Hackers have used a modified Zoom installer to trick people into deploying IcedID malware on their systems, security researchers have found.
Like much of the malware targeting the Windows ecosystem, IcedID is a banking trojan that intercepts banking-related information from its victims. Deploying malware onto a computer remotely is hard; it is much easier to trick the victim into doing it themselves.
Zoom has become one of the biggest targets of this type of campaign after its meteoric rise during the pandemic. The hackers' goal is to trick people into accessing the wrong link and downloading a modified version of the installer, usually through phishing.
"The threat actor behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware, which carries out malicious activities," said the Cyble Research & Intelligence Labs security researchers.
"Upon executing the 'ZoomInstallerFull.exe' executable, the malware drops the binaries ikm.msi and maker.dll in the %temp% folder," researchers added. "The 'maker.dll' is a malicious library used to perform various malicious activities and load the IcedID malware, while 'ikm.msi' is a legitimate installer of the Zoom application."
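As an added defensive example (not from the Cyble write-up or this article), the dropper behaviour quoted above can be turned into a simple endpoint detection: the script scans constructed Sysmon-style FileCreate records and flags any process that writes both maker.dll and ikm.msi into %temp%, whatever the dropper calls itself. The record field names, the %temp% path layout and the sample events are assumptions.

```python
import ntpath
from collections import defaultdict

# File names come from the page's description of the dropper; the %temp%
# path layout below is an assumption about a default Windows user profile.
DROPPED_FILES = {"maker.dll", "ikm.msi"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def is_in_temp(path: str) -> bool:
    """True when the path sits under the user's %temp% directory (assumed layout)."""
    return TEMP_MARKER in path.lower()


def find_dropper_activity(events):
    """Return processes that wrote both maker.dll and ikm.msi into %temp%.

    `events` are Sysmon-style FileCreate (Event ID 11) records as dicts with
    keys: event_id, process_id, image, target. The image name is reported but
    not required, so a renamed dropper is still caught.
    """
    written = defaultdict(set)   # process_id -> set of matching file names
    images = {}                  # process_id -> image path for reporting
    for ev in events:
        if ev.get("event_id") != 11:
            continue
        name = ntpath.basename(ev["target"]).lower()
        if name in DROPPED_FILES and is_in_temp(ev["target"]):
            written[ev["process_id"]].add(name)
            images[ev["process_id"]] = ev["image"]
    return [
        {"process_id": pid, "image": images[pid], "files": sorted(names)}
        for pid, names in written.items()
        if names == DROPPED_FILES
    ]


# Constructed sample telemetry (not real logs): one process matching the
# behaviour described on the page, one benign process writing only an .msi.
SAMPLE_EVENTS = [
    {"event_id": 11, "process_id": 4120, "image": r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\maker.dll"},
    {"event_id": 11, "process_id": 4120, "image": r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\ikm.msi"},
    {"event_id": 11, "process_id": 5310, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\ikm.msi"},
]

if __name__ == "__main__":
    for hit in find_dropper_activity(SAMPLE_EVENTS):
        print(f"suspicious dropper: pid={hit['process_id']} image={hit['image']} files={hit['files']}")
```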
Once the malware is deployed, it connects to its command-and-control servers, allowing the attackers to drop other types of malware onto the same system. IcedID is dangerous in this regard because it can deploy other software besides the banking trojan.
Using phishing as a deployment method is new for IcedID, as it was usually found in email attachments until now.