Operation Zoom WebMonitor
A legitimate Zoom installer was discovered downloading the RevCode WebMonitor remote administration tool onto the systems of unsuspecting users. The application was not hosted on Zoom's official download site or on official app stores. The backdoor used during the attack performs a range of commands including modifying, deleting, and adding registry keys and files, and exfiltrating system information. The malware checks for debugging and security tools, virtual environments, and specific files names and terminates execution if any are discovered.