IcedID malware campaign targets Zoom users

Cyber researchers warn of a modified Zoom app that was used by threat actors in a phishing campaign to deliver the IcedID Malware.

Cyble researchers recently uncovered a phishing campaign targeting users of the popular video conferencing and online meeting platform Zoom to deliver the IcedID malware.

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but the malicious code implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

The IcedID malware usually spreads malvertising campaigns using weaponized Office documents. However, in the campaign discovered by Cyble, threat actors used a phishing website, mimiking the legitimate Zoom website, to deliver the IcedID malware.

“The TAs behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware, which carries out malicious activities.” reads the analysis published by Cyble.

The landing page on the website contained a download button. Upon clicking on the button, the site delivered a Zoom installer file from the URL: hxxps[:]//explorezoom[.]com/products/app/ZoomInstallerFull[.]exe. The analysis conducted by the experts revealed that the file was a version of the IcedID malware.

Upon executing the “ZoomInstallerFull.exe” executable, the malware drops the binaries ikm.msi, maker.dll binaries in the in the %temp% folder.

The “maker.dll” is a malicious libraries used to perform various malicious activities and load the IcedID malware, while “ikm.msi” is a legitimate installer of the Zoom application.

Once installed, the IcedID malware attempts to connect the C2. If the malware can successfully connect to the C2 server, it can drop an additional malicious payloads in the %programdata% directory.

“IcedID is a highly advanced, long-lasting malware that has affected users worldwide.” concludes the report. “The threat actor utilized a phishing site in this specific campaign to deliver the IcedID payload. Threat actors are constantly adapting their techniques to evade detection by cybersecurity measures.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]