Cyble researchers recently uncovered a phishing campaign targeting users of the popular video conferencing and online meeting platform Zoom to deliver the IcedID malware.
IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but the malicious code implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.
The IcedID malware usually spreads malvertising campaigns using weaponized Office documents. However, in the campaign discovered by Cyble, threat actors used a phishing website, mimiking the legitimate Zoom website, to deliver the IcedID malware.
“The TAs behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware, which carries out malicious activities.” reads the analysis published by Cyble.
The landing page on the website contained a download button. Upon clicking on the button, the site delivered a Zoom installer file from the URL: hxxps[:]//explorezoom[.]com/products/app/ZoomInstallerFull[.]exe. The analysis conducted by the experts revealed that the file was a version of the IcedID malware.
Upon executing the “ZoomInstallerFull.exe” executable, the malware drops the binaries ikm.msi, maker.dll binaries in the in the %temp% folder.
The “maker.dll” is a malicious libraries used to perform various malicious activities and load the IcedID malware, while “ikm.msi” is a legitimate installer of the Zoom application.
Once installed, the IcedID malware attempts to connect the C2. If the malware can successfully connect to the C2 server, it can drop an additional malicious payloads in the %programdata% directory.
“IcedID is a highly advanced, long-lasting malware that has affected users worldwide.” concludes the report. “The threat actor utilized a phishing site in this specific campaign to deliver the IcedID payload. Threat actors are constantly adapting their techniques to evade detection by cybersecurity measures.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks'…
Cisco Talos warns of large-scale brute-force attacks against a variety of targets, including VPN services,…
This website uses cookies.