Researchers at TrendMicro have discovered a campaign leveraging fake Zoom downloaders to distribute RevCode Webmonitor RAT. Victims are tricked into downloading the malware through phishing emails—the RAT doesn’t originate from downloads found on Zoom’s website or any of the app stores. Because the installer also delivers Zoom, victims may not realize that their computers are infected or that something is amiss.
If an employee mistakenly runs the malicious Zoom installer and compromises their workstation with the RevCode RAT, it is important for the company’s security team or service provider to detect this and quickly contain the damage that can result from the RAT capturing keystrokes, screenshots, and files from the infected system. Indicators of compromise may include a malicious Visual Basic script named “Zoom.vbs” saved in the user’s startup folder, as well as network connections to the domain name dabmaster[.]wm01[.]to and the IP address 213.188.152[.]96. Endpoint Detection and Response (EDR) tools give security teams the visibility needed to quickly detect threats to workstations and servers, especially threats that evade anti-virus. The malicious downloader comes from sites that are not affiliated with Zoom, so Binary Defense recommends downloading Zoom and other video conferencing software only from the official site or app stores. The Zoom version installed by the malicious installer is 4.6, whereas the most up-to-date version is 5.0; checking whether the installed version matches the expected version can help identify whether an installation is malicious.
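The three indicators above (the Zoom.vbs persistence script in the Startup folder, connections to the named domain and IP address, and a Zoom 4.6 install where 5.0 is expected) can be turned into a small triage check run over endpoint and network telemetry. The following is an added example, not code from TrendMicro or Binary Defense: the indicator values are those quoted in the text, while the key=value log format, the hostname WS-0412, the process names and the sample file paths are constructed for illustration.

```python
"""Match constructed endpoint and network telemetry against the IoCs named above.

Added example: the indicator values come from the report; the log format,
hostnames, process names and sample paths are constructed for illustration.
"""
import re
from typing import Dict, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'dabmaster[.]wm01[.]to' into a matchable string."""
    return indicator.replace("[.]", ".")


# Indicators of compromise from the report (written defanged, as in the text).
IOC_DOMAIN = refang("dabmaster[.]wm01[.]to")
IOC_IP = refang("213.188.152[.]96")
IOC_STARTUP_SCRIPT = "zoom.vbs"      # file name, compared case-insensitively
EXPECTED_ZOOM_VERSION = "5.0"        # current release per the report; the trojanized installer ships 4.6

# Path fragment of the per-user Startup folder on Windows.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Telemetry lines are assumed to be space-separated key=value pairs (constructed format).
KV_RE = re.compile(r"(\w+)=(\S+)")


def find_startup_script(paths: List[str]) -> List[str]:
    """Return paths that are a Zoom.vbs inside a Startup folder (the persistence indicator)."""
    hits = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name == IOC_STARTUP_SCRIPT and STARTUP_DIR_RE.search(p):
            hits.append(p)
    return hits


def find_network_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Parse key=value telemetry lines and return those touching the C2 domain or IP."""
    findings = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        dst_ip = fields.get("dst", "").rsplit(":", 1)[0]   # strip the port, if any
        if fields.get("dns", "").lower() == IOC_DOMAIN or dst_ip == IOC_IP:
            findings.append(fields)
    return findings


def zoom_version_outdated(installed: str, expected: str = EXPECTED_ZOOM_VERSION) -> bool:
    """True when the installed major.minor is older than the expected release."""
    def major_minor(v: str):
        parts = (v.split(".") + ["0", "0"])[:2]   # pad so "5" compares like "5.0"
        return tuple(int(x) for x in parts)
    return major_minor(installed) < major_minor(expected)


def triage(startup_paths: List[str], net_lines: List[str], zoom_version: str) -> List[str]:
    """Combine the three checks into a list of finding strings for one host."""
    findings = []
    for p in find_startup_script(startup_paths):
        findings.append(f"persistence: {p}")
    for f in find_network_iocs(net_lines):
        findings.append(f"c2: {f.get('proc', '?')} -> {f.get('dns') or f.get('dst')}")
    if zoom_version_outdated(zoom_version):
        findings.append(f"version: Zoom {zoom_version} installed, {EXPECTED_ZOOM_VERSION} expected")
    return findings


# Constructed sample telemetry for one workstation (not real captures).
SAMPLE_STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zoom.vbs",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Users\alice\Downloads\Zoom.vbs",  # same name outside Startup: not the persistence indicator
]
SAMPLE_NET_EVENTS = [
    "ts=2020-04-28T10:02:11Z host=WS-0412 proc=wscript.exe dst=213.188.152.96:443",
    "ts=2020-04-28T10:02:13Z host=WS-0412 proc=wscript.exe dns=dabmaster.wm01.to",
    "ts=2020-04-28T10:05:00Z host=WS-0412 proc=Zoom.exe dns=zoom.us",
]
SAMPLE_ZOOM_VERSION = "4.6"   # what the trojanized installer drops, per the report

if __name__ == "__main__":
    for finding in triage(SAMPLE_STARTUP_FILES, SAMPLE_NET_EVENTS, SAMPLE_ZOOM_VERSION):
        print(finding)
```

Each check is deliberately narrow: a Zoom.vbs outside the Startup folder is not counted as the persistence indicator, the IP match strips the port so any destination port is caught, and the version comparison looks only at major.minor so a 5.0.x build is not flagged. Feeding real EDR or DNS telemetry into these functions only requires mapping its fields onto the assumed key=value shape.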