Medium
Researchers have found and analyzed samples of malware-infected Zoom installers. The first was a sample of the Zapiz malware, which provides backdoor capabilities. The installer contains a number of encrypted files that decrypt into a separate installer file. The malware kills all remote utilities and opens port 5650 to gain remote access. It also adds four registry entries containing configuration settings; these settings notify the C2 that an email has been set up, that credentials have been stolen, and that the infected machine has been flagged as ready for access.

The second sample was the Devil Shadow botnet. Its installer contains pyclient.cmd, which holds the malicious commands. A self-extracting archive contains a text file holding the C2 server address, a URL, a batch file used to gain persistence, and a copy of the Zoom installer. One Visual Basic script file executes the cmd files, and another Visual Basic script file runs to gain persistence. All malicious files are dropped together with the Zoom installer. The cmd file connects to the host URL and downloads binaries for use in malicious actions. Finally, the legitimate Zoom installer is run so that the activity does not arouse suspicion.
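As an added detection example (not from the original report or from the researchers who analyzed these samples), the script below scans constructed Sysmon-style endpoint events for the behaviours described above: a process listening on TCP 5650, a script host launched by a Zoom-named installer, and execution of pyclient.cmd. Only port 5650 and the file name pyclient.cmd come from the report; the event format, paths and process names are assumptions built for the example.

```python
# Added example: heuristic detector for the trojanized-Zoom-installer
# behaviours described above. Event format loosely mimics Sysmon fields.

# Constructed sample telemetry (not real logs): a wrapper named like a Zoom
# installer spawns wscript.exe, which runs pyclient.cmd via cmd.exe, and a
# dropped binary then listens on TCP 5650.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4100,
     "image": r"C:\Users\u\Downloads\ZoomInstaller.exe",
     "cmdline": "ZoomInstaller.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs",
     "parent_image": r"C:\Users\u\Downloads\ZoomInstaller.exe"},
    {"event": "ProcessCreate", "pid": 4130,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\pyclient.cmd",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"event": "NetworkListen", "pid": 4140,
     "image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "port": 5650, "proto": "tcp"},
    {"event": "NetworkListen", "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe", "port": 135, "proto": "tcp"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def find_suspicious(events):
    """Return (rule_name, pid) alerts in event order. Port 5650 and
    pyclient.cmd are taken from the report; the rest are heuristics."""
    alerts = []
    for e in events:
        if e["event"] == "NetworkListen":
            if e.get("proto") == "tcp" and e.get("port") == 5650:
                alerts.append(("listener_on_5650", e["pid"]))
            continue
        if e["event"] != "ProcessCreate":
            continue
        image = e["image"].lower()
        cmdline = e["cmdline"].lower()
        parent = e["parent_image"].lower()
        # A script host started directly by something named like a Zoom installer.
        if image.endswith(SCRIPT_HOSTS) and "zoom" in parent:
            alerts.append(("script_host_spawned_by_zoom_installer", e["pid"]))
        # cmd.exe or a script host executing the dropped pyclient.cmd.
        if "pyclient.cmd" in cmdline and image.endswith(("cmd.exe",) + SCRIPT_HOSTS):
            alerts.append(("pyclient_cmd_execution", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

In a real deployment the same rules would read events from the endpoint agent rather than an inline list, and the port-5650 rule would be scoped to newly created executables to limit false positives.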