Kurhan - Fotolia
Cyber criminals are exploiting the popularity of the Zoom videoconferencing and collaboration application during the Covid-19 coronavirus pandemic to trick users into downloading a malicious cryptominer to their devices, according to Trend Micro threat researchers Raphael Centeno and Llallum Victoria.
Falling for this particular scam requires a user to have tried to download Zoom from a fraudulent website, instead of from Zoom itself, which is not at fault in this instance.
In this case, the legitimate Zoom installer (Zoom.exe) was bundled with the Win.32.MOOZ.THCCABO trojan, which drops the CoinMiner.Win64.MOOZ.THCCABO cryptomining malware (64.exe), as well as a helper program that checks for security and monitoring tools in an attempt to evade detection.
Cryptominers are a particularly dangerous piece of malware that take over and abuse compute resources on their victims’ machines in order to mine digital currency, such as bitcoin or monero, which are then directly transferred to the cyber criminals’ wallets.
Although they will not necessarily incur losses in the same way as through other strains of malware or ransomware, many victims will notice a phenomenon known as graceful degradation, in which their systems slow down, lag, overheat or crash because of the increased activity.
“The sudden need to transition to a work-from-home setup left enterprises with little time to ramp up security measures to ensure it fits the requirements demanded by remote work,” said Centeno and Victoria in a disclosure blog, which can be read in full on Trend Micro’s website. “It also exposes businesses to possible compromise due to threat actors abusing tools like videoconferencing apps to propagate malware.
“Users are advised to only download installers from applications’ official websites to avoid such compromise. Users should also follow best practices for securing work-from-home setups. A multi-layered protection approach is also recommended to effectively detect and block threats, regardless of where they are in the system.”
Centeno and Victoria said they have been working with Zoom to address and remediate the issue, but Marco Essomba, founder of London-based security services provider BlockAPT, said that because of the distribution method used by CoinMiner, Trend Micro’s latest discovery raised questions not just about how to defend against the myriad security threats surfacing during the pandemic, but over who exactly is responsible for doing so.
“Therefore, everyone needs to take on some responsibility,” said Essomba. “Organisations should implement an extra layer of protection by running an endpoint detection software across all devices.
“This will provide protection against unauthorised malware and other types of malicious programs from executing on employee devices. From the perspective of the individual user, keeping your Zoom software updated with the latest version and patches mitigates against most of these threats.”
Read more about Zoom
- Zoom’s rapid rise to prominence has highlighted a score of security problems with the service. Should CISOs try to steer their organisations away from it, or ban it outright?
- Two Zoom users are accusing the videoconferencing company of sharing data with Facebook without permission. Zoom’s privacy practices have come under increased scrutiny in recent weeks.
- This week’s Risk & Repeat podcast looks at several security issues Zoom faced over the last week, which led to questions about the company’s privacy and security practices.
Earlier this week, following pressure from users, media and the cyber security industry, Zoom rolled out promised new security features, enabling passwords on meetings and turning on its waiting room feature by default.
As of 4 April 2020, all Zoom meetings now have passwords enabled, meaning that if attendees are joining by clicking a meeting link with an embedded password, they will see no change, but those that join by entering a meeting ID will now have to enter a password.
This is intended to stop zoombombing, where uninvited participants who know the meeting ID crash and disrupt meetings. Video instructions on how to locate your meeting password can be found here.
The waiting room feature acts as a virtual staging area to stop people from joining Zoom meetings until the host is ready to admit them. Video instructions on how to use the feature can be found here.