Researchers at Cyble Research & Intelligence Labs (CRIL) found new instances of a malware campaign targeting Zoom users. The TA uses a modified version of the Zoom app to deploy a phishing attack to deliver the IcedID malware.
Modded Zoom app, high on IcedID malware
In this instance, hackers found a way to inject the malware into the app and use it for their malicious campaigns. The cybercriminals behind the attack use the IcedID malware, also known as BokBot. The trojan is popular in the underground markets and can steal victims’ banking credentials.
According to researchers, the trojan was designed to steal financial information from organizations and can be used as a loader to deploy other malware onto the victim’s devices.
IcedID is malware primarily used to steal financial information from its victims. It is typically distributed through phishing campaigns, in which victims are tricked into downloading and installing the malware onto their devices by clicking on a malicious link or attachment. Once installed, IcedID can harvest login credentials and other sensitive information, such as credit card numbers and bank account details. It can also download and install malicious software onto the infected device, giving attackers further access and control over the system.
In this case, the hackers used a phishing website to spread the IcedID malware. The attackers created a phishing page that looks like a legitimate Zoom website to deceive users into downloading the IcedID malware.
The campaign runs through a phishing website that provokes the user to click on a download button — downloading the modded Zoom application. Once the user downloads and installs the application, they’ll be at risk because it has been masked as Zoom, while IcedID is the main component of the app.
IcedID is a sophisticated, long-lasting malware that has infected victims worldwide. It’s regularly disseminated as a secondary payload by well-known threats like Emotet, TrickBot, and Hancitor. The malware follows the direction of spam emails and uses Office files and documents to spread into the victim’s system.
In the campaign found by CRIL, the threat actor delivered the IcedID payload via a phishing site. It evaded detection using sophisticated techniques that hindered security protocols on the victim’s devices.