Cybercriminals continue to use the ongoing COVID-19 pandemic and the popularity of the conferencing app Zoom to expand their criminal operations. Cybersecurity company TrendMicro reports that a new malware campaign exploits these dire times to install RevCode WebMonitor RAT.
The remote access trojan known as RevCode WebMonitor RAT is being actively spread via fake Zoom installers. The cybercriminals use phishing emails and social media messages to redirect unsuspecting users to bogus websites that offer malicious downloads.
Once installed, the RAT opens a backdoor into the compromised computer, allowing the malware operators to carry out almost any activity on the device, including corrupting data, taking screenshots, recording video with the web camera, and more.
Researchers point out that the malicious downloader is not spread through the official Zoom website or legitimate app stores. Instead, the malware operators rely on third-party web pages and social engineering tricks to lure users into infecting their own devices.
What is RevCode WebMonitor RAT?
WebMonitor is a software application developed by the Sweden-based company RaveCode. The app is advertised as a remote access tool suitable for business management. The software supports Windows versions from XP upward and is designed to eliminate the need for port forwarding, as well as to control bot PCs from a commanding PC, a mobile phone, or a tablet. Additionally, remote administration can be launched from a web browser.
Leading cybersecurity companies have criticized the app developers for creating software that is orientated toward malware actors rather than legitimate businesses. TrendMicro points out that the app has been available on hacking forums since mid-2017 and was utilized in a multitude of malware campaigns.
The latest RevCode WebMonitor RAT campaign uses fake Zoom downloads to trick the unsuspecting users into installing malware. Once on the computer, the malicious payload will install the remote access tool, as well as an old version (v4.6) of the conferencing app Zoom. The installation of Zoom is a smokescreen, intended to dupe the user so that they won't become suspicious.
Of course, the outdated version of the app is a major red flag. However, most users, pushed by tight deadlines and the urgent need to keep working from a home environment, rush through the installation and ignore the notifications that updates are available, allowing the malware to remain undetected and run in the background.
Once executed, the payload will create a copy of itself named Zoom.exe and will then run this file through a notepad.exe process. As a result, a backdoor will connect to the dabmaster[.]wm01[.]to URL and will execute commands sent from a remote user. TrendMicro discovered that the connection allows the malware operator to execute the following operations:
- start, suspend, and terminate services and processes;
- start/stop screen stream;
- start/stop Wireless Access Point;
- add, delete and modify files and registry entries;
- close connections;
- obtain software and hardware details;
- control the web camera (record videos, take pictures);
- record audio;
- record keystrokes.
To establish persistence, the RAT drops a file named Zoom.vbs into the Windows User Startup folder, which enables automatic execution at every system startup. However, these processes will not execute if the malware detects a connection to the following debugging and security tools:
RevCode WebMonitor RAT is also designed to terminate itself if it's executed in any of the following virtual environments:
- Kernel-based Virtual Machine
- Microsoft Hypervisor
- Parallels Hypervisor
Refusing to run inside a virtual environment is a rather common anti-forensic technique nowadays. Threat actors employ various tricks to hinder potential malware analysis and to keep their malware operations running for as long as possible.
The RevCode WebMonitor RAT's operators went even further in their attempts to camouflage the malware. They programmed the RAT to terminate itself if it detects a file name that contains or resembles "Malware," "Sample," or "Sandbox."
Once successfully installed, the malware will send the following details via HTTP POST to the hxxps://126.96.36.199/recv7[.]php URL:
- Battery Information
- Computer Information
- Desktop Monitor Information
- Memory Information
- Network Adapter Configuration
- OS Information
- Processor Information
- Video Controller Information
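The behaviour chain described above (Zoom.exe started via notepad.exe, Zoom.vbs dropped into the Startup folder, contact with the C2 host, and the HTTP POST to recv7.php) can be turned into a simple host-telemetry detection. The following is an added example, not code from the article or from Trend Micro; the event format and the sample telemetry are constructed, and only the host, IP, path and file names come from the page.

```python
"""Added detection example (not from the article or Trend Micro): flags the
WebMonitor RAT behaviours described above in a constructed telemetry stream."""
import re

# Indicators quoted in the article (dots of the defanged forms restored)
C2_HOSTS = {"dabmaster.wm01.to", "126.96.36.199"}
EXFIL_PATH = "/recv7.php"
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\zoom\.vbs$")

def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: dict) -> list:
    """Return alert tags for one event; an empty list means nothing suspicious."""
    tags = []
    k = ev["kind"]
    if k == "process" and _base(ev["image"]) == "zoom.exe" and _base(ev["parent"]) == "notepad.exe":
        tags.append("zoom_exe_launched_via_notepad")
    if k == "file" and STARTUP_VBS.search(ev["target"].lower()):
        tags.append("zoom_vbs_in_startup_folder")
    if k == "network" and ev["dest"].lower() in C2_HOSTS:
        tags.append("webmonitor_c2_host")
    if k == "http" and ev["method"] == "POST" and ev["host"] in C2_HOSTS and ev["path"].lower() == EXFIL_PATH:
        tags.append("webmonitor_sysinfo_exfil")
    return tags

def scan(events: list) -> dict:
    """Group alert tags by the originating image so the full chain stands out."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(ev["image"], []).append(tag)
    return hits

# Constructed sample telemetry; the user name, temp path and benign entries are made up
SAMPLE = [
    {"kind": "process", "image": r"C:\Users\a\Downloads\ZoomInstaller.exe", "parent": r"C:\Windows\explorer.exe"},
    {"kind": "process", "image": r"C:\Users\a\AppData\Local\Temp\Zoom.exe", "parent": r"C:\Windows\System32\notepad.exe"},
    {"kind": "file", "image": r"C:\Users\a\AppData\Local\Temp\Zoom.exe",
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zoom.vbs"},
    {"kind": "network", "image": r"C:\Users\a\AppData\Local\Temp\Zoom.exe", "dest": "dabmaster.wm01.to"},
    {"kind": "http", "image": r"C:\Users\a\AppData\Local\Temp\Zoom.exe", "method": "POST", "host": "126.96.36.199", "path": "/recv7.php"},
    {"kind": "process", "image": r"C:\Program Files\Zoom\bin\Zoom.exe", "parent": r"C:\Windows\explorer.exe"},  # legitimate client
    {"kind": "http", "image": r"C:\Program Files\Zoom\bin\Zoom.exe", "method": "POST", "host": "zoom.us", "path": "/api"},
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE).items():
        print(image, "->", ", ".join(tags))
```

Only the copy in the temp folder is flagged; the legitimate Zoom client launched from Program Files produces no alerts.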
What To Do if Infected with WebMonitor RAT?
Cybercrime flourishes in this new and unprecedented situation because we are rushed to finish our tasks quickly. As we don't have the time to think about the potential risks, malware often slips onto our computers undetected and starts wreaking havoc. So, what do we do when the unfortunate happens?
Your best course of action is to use a professional anti-malware tool that is designed to deal with threats without damaging the operating system. As a bonus, if you are happy with the app, you can choose to keep it as an additional layer of protection that helps prevent future malware infections.
Of course, there are online tutorials that you can follow to remove the malicious program. However, such actions, performed by someone who is not a techie, could have negative consequences, such as data loss. Consider your options and choose what is best for you.