Beware of Modified Zoom App that Delivers Banking Malware IcedID Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A malicious IcedID malware campaign was identified recently by Cyble researchers through which threat actors are actively spreading malware using modified versions of the Zoom application that have been trojanized.

Due to the growing awareness of the COVID-19 pandemic in recent years, Zoom has become increasingly popular in recent years. A dramatic increase in remote work has been observed since the COVID-19 pandemic emerged, and virtual communication tools have become increasingly important.

While the majority of malware is delivered to users’ machines by threat actors using these types of software tools as a means of delivering malware.

IcedID Banking Malware Via Zoom App

A large number of businesses are being targeted by this campaign in an attempt to steal sensitive information as well as dump additional malware onto the computers of the victims. 

In addition to its capacity to act as a loader, IcedID can also download additional modules from the internet or deliver other malware families as well.

Most commonly, IcedID spreads through spam email attachments attached to malicious Office files. In this campaign, the attackers tried something different, as they used a phishing website to deliver the IcedID payload to the victim. 

This mechanism or procedure is an unusual way of delivering the IcedID payload to a victim, as IcedID itself is not typically distributed this way.

Technical Analysis

A phishing website with a download button was created by the attackers in order to lure people to click on it. It prompted users to download a Zoom installer file from the following URL when they clicked on the Zoom button:-

  • hxxps[:]//explorezoom[.]com/products/app/ZoomInstallerFull[.]exe
Modified Zoom App

There are two binaries that are dropped in the %temp% folder as a result of executing the “ZoomInstallerFull.exe” file, and here below we have mentioned them:-

ikm[.]msi: It’s a legitimate installer, and it installs the Zoom app on the user’s system.

maker[.]dll: This file carries out various malicious activities

Zoom software malware

Now with the “init” parameter the execution of the “maker.dll” file is done at this point by the “ZoomInstallerFull.exe” with the help of rundll32.exe.

The program also runs an installer of the Zoom application, called “ikm.msi”, so as to avoid suspicion, and this installation is done in the following directory:-

  • %programfiles%

The use of this method allows threat actors to disguise their intentions and trick users into believing the Zoom software is legitimate that they are installing.

The IcedID malware is loaded by the malicious DLL file known as “maker.dll” and the execution of this program loads into memory the original IcedID DLL file.

During the installation process, the IcedID malware was loaded into the memory of computer as a 64-bit DLL file. And this is done with the following SHA256 hash:-

  • 2f3dddb9952e0268def85fbe47f253056077894ce6bd966120654324787b83be

As soon as the malware has been executed, it begins decrypting the data. Following that, it obtains the URL for the C&C and the Campaign ID from the server.

The IcedID banking malware is one of the most advanced and long-lasting viruses that has affected users all over the world for many years.

Numerous well-known threats have distributed it as a subsequent payload at various times, including the following:-

Recommendations

Here below we have mentioned all the recommendations:-

  • Ensure that you do not download pirated software from the internet.
  • Enforce multi-factor authentication and use strong passwords.
  • Make sure that automatic software updates are enabled.
  • Make use of a reputable anti-virus and internet security program.
  • Do not open email attachments or links from untrusted sources without verifying their authenticity first.   
  • Provide employees with information on how to protect themselves against phishing attacks and untrusted URLs.  
  • Malware-distributing URLs should be blocked.
  • To protect data from being exfiltrated by malware or Trojans, it is necessary to monitor the beacon at the network level.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book