Beware Of Modified Zoom App Delivering Banking Malware
A modified version of the popular video conferencing application Zoom has recently been discovered distributing the IcedID banking malware, posing a considerable threat to both businesses and individuals. IcedID functions as a loader, either downloading additional modules or delivering other malware onto compromised systems. This variant is being disseminated through a phishing website that prompts users to download the modified Zoom installer. Upon installation, two binaries are placed in the %temp% folder, while the Zoom application itself is installed in the %programfiles% directory to avoid arousing suspicion. IcedID is then loaded into memory by a malicious DLL file called maker.dll. Once in memory, the malware decrypts its data and retrieves from a remote server the URLs it uses for credit card information and campaign identification. IcedID has been impacting users worldwide for a number of years and is often distributed as a secondary payload by well-known threats such as Emotet and TrickBot. To mitigate this threat, it is recommended to refrain from downloading pirated software, implement multi-factor authentication, utilize strong passwords, enable automatic software updates, and employ reputable antivirus and internet security programs. Additionally, blocking URLs associated with malware distribution, monitoring network beacons, and educating personnel on phishing attacks and untrusted URLs can aid in preventing infection.
Key Takeaways
- IcedID malware is being delivered through a modified Zoom app, targeting businesses for sensitive information and additional malware.
- The malware is delivered through a phishing website, where users are prompted to download a modified Zoom installer file.
- The malicious DLL file maker.dll is used to load the IcedID malware into memory, which then decrypts data and obtains URLs for CC and Campaign ID from a server.
- To protect against such threats, it is recommended to avoid downloading pirated software, enforce multi-factor authentication, use strong passwords, enable automatic software updates, and use reputable antivirus and internet security programs.
IcedID Malware Overview
The IcedID malware, which acts as a loader and downloads modules or delivers other malware, has been observed being delivered to victims through a phishing website, making it a concerning threat for businesses that are targeted for sensitive information and seeded with additional malware. Detecting IcedID is crucial for businesses because it can compromise systems and steal valuable data. This banking malware has a significant impact on businesses, as an infection can lead to financial loss, reputational damage, and legal consequences. IcedID is also distributed as a subsequent payload by well-known threats like Emotet and TrickBot, further increasing its potential to cause harm. It is essential for businesses to implement robust security measures, such as multi-factor authentication, strong passwords, and reputable antivirus programs, to mitigate the risk of IcedID infiltrating their systems. Regular monitoring, employee education, and blocking of malicious URLs are also recommended to protect against this threat.
Technical Analysis
Based on the technical analysis, the attackers created a phishing website that prompts users to download a modified installer file from a specific URL. The phishing website tricks users into downloading the Zoom app from an untrusted source, exposing them to the risks described under Zoom app vulnerabilities. Once the user runs the installer file, two binaries, ikm.msi and maker.dll, are dropped in the %temp% folder. ZoomInstallerFull.exe then executes the maker.dll file using rundll32.exe. To avoid suspicion, the genuine Zoom app is installed in the %programfiles% directory. The malicious DLL file, maker.dll, is responsible for loading the IcedID banking malware into memory. This malware sample is identified by a specific SHA256 hash and is known for decrypting its data and obtaining the URLs for credit card information and campaign IDs from a server. IcedID is often distributed as a subsequent payload by well-known threats like Emotet and TrickBot. The technical analysis reveals the tactics used by the attackers to deliver the banking malware through a modified Zoom app and emphasizes the importance of being cautious when downloading software and verifying the authenticity of websites.
| Phishing Website Tactics | Zoom App Vulnerabilities |
|---|---|
| Creation of a deceptive website with a download button | Exploitation of vulnerabilities in the Zoom app |
| Prompting users to download the modified installer file | Potential for unauthorized access to sensitive information |
| Tricking users into believing the website is legitimate | Possibility of additional malware being delivered |
| Evasion of detection and suspicion through installation in the %programfiles% directory | |
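As an added example (not code from this write-up, from Zoom, or from any vendor), the following Python detection logic flags the execution chain described above in normalised process-creation telemetry: a parent process outside Windows or Program Files launching rundll32.exe with a DLL located in %temp%. The event field names, the sample events and the DLL export names are constructed assumptions, not a real product's schema.

```python
import re

# Drop locations named in the analysis (%temp%), as they appear in full paths.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Where legitimately installed software normally runs from; used to cut noise.
TRUSTED_PARENT_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")
# First argument of rundll32: the DLL path, optionally quoted, before ",Export".
DLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under(path: str, markers) -> bool:
    p = path.lower()
    return any(m in p for m in markers)


def is_temp_dll_sideload(event: dict) -> bool:
    """rundll32 loading a DLL from %temp% on behalf of an untrusted parent.

    A genuine Zoom install has no reason to hand a %temp% DLL to rundll32;
    the modified installer does exactly that with maker.dll.
    """
    if _basename(event.get("image", "")) != "rundll32.exe":
        return False
    m = DLL_ARG_RE.search(event.get("command_line", ""))
    if not m or not _under(m.group(1), TEMP_MARKERS):
        return False
    return not _under(event.get("parent_image", ""), TRUSTED_PARENT_DIRS)


def flagged_parents(events) -> list:
    """Parent process of every event the rule matches (for SIEM alerting)."""
    return [e["parent_image"] for e in events if is_temp_dll_sideload(e)]


# Constructed sample telemetry (export names are placeholders): one malicious
# chain and two benign rundll32 launches that the rule must not flag.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\maker.dll",Export'},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent_image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\helper.dll",Run'},
]
```

Running `flagged_parents(SAMPLE_EVENTS)` returns only the downloaded installer; the trusted-parent exemption is a noise filter and can be dropped where rundll32 loading any %temp% DLL should alert.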
Zoom Software Vulnerability
In the context of software vulnerabilities, the Zoom application exposes users to potential risks and unauthorized access to sensitive information. The Zoom software vulnerability poses significant concerns for users due to its potential to compromise data security. While Zoom has implemented various security measures to address these vulnerabilities, it is crucial for users to remain vigilant and take additional precautions. Users should ensure that they download the Zoom app from official and reputable sources to avoid modified versions that may contain malware. It is also essential to keep the Zoom app and other software up to date by enabling automatic updates. Additionally, users should utilize reputable antivirus and internet security programs to protect against potential threats. By following these security measures, users can minimize the risks associated with the Zoom software vulnerability.
Security Recommendations
To enhance cybersecurity measures, it is recommended to enforce multi-factor authentication, enable automatic software updates, and utilize reputable antivirus and internet security programs. These measures are crucial in preventing phishing attacks and detecting malware. Multi-factor authentication adds an extra layer of security by requiring users to provide additional verification, such as a unique code sent to their mobile device, in addition to their password. Enabling automatic software updates ensures that the latest security patches and fixes are installed, reducing the risk of vulnerabilities. Reputable antivirus and internet security programs are essential for detecting and blocking malicious software, including phishing websites and malware. These programs use sophisticated algorithms and databases to identify and quarantine potential threats, safeguarding against unauthorized access and data breaches. By implementing these recommendations, organizations can strengthen their defenses against phishing attempts and enhance their malware detection capabilities.
Protection Measures
Protection measures can be implemented to safeguard against the distribution of malware and to prevent data exfiltration. These measures include:
- Network monitoring: Regularly monitoring the network for any suspicious activities or anomalies can help detect and prevent malware distribution. This can be done through the use of intrusion detection and prevention systems, as well as security information and event management (SIEM) tools.
- Employee training and awareness: Educating employees about the risks of malware and phishing attacks is crucial. Training programs should cover topics such as how to identify and report suspicious emails, the importance of strong passwords, and the risks associated with downloading unauthorized software or visiting untrusted websites.
- Implementing strong access controls: Restricting access to sensitive data and systems can help prevent unauthorized access and reduce the risk of malware infection. This can be achieved through the use of strong passwords, multi-factor authentication, and role-based access controls.
- Regular software updates: Keeping all software, including operating systems, applications, and security tools, up to date with the latest patches and updates is essential for mitigating vulnerabilities that could be exploited by malware.
- Implementing a robust backup and recovery strategy: Regularly backing up important data and having a well-defined recovery plan in place can help minimize the impact of a malware attack and ensure business continuity.
By implementing these protection measures, organizations can significantly reduce the risk of malware distribution and data exfiltration.
Frequently Asked Questions
How does the IcedID malware target businesses for sensitive information?
IcedID malware targets businesses to obtain sensitive information, posing significant consequences. Prevention measures include enforcing multi-factor authentication, using strong passwords, enabling automatic software updates, and implementing reputable antivirus and internet security programs.
What are the specific steps involved in the technical analysis of the modified Zoom app?
The technical analysis identifies the following steps in the attack: the attackers created a phishing website with a download button, prompted users to download the modified Zoom installer file from a specific URL, and had the installer drop two binaries in the %temp% folder.
What other types of malware can be delivered through the phishing website used in this attack?
Phishing websites can deliver various types of malware, including ransomware and keyloggers. These malicious programs can exploit vulnerabilities, encrypt files, and steal sensitive information. It is crucial to be cautious and implement security measures to protect against such threats.
How long has the IcedID banking malware been affecting users worldwide?
The IcedID banking malware has been affecting users worldwide for an extended period. Its widespread impact and continued evolution indicate that it remains an active threat. The malware is distributed through various means, including phishing websites.
Can the IcedID malware be distributed through any other well-known threats besides Emotet and TrickBot?
Yes, the IcedID malware can be distributed through other well-known threats besides Emotet and TrickBot. It has been observed as a subsequent payload delivered by various malware families, highlighting potential vulnerabilities in the Zoom app and the impact of banking malware on individuals and businesses.