Modified Zoom App Spreading Banking Malware, Putting Zoom Users at Risk
Key Points
- A modified Zoom app is being used to distribute IcedID banking malware.
- IcedID malware is a banking Trojan that can steal sensitive information.
- Users are advised to be cautious when clicking on links, especially from unfamiliar sources, to protect against these attacks.
- Using a well-known and trusted brand such as Zoom in a phishing attack increases the chances of a successful infection.
- Monitoring and logging system activity and staying informed about the latest malware threats and trends can help detect and prevent malware infections.
Cybercriminals have launched a phishing campaign targeting Zoom video-conferencing application users. The malicious site masquerades as the official Zoom site in an attempt to download IcedID malware onto any unsuspecting users who visit. This particular malware, also known as “BokBot,” is designed to steal user banking credentials and primarily targets businesses.
IcedID is usually disseminated via spam emails, but in this case, the threat actors have utilized a phishing website to deliver their malicious payload – a break from their usual methods. IcedID carries out man-in-the-browser attacks to acquire login credentials for banking sessions. The attackers frequently alter their IcedID operations to evade detection from security scanners.
What’s the Background Story?
IcedID, also known as BokBot, began as a banking Trojan in 2017 and later became a tool for delivering other types of malware. It is similar to Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin. IcedID is delivered through various methods, particularly following Microsoft’s decision to block macros in Office files from the web.
Reports detail an attack that starts with an ISO image file within a ZIP archive, leading to the execution of IcedID. The malware establishes itself on the infected host by creating a scheduled task. It connects to a remote server to download additional payloads, such as the Cobalt Strike Beacon, for further reconnaissance.
By utilizing IT tools, attackers can create an additional way into a system, known as a “backdoor,” in case their primary access is detected and removed. These tools are less likely to be recognized by antivirus software or endpoint detection and response systems, and alerts on them may be dismissed as false positives. This is a common practice among attackers to ensure a second chance to re-enter the targeted systems.
Modified Zoom App Distributing IcedID Banking Malware
Cyble Research & Intelligence Labs (CRIL) has reported that threat actors modified the popular video conferencing app Zoom and used a fake website to deliver malware to Zoom users in a phishing attack. The attackers have taken advantage of users’ trust in the Zoom brand to trick them into downloading malware onto their devices.
The recent phishing campaign against potential Zoom users clearly shows how malicious actors are taking advantage of the popularity of video conferencing technology. The campaign uses emails that contain links to malicious sites, where unsuspecting victims are prompted to download malware onto their systems.
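The two paragraphs above describe a site that masquerades as the official Zoom download page and e-mails that carry links to it. A mail gateway or triage script can surface such links before a user clicks. The following is an added example written for this article, not code from Cyble or from Zoom: it takes URLs extracted from a message, checks each host against an allow-list of legitimate Zoom domains (zoom.us and zoom.com are assumed to be the organisation's trusted set), and flags hosts that merely contain the brand name, with a higher verdict when the path points at an installer or archive. The suspicious hosts in the sample are constructed placeholders under the reserved .example TLD.

```python
"""Flag links in a message whose host impersonates a trusted brand.

Added example, not part of the original article or any vendor product.
The allow-list and the sample URLs are assumptions/constructed data.
"""
from urllib.parse import urlsplit

# Legitimate registrable domains for the brand (assumption: this is the
# defender's allow-list; extend it with whatever the organisation trusts).
LEGITIMATE_DOMAINS = {"zoom.us", "zoom.com"}
BRAND_TOKENS = ("zoom",)
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".iso", ".zip", ".img")


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_legitimate(host):
    """True when host is an allow-listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_url(url):
    """Return 'ok', 'lookalike' or 'lookalike-download' for a single URL.

    - 'lookalike'          : host contains a brand token but is not allow-listed
    - 'lookalike-download' : as above, and the path ends in an installer/archive
    - 'ok'                 : everything else (allow-listed, or no brand token)
    """
    host = host_of(url)
    if not host or is_legitimate(host):
        return "ok"
    # Hyphens are dropped and digit-zero mapped to 'o' so that both
    # "zoom-app.example" and "zo0m.example" are caught as lookalikes.
    normalised = host.replace("-", "").replace("0", "o")
    if not any(tok in normalised for tok in BRAND_TOKENS):
        return "ok"
    path = urlsplit(url).path.lower()
    if path.endswith(DOWNLOAD_SUFFIXES):
        return "lookalike-download"
    return "lookalike"


def triage_message(urls):
    """Map each URL to its verdict; callers can quarantine on any non-'ok'."""
    return {u: classify_url(u) for u in urls}


# Constructed sample: two genuine links and two impersonation attempts.
SAMPLE_URLS = [
    "https://zoom.us/download",
    "https://us02web.zoom.us/j/123456789",
    "https://zoom-client-update.example/ZoomInstaller.exe",
    "https://meeting.zo0m.example/join",
]

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_URLS).items():
        print(f"{verdict:20} {url}")
```

The check is deliberately an allow-list, not a block-list: anything that is not a real Zoom domain yet trades on the name is surfaced for review, so a brand-new lookalike domain is caught the first time it appears. Hosts that legitimately contain the string (unrelated businesses) will also be flagged, which is why the output is a triage verdict rather than an automatic block.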
Organizations and individuals need to understand the risks associated with video conferencing platforms and the importance of implementing basic security measures such as two-factor authentication and encryption. By taking the necessary precautions, users can help ensure that their data remains secure while also ensuring the safety of their systems from malicious actors.
The Rise of Advanced Software Impersonation Tactics
The latest phishing campaign to target potential Zoom users is a clear example of malicious software impersonations becoming increasingly sophisticated. Cybercriminals are leveraging the increased demand for video conferencing software to exploit unsuspecting victims.
Software impersonation tactics involve abusing tools and processes already present on a target’s system rather than introducing new malware. This approach makes it more difficult for traditional security measures to detect and prevent attacks, as the tools are not inherently malicious.
One of the reasons software impersonation tactics are used so often is the ability to evade detection by antivirus and endpoint detection and response (EDR) systems. These systems are typically designed to detect known malware and may not be able to recognize the abuse of legitimate tools as a threat. Additionally, software impersonation tactics can establish persistence on a target’s system, allowing the attacker to maintain access even after the initial intrusion.
Examples of software impersonation tactics include:
- Utilizing built-in Windows commands and scripts, such as PowerShell or WMI, to execute malicious code
- Abusing legitimate software, such as remote access tools or system management tools, to gain unauthorized access to a system
- Creating scheduled tasks or services to maintain persistence on the target’s system
To protect against software impersonation tactics, it is important to have a comprehensive security strategy in place. This can include:
- Regularly patching and updating software to reduce vulnerabilities
- Implementing application control and whitelisting to limit the execution of unknown or untrusted programs
- Monitoring and logging system activity to detect and investigate suspicious behavior
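The attack chain described earlier (a dropper that persists by creating a scheduled task, then fetches further payloads) and the list of impersonation tactics and defences just above both come down to the same telemetry: process creation and scheduled-task creation. The following is an added example written for this article, not a product or a published rule set. It runs over constructed endpoint events in a simplified JSON-lines shape whose field names are assumptions, loosely modelled on Sysmon process creation (Event ID 1) and the Windows Security log's "scheduled task created" event (Event ID 4698). It flags built-in tooling launched with code-execution switches (encoded PowerShell, WMI process creation), a scheduled task whose action lives in a user-writable path, and, at higher severity, the chain of a binary launched from such a path followed shortly by a task pointing back at it. All paths, task names and the base64 string are constructed placeholders.

```python
"""Detection pass over endpoint events for the behaviours the article describes.

Added example, not part of the original article or any vendor product. Event
field names (event_id, image, command_line, task_name, task_action) are
assumptions for a simplified log shape; the sample events are constructed.
"""
import json
import re
from datetime import datetime, timedelta

# Directories a standard user can write to; a scheduled task pointing here is suspicious.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads)\\|\\users\\public\\|\\temp\\|\\programdata\\)",
    re.IGNORECASE,
)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.IGNORECASE)
WMI_EXEC = re.compile(r"process\s+call\s+create", re.IGNORECASE)
CHAIN_WINDOW = timedelta(minutes=10)  # dropper start -> task creation


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts'; skip malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["timestamp"])
        except (ValueError, KeyError, TypeError):
            continue  # in production, count and log these rather than drop silently
        events.append(ev)
    return events


def detect(lines):
    """Return a list of (severity, rule, detail) findings for the given events."""
    findings = []
    recent_user_path_procs = []  # (ts, lowercased image) launched from user-writable paths

    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        eid = ev.get("event_id")
        if eid == 1:  # process creation
            image = ev.get("image", "")
            cmd = ev.get("command_line", "")
            base = image.rsplit("\\", 1)[-1].lower()
            if base in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
                findings.append(("medium", "lolbin-powershell-encoded", cmd))
            elif base == "wmic.exe" and WMI_EXEC.search(cmd):
                findings.append(("medium", "lolbin-wmi-process-create", cmd))
            if USER_WRITABLE.search(image):
                recent_user_path_procs.append((ev["ts"], image.lower()))
        elif eid == 4698:  # scheduled task created
            action = ev.get("task_action", "")
            name = ev.get("task_name", "")
            if USER_WRITABLE.search(action):
                sev = "medium"
                # Chain: the task's target was itself started from that path just before.
                for ts, image in recent_user_path_procs:
                    if image == action.lower() and ev["ts"] - ts <= CHAIN_WINDOW:
                        sev = "high"
                        break
                findings.append((sev, "persistence-schtask-user-path", f"{name} -> {action}"))
    return findings


# Constructed sample log (raw string so JSON backslash escapes survive).
SAMPLE_LOG = r"""
{"timestamp": "2023-01-05T09:00:00", "event_id": 1, "image": "C:\\Windows\\explorer.exe", "command_line": "explorer.exe"}
{"timestamp": "2023-01-05T09:01:10", "event_id": 1, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ZoomInstaller.exe", "command_line": "ZoomInstaller.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"timestamp": "2023-01-05T09:01:15", "event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAA=="}
{"timestamp": "2023-01-05T09:01:20", "event_id": 1, "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "command_line": "wmic process call create \"notepad.exe\""}
{"timestamp": "2023-01-05T09:02:00", "event_id": 4698, "task_name": "\\ZoomUpdateTask", "task_action": "C:\\Users\\alice\\AppData\\Local\\Temp\\ZoomInstaller.exe"}
{"timestamp": "2023-01-05T09:05:00", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "task_action": "C:\\Windows\\System32\\defrag.exe"}
{"timestamp": "2023-01-05T09:06:00", "event_id": 1, "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe", "command_line": "Zoom.exe"}
"""

if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {rule}: {detail}")
```

The scheduled-task rule is what turns this from a list of individually noisy signals into something actionable: the system's own defrag task passes untouched because its action lives under System32, while a task that points back at a freshly launched binary in a user's Temp directory is exactly the persistence step the article describes and is raised to high severity. The encoded-PowerShell and WMI rules are kept separate so that each can be tuned against the environment's legitimate administration scripts.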
Cybercriminals who use malware are persistent in gaining access to endpoint devices. Their determination often results in successful malware infections. To defend against these attacks, adopting a proactive approach to securing endpoint computers is essential. This includes preventing the theft of sensitive user data, corporate information, and confidential data by malware.
Ensuring Protection Against Malware in 2023
The threat of malware will continue to be a significant concern for individuals and organizations in 2023 and beyond. With the increasing sophistication of cyberattacks and the growing number of connected devices, the risk of malware infections will only continue to rise.
To stay safe from malware in the coming year, adopting a multi-layered approach to security is crucial. This can include:
- Regularly updating software and operating systems to ensure that known vulnerabilities are patched.
- Implementing endpoint security solutions, including antivirus, anti-malware, and intrusion detection and prevention capabilities.
- Using a firewall to block unauthorized access to your network.
- Implementing network segmentation to limit the potential impact of a malware infection.
- Regularly performing backups and having a disaster recovery plan in place.
It is also important to keep abreast of the latest malware threats and trends. This can include subscribing to threat intelligence feeds and staying informed about new malware variants, attack vectors, and tactics cybercriminals use. In addition to these measures, it is also vital to have an incident response plan that outlines the steps to be taken in case of a malware infection. This will help minimize the infection’s impact and speed up the recovery process.
Final Thoughts
As we embark on the new year, the threat of malware remains a pressing concern for individuals and organizations alike. To effectively mitigate this risk, adopting a comprehensive and multi-layered approach to security is essential. This approach should include a combination of technical and non-technical measures to detect and prevent malware infections effectively.
From a technical standpoint, organizations should prioritize regular software updates and patching to reduce vulnerabilities, implement robust endpoint security solutions that include antivirus, anti-malware, intrusion detection, and prevention capabilities, and use firewalls to block unauthorized access to the network. Additionally, network segmentation can help limit the potential impact of a malware infection, and regular monitoring and logging of system activity can aid in detecting and investigating suspicious behavior. Regular backups and a robust disaster recovery plan can help minimize the impact of a malware infection and speed up the recovery process.
On the non-technical side, employee education and training on cyber hygiene best practices, such as identifying and avoiding phishing attempts and other types of social engineering tactics, can play a crucial role in preventing malware infections. It is essential to stay informed about the latest malware threats and trends by subscribing to threat intelligence feeds and keeping abreast of new malware variants, attack vectors, and tactics cybercriminals use. By taking these proactive steps, organizations can better defend against malware infections and minimize the potential impact of a successful attack.