New IcedID Campaign Distributes Malware Through Fake Zoom Installer

NJCCIC Alert

Original Release Date: 1/12/2023

Summary

On January 5, Cyble Research & Intelligence Labs published its discovery of a phishing campaign targeting users of the Zoom application. In this campaign, threat actors created a convincing webpage, explorezoom[.]com, that resembles an official Zoom domain and distributes IcedID malware. The phishing page encourages users to download a file called ZoomInstallerFull.exe, which is presented as a legitimate Zoom installer. In reality, this file is the IcedID malware disguised as an installer; it also downloads the genuine Zoom application so that the victim sees an expected installation and the malicious behavior is concealed. IcedID, also known as BokBot, is a trojan used to steal banking credentials and is commonly distributed to businesses through phishing emails containing malicious Microsoft Office file attachments. In addition, IcedID may act as a loader with the ability to download additional malicious files. IcedID is not typically distributed through fake websites, making this phishing campaign an unusual method of spreading this malware.

Recommendations

The NJCCIC advises users to download software only from the application’s official website or legitimate vendors and to avoid pirated software from unofficial sources, such as Torrent and Warez websites. Additionally, users are urged to avoid opening suspicious links or email attachments without verifying the authenticity of the sender. More information and technical details can be found in the Cyble article.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
