
IcedID Malware Malvertised Zoom Installer


Researchers discovered a phishing campaign targeting Zoom users to deliver the IcedID malware.

IcedID is a banking trojan with capabilities similar to other financial threats such as Gozi, Zeus, and Dridex. These capabilities include launching man-in-the-browser attacks and intercepting and stealing financial information from victims.

As per the researchers, threat actors used a phishing website, mimicking the legitimate Zoom website, to deliver the IcedID malware. The landing page on the website contained a download button. Upon clicking on the button, the site delivered a Zoom installer file from the URL: hxxps[:]//explorezoom[.]com/products/app/ZoomInstallerFull[.]exe.


The file was a version of the IcedID malware. Upon execution of the ZoomInstallerFull.exe executable, the malware drops two binaries, ikm.msi and maker.dll, in the %temp% folder. maker.dll is a malicious library used to perform various malicious activities and to load the IcedID malware, while ikm.msi is a legitimate installer of the Zoom application.

Once installed, the IcedID malware attempts to connect to the C2 server. If the connection succeeds, it can drop an additional malicious payload in the %programdata% directory.
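As an added illustration of how a defender could hunt for the drop sequence described above (this is example code, not code from the original post or from Cyble), the following Python correlates constructed Sysmon-style file-creation events: a single process writing both an .msi and a .dll into %temp%, followed shortly by a write into %programdata%. The event records, the five-minute window and the sample file names are assumptions.

```python
"""Hunt for the drop pattern: one installer process writing an MSI plus a DLL
into %temp%, optionally followed by a write into %programdata%."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^[A-Z]:\\ProgramData\\", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample FileCreate events (not campaign telemetry):
# (timestamp, process image, pid, created file)
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:01", r"C:\Users\alice\Downloads\ZoomInstallerFull.exe", 4100,
     r"C:\Users\alice\AppData\Local\Temp\ikm.msi"),
    ("2023-01-10T09:00:02", r"C:\Users\alice\Downloads\ZoomInstallerFull.exe", 4100,
     r"C:\Users\alice\AppData\Local\Temp\maker.dll"),
    ("2023-01-10T09:00:40", r"C:\Windows\System32\rundll32.exe", 4188,
     r"C:\ProgramData\update\payload.dll"),
    ("2023-01-10T09:05:00", r"C:\Program Files\Zoom\bin\Installer.exe", 5200,
     r"C:\Users\alice\AppData\Local\Temp\zoom-setup.log"),  # benign, .log only
]

def parse(events):
    return [(datetime.fromisoformat(t), img, pid, path) for t, img, pid, path in events]

def find_temp_drops(events, window=WINDOW):
    """Return (image, pid, first_write_time) for every process that wrote both
    a .msi and a .dll into a %temp% folder within `window`."""
    by_proc = defaultdict(list)
    for t, img, pid, path in parse(events):
        if TEMP_RE.search(path):
            by_proc[(img, pid)].append((t, path.lower().rsplit(".", 1)[-1]))
    hits = []
    for (img, pid), writes in by_proc.items():
        writes.sort()  # earliest write first
        exts = {ext for t, ext in writes if t - writes[0][0] <= window}
        if {"msi", "dll"} <= exts:
            hits.append((img, pid, writes[0][0]))
    return hits

def find_programdata_followups(events, drops, window=WINDOW):
    """Writes into %programdata% shortly after a flagged drop: a candidate
    second-stage payload worth triaging."""
    followups = []
    for t, img, pid, path in parse(events):
        if PROGRAMDATA_RE.match(path):
            if any(timedelta(0) <= t - drop_t <= window for _, _, drop_t in drops):
                followups.append((img, pid, path))
    return followups
```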

Here, the threat actor utilized a phishing site in this specific campaign to deliver the IcedID payload. Threat actors are constantly adapting their techniques to evade detection by cybersecurity measures.

This research was documented by researchers from Cyble.

Researchers’ recommendations


Indicators of Compromise
