PSA: Fake Zoom installers being used to distribute malware

DDE_Server

Sep 5, 2017
Attackers are taking advantage of the increased popularity of the Zoom video conferencing service to distribute installers that are bundled with malware and adware applications.

As people are spending more time indoors and performing physical/social distancing, many have started using Zoom meetings for remote work, exercise classes, and virtual get-togethers.

Knowing this, threat actors have started distributing Zoom client installers bundled with malware such as Coinminers, Remote Access Trojans, and adware bundles.

Today, TrendMicro reports that they have found a Zoom Installer being distributed that will also install a cryptocurrency miner on the victim's computer.

"We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately."

When installed, this malware will attempt to use your GPU and CPU to mine for the Monero cryptocurrency, which will cause your computer to become slower, potentially overheat, and potentially damage the hardware in your computer.

Other Zoom client installers found by BleepingComputer are being distributed with unwanted software bundles or Remote Access Trojans.

For example, the below Zoom Installer is targeting German users with other unwanted "offers" along with the Zoom client.

Zoom installer adware bundle


Another malicious Zoom Installer will install the njRAT Remote Access Trojan, otherwise known as Bladabindi, that will give the attacker full access to the infected victim's computer.

This would allow the attacker to steal your data, take screenshots with your webcam, or execute commands to download and install other malware.

As most of these malware samples ultimately install the Zoom client, users are not aware that other malicious applications were installed on their computer as well.

To prevent this, always download the Zoom client from the official Zoom download section or when prompted by a Zoom meeting invite on the Zoom.us site.

Downloading from any other location only greatly increases the chance you will become infected.
 

Stopspying

Jan 21, 2018
Good to see you posting some bad news about Zoom, I don't want the reputation as the main Zoom basher here!

Last week I was told about a local business startup advisory group organising group chats using Zoom. I know one of the people involved in this program slightly, so I emailed him with a lot of the links that I'd posted on MT over the last week with details of the data leaks to Facebook, Google etc etc., thinking that the businesses would not be very happy if they realised what the potential loss of their business details could be through using Zoom. I have had no reply, but I was forwarded another email from this same guy today discussing their next steps to help small businesses; this again uses Zoom as a principal means of communication while we're under Covid-19 lockdown. He needs someone to go and give him a very serious talking to, at least! There really isn't much hope with securing people's data when arrogant idiots continue to promote this pathetic, leaky Zoom system, or similar software and apps. If I get the time I might report him to the data commissioner, but I don't really want to get involved any further, but my conscience tells me I should. Dilemma, dilemma.