
IcedID malware is targeting users with a modified Zoom app


Researchers over at Cyble have identified an IcedID malware campaign that’s using trojanised versions of the popular video conferencing app Zoom to target businesses and steal sensitive information in addition to dropping additional malware on the victim’s computer. 

The campaign is similar to one where hackers used Google Ads to impersonate legitimate programs. The threat actors would bundle malware alongside the program’s installation file and set up fake phishing sites to lure users into downloading malware. 

The fake Zoom download page. | Source: Cyble

Once on the target machine, the malicious download would install the program the user had asked for, along with the Raccoon Stealer and the IcedID malware loader.

Cyble reports that this campaign follows a very similar structure: the threat actors have set up phishing websites that look identical to the Zoom site. When users click the download button, a malicious version of Zoom bundled with the IcedID malware loader is downloaded to the victim’s computer.

Running this malicious file drops and launches two separate components from the Windows %temp% directory:

  • ikm.msi
  • maker.dll

While ikm.msi is a legitimate Zoom installer, maker.dll loads the full IcedID malware DLL into the system’s memory upon execution. This is done alongside ikm.msi’s execution to avoid suspicion and trick the user into thinking they’re installing a legitimate version of Zoom. 
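As an added, defender-side example that is not part of Cyble's report or this article: the heuristic below, run over constructed endpoint telemetry, flags a process that writes both an .msi and a .dll into a Temp directory within a short window when that DLL is subsequently loaded, which is the ikm.msi/maker.dll pattern described above. The event schema, the process name ZoomInstaller.exe, the user path and the timestamps are all assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not taken from Cyble's report): simplified
# endpoint events with a timestamp, event type, acting process and file path.
EVENTS = [
    {"ts": "2023-01-05T10:00:01", "type": "FileCreate", "proc": "ZoomInstaller.exe", "path": r"C:\Users\u\AppData\Local\Temp\ikm.msi"},
    {"ts": "2023-01-05T10:00:01", "type": "FileCreate", "proc": "ZoomInstaller.exe", "path": r"C:\Users\u\AppData\Local\Temp\maker.dll"},
    {"ts": "2023-01-05T10:00:02", "type": "ProcessCreate", "proc": "msiexec.exe", "path": r"C:\Users\u\AppData\Local\Temp\ikm.msi"},
    {"ts": "2023-01-05T10:00:03", "type": "ImageLoad", "proc": "ZoomInstaller.exe", "path": r"C:\Users\u\AppData\Local\Temp\maker.dll"},
    # Benign control: an installer that stages only an MSI and no side DLL.
    {"ts": "2023-01-05T11:00:00", "type": "FileCreate", "proc": "setup.exe", "path": r"C:\Users\u\AppData\Local\Temp\real.msi"},
    {"ts": "2023-01-05T11:00:01", "type": "ProcessCreate", "proc": "msiexec.exe", "path": r"C:\Users\u\AppData\Local\Temp\real.msi"},
]

def is_temp_path(path):
    """True when any directory component of a Windows path is 'Temp'."""
    parts = path.lower().replace("/", "\\").split("\\")
    return "temp" in parts

def find_temp_sideload_pairs(events, window=timedelta(seconds=30)):
    """Return (dropper, msi_name, dll_name) triples where one process wrote an
    .msi and a .dll into a Temp directory within `window` of each other and
    that .dll was later loaded into some process."""
    drops = defaultdict(list)   # dropper process -> [(timestamp, path)]
    loaded_dlls = set()         # lower-cased paths of DLLs seen in ImageLoad events
    for e in events:
        path = e["path"]
        if not is_temp_path(path):
            continue
        if e["type"] == "FileCreate":
            drops[e["proc"]].append((datetime.fromisoformat(e["ts"]), path))
        elif e["type"] == "ImageLoad" and path.lower().endswith(".dll"):
            loaded_dlls.add(path.lower())
    findings = []
    for dropper, files in drops.items():
        msis = [(t, p) for t, p in files if p.lower().endswith(".msi")]
        dlls = [(t, p) for t, p in files if p.lower().endswith(".dll")]
        for t_msi, msi in msis:
            for t_dll, dll in dlls:
                if abs(t_msi - t_dll) <= window and dll.lower() in loaded_dlls:
                    findings.append((dropper, ntpath.basename(msi), ntpath.basename(dll)))
    return findings

if __name__ == "__main__":
    for dropper, msi, dll in find_temp_sideload_pairs(EVENTS):
        print(f"suspicious: {dropper} staged {msi} with side DLL {dll} in Temp")
```

The benign control installer produces no finding because it never writes a companion DLL, so the rule keys on the pairing rather than on MSI execution from Temp alone.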

Once loaded into memory, the malware decrypts its configuration and obtains its Command and Control (C2) URL and campaign ID. From here on, the malware uses Windows API functions such as GetTickCount64() and GetUserNameW(), along with the CPUID instruction, to collect system information.

The dropper loads the original IcedID DLL file into memory upon execution. | Source: Cyble

This information is then converted into numerical data, which is sent to the C2 server in the form of cookies. Additionally, once connected to the C2 server, the malware can drop further malicious payloads into the %programdata% directory.

According to Cyble, the C2 server wasn’t functioning at the time of detection. Additionally, the end payload responsible for extracting sensitive information, including financial details, could not be analysed. 
