Spoofed Zoom Installer Delivers Backdoor and Devil Shadow Botnet NJCCIC Alert

800.618.BANK (2265)

Spoofed Zoom Installer Delivers Backdoor and Devil Shadow Botnet NJCCIC Alert

_{NJCCIC Alert Original Release Date: 6/2/2020}

Threat actors continue to take advantage of the growing teleworking population by spoofing the popular free video-teleconferencing (VTC) application, Zoom. Researchers discovered two malicious files that pose as Zoom installers: one installs a backdoor after stealing user credentials and the other installs the Devil Shadow botnet capable of downloading various binaries such as keyloggers, screenshot tools, and webcam access executables. After the malicious files are executed, a legitimate version of Zoom is downloaded to avoid user suspicion; however, the download run time is noticeably longer than usual due to the larger file size. Researchers assess that threat actors will continue to capitalize on VTC platforms' popularity to further develop and distribute various malware.

Recommendations
The NJCCIC reminds users to only download applications such as Zoom from official installation distribution channels and marketplaces. Technical details and indicators of compromise (IoCs) can be found in the Trend Micro blog post.