
Hunting Zoom-Related Malware

This tutorial shows how to use PolySwarm to hunt for Windows samples that are potentially related to Zoom.

TrendMicro recently published a blog post on some malware exploiting the rise in Zoom popularity.

According to the article, the malware:

  • is a PowerShell script,
  • that embeds a 7-Zip extractor, and
  • 7-Zip-compressed copies of Tor, the coinminer (the actual malicious payload) and a legitimate Zoom installer.

If the infected computer is powerful enough (notably, if it has a discrete GPU), the malware mines cryptocurrency on the victim machine, with the miner's traffic routed over Tor.

TrendMicro published a handful of IOCs, including a C2 URL: https://2no.co/1O5aW.

Use Metadata search to find Artifacts that contain this URL:

  • via the CLI: polyswarm search metadata 'strings.urls:*2no.co*1O5aW'
  • via the Python library:
import os
from polyswarm_api.api import PolyswarmAPI

# The wildcards stand in for '/' and ':', which are reserved characters in the metadata query syntax.
query = 'strings.urls:*2no.co*1O5aW'

api = PolyswarmAPI(key=os.environ["POLYSWARM_API_KEY"])  # your PolySwarm API key
results = api.search_by_metadata(query)

for result in results:
    print(f"Artifact Attributes: {result.artifact}")

We get one result. Its hash was not among the IOCs published by TrendMicro, but it is clearly a PowerShell script matching the description in their blog post!
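The two steps above, turning a URL IOC into a wildcard metadata query and then separating hits that are already published IOCs from new findings, as an added example. This is not code from the PolySwarm tutorial or from the polyswarm-api library; it assumes that metadata search uses Elasticsearch query_string syntax (so ':' and '/' are reserved and are replaced with wildcards, which is why the tutorial writes *2no.co*1O5aW instead of the full URL), that search results expose sha256, filename and extended_type attributes, and that the POLYSWARM_API_KEY environment variable holds your key. The IOC hashes and sample records are constructed placeholders, not real data from the Trend Micro post. The PowerShell check is a filename and file-type heuristic, not the manual review the tutorial performed.

```python
import os
import re
from urllib.parse import urlsplit

# Runs of characters reserved in Elasticsearch/Lucene query_string syntax
# (assumed to be what PolySwarm metadata search accepts).
RESERVED = re.compile(r'[+\-=&|><!(){}\[\]^"~*?:\\/\s]+')


def url_to_wildcard_query(url, field="strings.urls"):
    """Build a wildcard query over `field` from a URL IOC.

    The scheme is dropped and every run of reserved characters becomes a
    single '*', so http:// and https:// variants and surrounding text in
    the sample's strings all match.  For https://2no.co/1O5aW this yields
    strings.urls:*2no.co*1O5aW, the query used in the tutorial.
    """
    parts = urlsplit(url)
    rest = parts.netloc + parts.path
    if parts.query:
        rest += "?" + parts.query
    token = RESERVED.sub("*", rest).strip("*")
    return f"{field}:*{token}"


def looks_like_powershell(record):
    """Heuristic: .ps1 filename or a file-type string mentioning PowerShell."""
    name = (record.get("filename") or "").lower()
    ftype = (record.get("extended_type") or "").lower()
    return name.endswith(".ps1") or "powershell" in ftype


def triage(records, published_sha256):
    """Split hits into already-published IOCs, new PowerShell, and other new samples."""
    out = {"known": [], "new_powershell": [], "new_other": []}
    for r in records:
        sha = (r.get("sha256") or "").lower()
        if sha in published_sha256:
            out["known"].append(sha)
        elif looks_like_powershell(r):
            out["new_powershell"].append(sha)
        else:
            out["new_other"].append(sha)
    return out


def run_search(query, published_sha256, records=None):
    """Triage `records`, or fetch them from PolySwarm when none are supplied.

    The network path needs POLYSWARM_API_KEY and the polyswarm-api package;
    the attribute names read from each result (sha256, filename,
    extended_type) are assumed, so they are read defensively.
    """
    if records is None:
        key = os.environ.get("POLYSWARM_API_KEY")
        if not key:
            raise RuntimeError("set POLYSWARM_API_KEY or pass constructed records")
        from polyswarm_api.api import PolyswarmAPI  # real client, does a network call
        api = PolyswarmAPI(key=key)
        records = [
            {
                "sha256": getattr(r, "sha256", ""),
                "filename": getattr(r, "filename", ""),
                "extended_type": getattr(r, "extended_type", ""),
            }
            for r in api.search_by_metadata(query)
        ]
    return triage(records, published_sha256)


# Constructed placeholders standing in for the hashes in the vendor's IOC list.
PUBLISHED_IOC_SHA256 = {"11" * 32}

# Constructed sample hits: one already-published IOC and one unseen .ps1 script.
SAMPLE_RECORDS = [
    {"sha256": "11" * 32, "filename": "zoom_setup.exe",
     "extended_type": "PE32 executable (GUI) Intel 80386, for MS Windows"},
    {"sha256": "22" * 32, "filename": "ZoomInstaller.ps1",
     "extended_type": "ASCII text, with CRLF line terminators"},
]

if __name__ == "__main__":
    q = url_to_wildcard_query("https://2no.co/1O5aW")
    print(q)
    for bucket, hashes in run_search(q, PUBLISHED_IOC_SHA256, SAMPLE_RECORDS).items():
        print(bucket, hashes)
```

Drop the `records` argument to `run_search` to query PolySwarm for real; the `new_powershell` bucket is where a hit like the tutorial's unpublished script would land, and `new_other` is what to review by hand next.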

2025 © PolySwarm Pte. Ltd.