Updated: Apr 14, 2020
Attackers are attempting to take advantage of Zoom's increasing user base since the COVID-19 outbreak started by registering hundreds of new Zoom-themed domains for malicious purposes.

Videoconferencing software company Zoom provides its customers with a cloud-based communication platform that can be used for audio and video conferencing, online meetings, as well as chat and collaboration via mobile, desktop, and telephone systems.

The company has seen a drastic increase of new monthly active users since the start of 2020 as millions of employees are now working from home, adding roughly 2.22 million new ones this year alone while only 1.99 million were added through 2019. In total, Zoom now has over 12.9 million monthly active users, with Bernstein Research analysts saying last month that it saw a user growth of about 21% since the end of last year, as CNBC reported.

Hundreds of new Zoom domains registered since the start of 2020

"During the past few weeks, we have witnessed a major increase in new domain registrations with names including 'Zoom', which is one of the most common video communication platforms used around the world," a Check Point Research report says.

This is an expected outcome seeing that threat actors are always trying to exploit the most popular trends and platforms as part of their ongoing attacks, as was made obvious by the huge increase of coronavirus-themed malicious campaigns spotted lately.

"Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week. Out of these registered domains, 4% have been found to contain suspicious characteristics."

The researchers also discovered malicious files using a zoom-us-zoom_##########.exe naming scheme which, when executed, will launch an InstallCore installer that will try to install potentially unwanted third-party applications or malicious payloads depending on the attackers' end goals.
InstallCore is marked as a potentially unwanted application (PUA) or potentially unwanted program (PUP) by various security solutions and it will, on occasion, disable User Access Control (UAC), add files to be launched on startup, install browser extensions, and mess with browsers' configuration and settings.

The InstallCore PUA was also being camouflaged as a Microsoft Teams installer, with the attackers employing the microsoft-teams_V#mu#D_##########.exe naming scheme to hide its malicious usage.

Check Point also noticed that other online collaboration platforms, including Google Classroom and Microsoft Teams, are being used by hackers as part of potential attempts to exploit their users.

"New phishing websites have been spotted for every leading communication application, including the official classroom.google.com website, which was impersonated by googloclassroom\.com and googieclassroom\.com," the researchers found.

Other researchers have seen Zoom users infected with the Neshta file-infecting backdoor virus, a malware strain known for collecting information on currently installed apps, running programs, and SMTP email accounts and delivering it to its operators. It is not known if these users already had this infection and their Zoom clients were infected after being downloaded or if they downloaded an already infected version from a web site.

"When using a known brand name in a website, the intention of the malicious actors is usually to hide among other legitimate websites and lure users by impersonating the original website or a relating service and getting the user's credentials, personal information or payment details," Check Point told BleepingComputer.

"Malware infections would usually occur via phishing emails with malicious links or files. The actual malware used can change based on the attackers' capabilities and goals."
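
For defenders triaging DNS logs and download telemetry, the sketch below flags hostnames that contain or closely resemble a brand label, and file names that fit the two installer naming schemes quoted above. It is an added example, not code from Check Point or BleepingComputer; the brand list, the distance thresholds, and the reading of each `#` as a single digit are assumptions.

```python
import re

# Naming schemes quoted in the article. Reading each '#' as one decimal digit
# is an assumption of this example.
INSTALLER_PATTERNS = {
    "zoom": re.compile(r"^zoom-us-zoom_\d{10}\.exe$", re.I),
    "microsoft-teams": re.compile(r"^microsoft-teams_V\dmu\dD_\d{10}\.exe$", re.I),
}
# Brand label -> official host (the brand list is an assumption).
BRANDS = {"zoom": "zoom.us", "googleclassroom": "classroom.google.com"}

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host):
    """Return 'official', 'contains:<brand>', 'lookalike:<brand>' or 'clean'."""
    host = host.lower().rstrip(".")
    if any(host == o or host.endswith("." + o) for o in BRANDS.values()):
        return "official"
    # Naive registrable label (second-to-last); real code should use the
    # Public Suffix List to handle suffixes such as co.uk.
    parts = host.split(".")
    label = (parts[-2] if len(parts) > 1 else parts[0]).replace("-", "")
    for brand in BRANDS:
        if brand in label:
            return f"contains:{brand}"
        # Short brands get a tighter threshold to limit false positives.
        if edit_distance(label, brand) <= (1 if len(brand) < 8 else 2):
            return f"lookalike:{brand}"
    return "clean"

def classify_installer(path):
    """Return the impersonated brand if the file name fits a quoted scheme."""
    name = re.split(r"[\\/]", path)[-1]
    for brand, pattern in INSTALLER_PATTERNS.items():
        if pattern.match(name):
            return brand
    return None

if __name__ == "__main__":
    for h in ("zoom.us", "googloclassroom.com", "example.org"):  # sample hosts
        print(h, "->", classify_domain(h))
```

A "contains" hit is only a triage signal: many legitimate domains include the word "zoom", which is consistent with the report finding suspicious characteristics in just 4% of the new registrations.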
Zoom privacy and security issues

Zoom's online collaboration platform has gone through its own issues as of late, with the developers having to patch a vulnerability in January that could have made it possible for a threat actor to potentially identify and join active and unprotected Zoom meetings.

A few days ago, Zoom also announced that it had decided to remove the Facebook SDK (Software Development Kit) from the Zoom iOS application after it was reported by Motherboard that it collected and sent device information to Facebook's servers.

"The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space," Zoom said.

Last year, Zoom also had to deal with another security vulnerability that allowed hackers to remotely execute code on Macs where the application was uninstalled via a maliciously crafted launch URL.

A different security flaw also patched last year would have allowed remote attackers to force Windows, Linux, and macOS users to join video calls with their video cameras forcibly activated.