Zoom Phishing Site Delivers IcedID Malware, Poses Threat to User Banking Credentials

The image shows a computer with active Zoom call participants, next to an iPad, a phone, and a watch.
Zoom application has been phished to deliver IcedID malware.
Source: Unsplash

Cyber threat actors have created a phishing site impersonating the official Zoom video conferencing application to deliver IcedID malware to installers, according to a report Cyble Research and Intelligence Labs (CRIL) issued. IcedID, also referred to as “BokBot,” is designed to steal user banking credentials and primarily targets businesses. The phishing site impersonates the original Zoom site, leading unsuspecting users to download the IcedID along with the application. 

Threat actors usually deliver IcedID via spam emails. But this time, they used a phishing website to carry the malicious load, breaking away from their known methods. IcedID malware steals login credentials for banking sessions using man-in-the-browser attacks. The attackers use multiple injection methods and frequently update their IcedID operations to evade detection from scanners. 

The IcedID Zoom Phishing Scam: Technical Specifications

The image shows the Zoom phishing site which lets users download the software and malware.
Beware when downloading Zoom. You could be downloading malware along with the application.
Source: CRIL

The download URL for the latest IcedID phishing campaign is explorezoom.com, as opposed to the official Zoom.us. This highlights the importance of always checking domains before downloading anything online. Closely examining domain names or URLs can help reveal whether a download is legitimate. 

Upon download, the Zoom IcedID malware drops two files into the temp folder: ikm.msi and maker.dll. Ikm.msi is a legitimate Zoom file, put there intentionally to lull suspicion. Users downloading from the link may use the application unaware of the threat. The second file, maker.dll, is highly malicious. It’s initiated using rundll32.exe with the “init” parameter. When executed, it uploads the IcedID malware into the memory. 

The IcedID malware is a 64-bit DLL file that uses the following Windows API functions to gather user information and converts the output into numerical data:

  • GetTickCount64()
  • ZwQuerySystemInformation()
  • RtlGetVersion()
  • GetComputerNameExW()
  • GetUserNameW()
  • GetAdaptersInfo()
  • LookupAccountNameW()

Later, in the final stage of malware execution, IcedID assigns an ID to the converted numbers and sends them to the C&C server as a cookie. The malware then deploys more malware strains in the %programdata% directory of the C&C server. 

IcedID Malware IOCs and Recommendations

The image shows a table of IcedID indicators of compromise.
Network admins should know the ins and outs of IcedID malware to stay ahead of the curve.
Source: CRIL

CRIL has listed the indicators of compromise (IOCs), including the malicious link, SHA addresses, domains, and IP addresses. This is useful information for security researchers and network administrators, who can use it to avoid falling prey to the same threats. CRIL has also listed some security recommendations, which are often standardized after a cybercrime event. These include:

  • Enforcing strong passwords and 2FA as much as possible
  • Employing automatic software and patching updates across multiple devices and platforms
  • Using a high-quality malware scanning tool in tandem with antivirus software
  • Holding employee awareness training for suspicious URLs, particularly in email links
  • Blocking known malware-distributing URLs

Out of all the recommendations, companies shouldn’t underestimate the importance of malware detection and antivirus tools. Even if these fail to prevent the initial breach, they reduce the detection time and, thus, limit the cost and severity of an attack. Early detection helps contain the threat within a few hours rather than weeks or months. This has major cost implications for businesses. 

In its report, CRIL has also detailed the methods of attack used in this latest IcedID malware campaign to help network administrators and business owners identify the attack patterns. These include T1071 and T1095 C&C tactics, which relate to application and non-application layer protocols. Execution tactics include T1204 and T1059, which relate to user execution and the command and scripting interpreter. 

Software Impersonations Becoming Increasingly Sophisticated

The image shows a table of attack techniques used in the IcedID Zoom phishing campaign.
Updated attack vectors often pass by undetected.
Source: CRIL

Since the Covid-19 pandemic, cybercriminals have increasingly sought to compromise remote work applications like Zoom. Two reasons that make such applications such prime targets for cybercriminals are their widespread adoption and that they serve as means to access more lucrative businesses outside a highly secured network. 

The issue here isn’t just the scale of these attacks — but that these are becoming increasingly adaptive and versatile with time. Cybercriminals are continually tweaking and adapting their models, leaving researchers a step behind in mapping their attack patterns and developing software that can fend them off. 

Commenting on the threat posed by IcedID, CRIL refers to it as a “highly advanced, long-lasting malware that has affected users worldwide.” Cybercrime groups, including Emotet, TrickBot, and Hancitor, have also deployed IcedID malware. Though it’s usually spread through email phishing, cybercriminals created a phishing site to carry the malware in this instance. This also marks the first time that threat actors have used such tactics for deploying IcedID malware.

Yet, despite their sophistication, such attacks are easy to mitigate. For instance, users only need to practice a little awareness and caution to discern the legitimacy of software applications. Email phishing attacks often contain grammatical errors, typos, and poor English. 

Moreover, some websites intentionally use incorrect URLs, known as typosquatting, to masquerade as the original website it’s impersonating. Hurried employees looking to download applications quickly may overlook these subtle signs and unwittingly invite trouble. 

While commercial and enterprise networks may prevent these downloads automatically, remote employees who can navigate any site may be more at risk from the IcedID variant. Since many businesses nowadays employ large remote staff, this could spell disaster for the safety and integrity of a company’s internal communication and sensitive information.

The Key to Staying Safe from Malware in 2023

The best way to remain safe from malware online is to take a pause before downloading an application from any site, as legitimate as it may seem. Cybercriminals are even exploiting Google Ads to rank their phishing site higher in the SERPs to assume legitimacy and trick users into downloading from malicious links. 

Aside from Zoom, other applications targeted through the MasquerAds campaign include AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Audacity, Teamviewer, Brave, and more. Under such circumstances, a user’s best defense is exercising vigilance online. A momentary pause and a closer look can reveal what even sophisticated software might fail to detect. 

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top