Bogus Zoom Installers Infecting Users With WebMonitor RAT

With the current COVID-19 pandemic, the use of the Zoom app has skyrocketed, as more and more people use it to work and study from home. The heightened interest in the product has, however, attracted many threat actors, who seek to exploit vulnerabilities in the Zoom app for their gain.

One of the more recent campaigns that involved legitimate Zoom installers happened at the end of April. Resembling an early April campaign that used Zoom installers to push a cryptocurrency miner, the latest campaign pushes RevCode's WebMonitor remote access Trojan (RAT).

It's important to note that the bogus installers do not come from official sources like Zoom's website, Apple's App Store, or Google's Play Store. Security researchers suspect that the malicious Zoom installers come from third party websites and email spam campaigns. They install version 4.6 of the Zoom app, while version 5.0 has already come out, addressing previous security issues.

But the outdated version isn't the real problem here, as the app is legitimate. The hackers just downloaded it, extracted it, and bundled it in their installer alongside the WebMonitor RAT, which can silently infect victim's systems, granting the attackers access to valuable information.

The WebMonitor RAT

The WebMonitor RAT story is interesting in and of itself. It was developed as a commercial product by a Swedish company called RevCode, claiming it to be a legitimate security testing solution. Meanwhile, it's widely available for sale on a number of Dark Web forums, marketed as malware, with a price tag ranging from €14.99 to €29.99.

What's interesting to note here is that records from Ratsit AB, a Swedish credit information service, indicate that RevCode is owned by Alex Yücel, a 30-year-old Swedish resident. In 2015, a 25-year-old Swedish resident named as Alex Yucel was sentenced by a U.S. court to 57 months in prison, after pleading guilty to charges for the distribution of the Blackshades RAT. Prison records, however, indicate that he was released in November 2016. RevCode was officially registered as a Swedish company in 2018, with sales of the WebMonitor RAT on hacker forums commencing as early as mid-2017.

A quick look at WebMonitor's features can give us an idea as to why it has been classified as malware by most antivirus companies. First of all, WebMonitor has an option that can be used to suppress any notification boxes that might show up when it's being installed on a computer. RevCode's company website touts the software's compatibility with all ''crypters'', a type of software that is used by malware operators to avoid detection from antivirus programs.

Once installed on a computer, the WebMonitor RAT can begin spying on the victim by retrieving saved passwords, keylogging, screen capturing, and webcam streaming to a remote location. The WebMonitor RAT can also be used to alter registry data, obtain software and hardware information, start and suspend processes and services, and enable automatic execution of the malware upon system startup.

Staying Safe

The current COVID-19 pandemic has meant that a lot of people have had to start working with software that they might not have been familiar with. One essential piece of advice is to always use trusted, official channels when downloading software such as video conferencing, or remote desktop apps. Keeping all your programs up to date can also help patch known vulnerabilities that attackers can exploit.

As always, it is recommended that you have legitimate antivirus software installed on your system.