unrelated to Zoom’s official installation distribution channels; they come from untrusted sources. Additionally, the fake versions take longer to run, because they extract the malicious components before launching Zoom.
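The report's observation that the sample contacts its command and control server every 30 seconds points at a generic detection signal: a client that connects to one destination at a near-constant interval. The script below is an added example, not code from the article or from Trend Micro's analysis. It parses a small set of constructed connection log lines (the "timestamp src dst" format, the hosts and the timestamps are all invented for the example) and flags source/destination pairs whose inter-connection gaps are nearly constant.

```python
"""Detect fixed-interval beaconing in outbound connection logs.

Added example, not from the article or the Trend Micro analysis. The log
format, hosts and timestamps below are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <src> <dst>".
# 203.0.113.10 receives a connection roughly every 30 seconds (beacon-like);
# 198.51.100.7 receives irregular, infrequent connections (normal traffic).
SAMPLE_LOG = """\
2020-05-21T10:00:00 10.0.0.5 203.0.113.10
2020-05-21T10:00:03 10.0.0.5 198.51.100.7
2020-05-21T10:00:30 10.0.0.5 203.0.113.10
2020-05-21T10:00:47 10.0.0.5 198.51.100.7
2020-05-21T10:01:00 10.0.0.5 203.0.113.10
2020-05-21T10:01:30 10.0.0.5 203.0.113.10
2020-05-21T10:01:52 10.0.0.5 198.51.100.7
2020-05-21T10:02:00 10.0.0.5 203.0.113.10
2020-05-21T10:02:31 10.0.0.5 203.0.113.10
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst) tuples; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.fromisoformat(parts[0])
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose gaps between
    consecutive connections are nearly constant.

    A pair is reported when it has at least `min_connections` connections and
    the coefficient of variation (stdev / mean) of its gaps is <= `max_jitter`.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            hits[pair] = round(mean, 1)
    return hits


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"beacon-like traffic: {src} -> {dst} every ~{interval}s")
```

The jitter threshold and the minimum connection count are the knobs to tune: too loose and periodic but benign traffic (update checks, monitoring agents) shows up, too tight and a sample that randomises its sleep slightly slips through. In practice the hits are a triage list to pair with the other indicators the report describes (an installer from an untrusted source, screenshot activity, webcam enumeration), not a verdict on their own.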