On Sunday, December 11th, cyber threat analysts @crep1x, @AnFam17, and others shared information on Twitter about a new IcedID malware distribution method: a website that mimics the Zoom software download page, hosted on the typo-squatting domain “va-zum[.]com.” IcedID, also known as BokBot, is a prevalent malware threat that originally stole online banking credentials. It is currently used to deliver other malware, which has led to ransomware in some cases. IcedID campaigns typically deliver the final payload through malicious files attached to email messages – using a fake software installer website is a new tactic.
Analyst Notes
As of December 12th, the malicious website was still active and serving malware installation files. Binary Defense analysts noted that the malware installation program, named “ZoomInstallerFull.exe,” drops a legitimate, signed copy of the real Zoom software installer as a Microsoft Installer package file named “ikm.msi” and installs it, so the victim sees a working Zoom install. It also drops a malicious DLL file named “ikm.aaa” and runs it via rundll32.exe. The DLL file was identified as IcedID. The Command and Control (C2) server contacted by this sample is ewgahskoot[.]com.
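The behavior described above (an installer launching a legitimate MSI while rundll32.exe loads a module with a non-DLL extension) is easy to surface in process-creation telemetry. The following detection logic is an added example written for this post, not Binary Defense tooling; the event records are constructed in the style of Sysmon Event ID 1 and the user paths and export ordinal are assumptions.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Not real telemetry; file names mirror the analyst notes above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\victim\Downloads\ZoomInstallerFull.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\ikm.msi" /qn'},
    {"parent": r"C:\Users\victim\Downloads\ZoomInstallerFull.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\ikm.aaa",#1'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Extensions rundll32 is normally asked to load; anything else is worth a look.
NORMAL_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# First argument after the rundll32 token: either a quoted path or an
# unquoted token ending at whitespace or the comma before the export name.
_MODULE_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)

def rundll32_module(cmdline: str):
    """Return the module path rundll32 was told to load, or None."""
    m = _MODULE_RE.match(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)

def suspicious_rundll32(event: dict):
    """Flag rundll32 loading a module whose extension is not a normal one."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return None
    module = rundll32_module(event["cmdline"])
    if module is None:
        return None
    ext = ntpath.splitext(module)[1].lower()
    if ext in NORMAL_MODULE_EXT:
        return None
    return {"module": module, "ext": ext, "parent": event["parent"]}

def scan(events: list) -> list:
    """Return one hit per event matching the rundll32 heuristic."""
    return [hit for e in events if (hit := suspicious_rundll32(e))]
```

The parent image is kept in each hit so an analyst can see that the loader was a user-downloaded installer rather than a system component.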
#IcedID distributed as a fake installer masquerading as Zoom from va-zum[.]com. It seems to me that this is an unusual technique for IcedID distribution.
C2: ewgahskoot[.]com (165.227.104[.]80)
Campaign: 1441853872
— crep1x (@crep1x) December 11, 2022