
A new malware campaign has been identified distributing trojanized versions of Zoom installers bundled with cryptocurrency mining payloads. Detected as Trojan.Win32.MOOZ.THCCABO, this threat specifically targets remote workers by masquerading as legitimate video conferencing software. While current infection rates remain low, the attack demonstrates how cybercriminals are adapting to pandemic-era work patterns.
Technical Analysis of the Attack Chain
The malware arrives as a modified Zoom installer (version 4.4.0.0) distributed through unofficial sources. Unlike legitimate Zoom packages, these trojanized installers contain additional malicious components including a coinminer payload and persistence mechanisms. The attack begins when users download and execute the compromised installer from third-party sites rather than Zoom’s official domain.
Analysis reveals the package contains multiple files designed to evade detection. The malware replaces the first five bytes of certain files with NULL values to break signature-based detection and uses password-protected archives (JDQJndnqwdnqw2139dn21n3b312idDQDB) to conceal its payloads. Before activating the miner, the malware conducts extensive system reconnaissance through WMI queries to assess the victim environment’s suitability for cryptocurrency mining.
Malware Components and Behavior
The trojanized installer drops several components onto compromised systems. The primary payload, detected as Coinminer.Win64.MOOZ.THCCABO, is hidden within seemingly legitimate files including debug logs and DLLs. The malware establishes persistence through scheduled tasks named “SystemCheck” that execute from the %appdata% directory.
Notably, the malware checks for the presence of security products from vendors including Kaspersky, ESET, and Malwarebytes before proceeding with its mining operations. System information collected through WMI queries is exfiltrated to attacker-controlled servers via HTTP GET requests to URLs such as hxxps://2no[.]co/1IRnc.
Detection and Mitigation Strategies
Security teams should monitor for several indicators of compromise, including the campaign’s file hashes and the “SystemCheck” scheduled task. The malware creates files in temporary directories and establishes persistence through Windows Task Scheduler. Network traffic to the known malicious domains should be blocked at the firewall level.
For remediation, organizations should scan for and remove any scheduled tasks named “SystemCheck” and search for malicious files in temporary directories. PowerShell commands can help identify and remove the persistence mechanism. Endpoint detection solutions should be configured to monitor for WMI-based reconnaissance activities commonly associated with coinminer deployments.
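As an added example (not from the article or any vendor tooling), the following PowerShell script enumerates scheduled tasks matching the “SystemCheck” name, flags those whose action launches from a user-writable AppData or Temp location, records a hash of the launched binary for triage, and only with -Remove unregisters the flagged tasks. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later), an elevated session, and that the name pattern and path check are approximations of the article’s description rather than published IoCs.

```powershell
<#
  Added example: hunt for the "SystemCheck" persistence task and optionally
  remove it. Assumptions (not from the article): ScheduledTasks module present,
  elevated session; '*SystemCheck*' and the AppData/Temp path test are
  approximations of the described behaviour, not published indicators.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # default is report-only
)

# A task action launched from a user-writable profile or temp directory is the indicator here.
$userWritable = '\\AppData\\|\\Temp\\'

$findings = foreach ($task in Get-ScheduledTask | Where-Object TaskName -like '*SystemCheck*') {
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    foreach ($action in $task.Actions) {
        $exe        = [Environment]::ExpandEnvironmentVariables("$($action.Execute)")
        $arguments  = [Environment]::ExpandEnvironmentVariables("$($action.Arguments)")
        $suspicious = ($exe -match $userWritable) -or ($arguments -match $userWritable)

        # Record a SHA-256 of the launched binary for triage before anything is removed.
        $hash = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } else { $null }

        [PSCustomObject]@{
            TaskName    = $task.TaskName
            TaskPath    = $task.TaskPath
            Execute     = $exe
            Arguments   = $arguments
            Sha256      = $hash
            LastRunTime = $info.LastRunTime
            Suspicious  = $suspicious
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        Unregister-ScheduledTask -TaskName $f.TaskName -TaskPath $f.TaskPath -Confirm:$false
        Write-Host "Removed scheduled task $($f.TaskPath)$($f.TaskName)"
    }
}
```

Run it without -Remove first and review the table; the recorded hash and path can then be compared against the campaign’s indicators before the task is unregistered and the dropped file is handled according to the organisation’s incident response process.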
Security Implications for Enterprises
This campaign highlights the ongoing risks of software supply chain attacks, particularly against widely used collaboration tools. While the current payload focuses on cryptocurrency mining, the same distribution method could deliver more damaging malware. The attack demonstrates how attackers are leveraging legitimate software installers to bypass user suspicion.
Security teams should reinforce policies regarding software downloads and implement application whitelisting where possible. User education remains critical, as the attack relies on victims downloading Zoom from unofficial sources. Monitoring for the specific indicators of compromise can help detect potential infections before significant resource abuse occurs.