IcedID malware campaign targets Zoom users

Cyber researchers warn of a modified Zoom app that was used by threat actors in a phishing campaign to deliver the IcedID Malware.

Cyble researchers recently uncovered a phishing campaign targeting users of the popular video conferencing and online meeting platform Zoom to deliver the IcedID malware.

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but the malicious code implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

The IcedID malware usually spreads malvertising campaigns using weaponized Office documents. However, in the campaign discovered by Cyble, threat actors used a phishing website, mimiking the legitimate Zoom website, to deliver the IcedID malware.

“The TAs behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware, which carries out malicious activities.” reads the analysis published by Cyble.

The landing page on the website contained a download button. Upon clicking on the button, the site delivered a Zoom installer file from the URL: hxxps[:]//explorezoom[.]com/products/app/ZoomInstallerFull[.]exe. The analysis conducted by the experts revealed that the file was a version of the IcedID malware.

Upon executing the “ZoomInstallerFull.exe” executable, the malware drops the binaries ikm.msi, maker.dll binaries in the in the %temp% folder.

The “maker.dll” is a malicious libraries used to perform various malicious activities and load the IcedID malware, while “ikm.msi” is a legitimate installer of the Zoom application.

Once installed, the IcedID malware attempts to connect the C2. If the malware can successfully connect to the C2 server, it can drop an additional malicious payloads in the %programdata% directory.

“IcedID is a highly advanced, long-lasting malware that has affected users worldwide.” concludes the report. “The threat actor utilized a phishing site in this specific campaign to deliver the IcedID payload. Threat actors are constantly adapting their techniques to evade detection by cybersecurity measures.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.