Threat Research

Zoom Users At Risk In Latest Malware Campaign – Cybersecurity Blog By Cyble

Securonix

Cyble researchers identified a phishing campaign that uses a Zoom-themed page to deliver the IcedID payload. Attackers drop two binaries, disguise Zoom installation, load IcedID in memory, gather system details, and communicate with a C2 server via a cookie-like data exfiltration. #IcedID #BokBot #Zoom #ZoomInstallerFull #maker.dll #ikm.msi #Cyble #CRIL #Emotet #TrickBot #Hancitor

Keypoints

  • The campaign targets Zoom application software with a phishing site delivering the IcedID banking Trojan loader, a departure from IcedID’s typical email-based delivery.
  • The attackers drop ikm.msi and maker.dll in the %temp% folder; maker.dll loads IcedID, while ikm.msi installs Zoom to conceal malicious activity.
  • The loader uses rundll32.exe with the init parameter to execute maker.dll, further masking its actions and appearance of legitimate software.

MITRE Techniques

  • [T1566.001] Phishing – Phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware. ‘highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware’
  • [T1218.011] Rundll32 – ‘executes maker.dll using rundll32.exe with the init parameter’ to run the loader
  • [T1036.003] Masquerading – ‘ikm.msi installer, which installs the Zoom application in the %programfiles% directory, … conceal their true intentions’
  • [T1140] Deobfuscate/Decode Files or Information – ‘performs a decryption operation and obtains the C&C URL and the Campaign ID’
  • [T1082] System Information Discovery – ‘gathers system information from the victim’s machine’ using various Windows APIs
  • [T1518] Security Software Discovery – ‘information about whether the victim’s machine is running in a virtual environment’
  • [T1055] Process Injection – ‘IcedID is loaded in memory via maker.dll’ (loader loads the IcedID payload into memory)
  • [T1071] Application Layer Protocol – ‘sends them to the C&C server as a “Cookie”’ (C2 communication)

Indicators of Compromise

  • [SHA256] 9108e1d22d74bc5397b8886edc4f0a84b8906436a648ef8a86f30cf7e08978dd – ZoomInstallerFull.exe
  • [SHA256] 3c9cd4cf008ed70df41cc270c77055f6edac139ec7ec2a9c3de1b21c1a294ca7 – Maker.dll (IcedID loader)
  • [SHA256] 2f3dddb9952e0268def85fbe47f253056077894ce6bd966120654324787b83be – IcedID payload
  • [URL] hxxps[:]//explorezoom[.]com/products/app/ZoomInstallerFull[.]exe – Zoom download link containing IcedID loader
  • [Domain] Trbiriumpa[.]com – C&C
  • [IP] 143.198.92.88 – C&C

Read more: https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign/