Spoofed Zoom Installer Delivers Backdoor and Devil Shadow Botnet
NJCCIC Alert
Original Release Date: 6/2/2020
Summary
Threat actors continue to take advantage of the growing teleworking population by spoofing the popular free video-teleconferencing (VTC) application, Zoom. Researchers discovered two malicious files that pose as Zoom installers: one installs a backdoor after stealing user credentials and the other installs the Devil Shadow botnet capable of downloading various binaries such as keyloggers, screenshot tools, and webcam access executables. After the malicious files are executed, a legitimate version of Zoom is downloaded to avoid user suspicion; however, the download run time is noticeably longer than usual due to the larger file size. Researchers assess that threat actors will continue to capitalize on VTC platforms' popularity to further develop and distribute various malware.
Recommendations
The NJCCIC reminds users to only download applications such as Zoom from official installation distribution channels and marketplaces. Technical details and indicators of compromise (IoCs) can be found in the Trend Micro blog post.
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.