Videoconferencing Malware, Vizom, Discovered


It was probably only a matter of time before cyber attackers targeted videoconferencing software in 2020. Apps such as Zoom enjoyed a bona fide boom this year because of the world health crisis. Researchers have discovered a new form of malware that uses remote overlay attacks to hit Brazilian bank account holders who use videoconferencing software.

Videoconferencing Malware Discovered

It was just a perfect scenario for cyber attackers to take advantage of. People are using videoconferencing software, such as Zoom, to visit with friends and family, connect with colleagues, or take part in remote learning. Many have never used the software before and are often unsure or frustrated as they sign on, which leaves them paying little attention to their security.

IBM security researchers Chen Nahman, Ofir Ozer, and Limor Kessem announced that they had discovered this malware that attacks users of videoconferencing software. It’s being utilized across Brazil to hit users of online financial software. The malware stays hidden while it compromises systems by using remote overlay techniques and DLL hijacking.

How Vizom Compromises Systems

Phishing campaigns spread Vizom, disguising it as Zoom. Once the malware reaches a Windows computer, it drops its files into the AppData directory to start infecting the system. Using DLL hijacking, it tries to get its malicious DLLs loaded by a legitimate application, naming them after files the attackers expect to find in that software's directories; the Delphi-based variants use the same trick.

IBM explained that by hijacking a system’s “inherent logic,” the operating system gets tricked into loading the malware as a child process of a real videoconferencing file. The DLL that is used is Cmmlib.dll, a file found on systems of Zoom users.


“To make sure that the malicious code is executed from ‘Cmmlib.dll,’ the malware’s author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address — the malicious code’s address space,” explained the researchers.
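The export-table trick the researchers describe leaves a measurable fingerprint: a DLL whose exports all resolve to one address. The following is an added example, not code from the original article or from IBM's research: a pure-Python parser that reads a PE file's export address table and flags that pattern, plus a constructed minimal PE fixture (the function names and the fixture builder are this example's own, not any real DLL).

```python
import struct

def export_address_table(data: bytes) -> list[int]:
    """Parse a PE image read from disk and return its export address table as a list of RVAs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # data directory 0 (export table) sits at +96 in a PE32 optional header, +112 in PE32+
    export_dir_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if export_dir_rva == 0:
        return []  # the module exports nothing
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva_to_offset(rva: int) -> int:
        for _, vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")
    edir = rva_to_offset(export_dir_rva)
    nfuncs = struct.unpack_from("<I", data, edir + 20)[0]     # NumberOfFunctions
    table_rva = struct.unpack_from("<I", data, edir + 28)[0]  # AddressOfFunctions
    return list(struct.unpack_from(f"<{nfuncs}I", data, rva_to_offset(table_rva)))

def exports_collapse_to_one_address(data: bytes) -> bool:
    """The pattern IBM describes: several exports, every one resolving to the same code address."""
    rvas = [r for r in export_address_table(data) if r]
    return len(rvas) > 1 and len(set(rvas)) == 1

def build_fixture_dll(rvas: list[int]) -> bytes:
    """Constructed fixture (hypothetical, not a real DLL): minimal PE32 with one export section."""
    n, sec_va, sec_raw = len(rvas), 0x1000, 0x200
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, 0, sec_va + 40, 0, 0)  # table follows dir
    body = edir + struct.pack(f"<{n}I", *rvas)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_va, len(body)) + b"\0" * 120
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (sec_raw - len(hdr)) + body

if __name__ == "__main__":
    legit = build_fixture_dll([0x1100, 0x1180, 0x1210])  # distinct functions, as in a real DLL
    hijacked = build_fixture_dll([0x1500] * 3)           # every export redirected to one address
    print(exports_collapse_to_one_address(legit), exports_collapse_to_one_address(hijacked))
```

Run `exports_collapse_to_one_address(open(path, "rb").read())` over the DLLs in an application's install directory to surface a module whose whole export list has been redirected; a DLL with a single export is deliberately not flagged, since that is common and tells you nothing.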

zTscoder.exe is launched from the command prompt, and a second payload, a Remote Access Trojan (RAT), is then pulled from a remote service. The same hijacking trick is performed on the Vivaldi Internet browser, and browser shortcuts are tampered with so that no matter which browser a user opens, the malicious Vivaldi/Vizom code runs in the background.

The malware just sits back and waits. It looks for an indication that an online banking service has been accessed. If the title of a web page matches what’s on the target list, operators receive an alert to remotely connect to the user’s PC.

With RAT capabilities already deployed, the cyber attackers take over and overlay content that tricks the user into handing over the credentials for their bank account.

Additionally, Windows API functions are abused to take over the mouse cursor, keyboard input, and clicks. Screenshots are even taken through Windows' print and magnifier functions.


The malware generates HTML files and loads them into Vivaldi while in application mode to create overlays that are convincing to the user. Next, a keylogger is launched. The input is encrypted, then packaged and sent to the attacker’s server.

“The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade, making it the top offender in the region,” explained IBM.

“At the time, Vizom focuses on large Brazilian banks; however, the same tactics are known to be used against users across South America and have already been observed targeting banks in Europe as well.”

If this is possible in Brazil and Europe, it seems it would be possible anywhere. It doesn’t mean you have to swear off using Zoom, but it does mean you have to be aware of this practice. Certainly, never give out your banking credentials, but that advice is no different with Zoom than anywhere else.

And don’t think that because you’re on a Mac that you’re safe from this. Macs had more malware detections than PCs in 2019. You just always need to be aware.

Laura Tucker