Recording meetings by zoom malware

Over the past few weeks, Morphisec Labs researchers identified a flaw in the Zoom application that can enable threat actors to record Zoom sessions at will and capture chat text without any of the meeting participants' knowledge. Morphisec's proof-of-concept malware can do this even when the host has disabled the recording function for participants.

The malware simulation shows an attack that takes place during a Zoom session between a victim and the attacker. Both are using the latest version of Zoom with all of its security features turned on and with antivirus software installed and running. The victim, who hosts the meeting in the video, disables recording for participants; the attacker leverages a weakness in the Zoom application to record the session anyway, despite not having recording privileges, and does so without the host's knowledge.

Here’s how:
  • The victim (Michael) sends his meeting invite to the attacker (Sally).
  • The attacker accepts the invite and joins the Zoom session with Michael.
  • Michael sends a chat message to show that messages can be sent and received, and Sally replies.
  • Sally asks Michael for permission to record the session. He denies the request by disabling recording privileges for attendees, as he is about to share confidential information.
  • Sally then launches malicious code that triggers the session recording. On her screen she can see that the session is indeed being recorded, but on Michael's host screen there is no indication that recording is taking place.
  • After the session ends, the malware manipulates Zoom so that the unauthorized recording is delivered to a location of Sally's choosing. She now has a full decrypted copy of the session, including the chat that supposedly wasn't recorded and every video that was shared. If webcams had been used, she would have those video feeds too.

Morphisec has alerted Zoom to this security weakness and to how malicious actors could exploit it.