Malware Through Fake Zoom Installer

Scams

January 5, 2023

On January 5, Cyble Research & Intelligence Labs published its discovery of a phishing campaign targeting users of the Zoom application. In this campaign, threat actors created a convincing webpage, explorezoom[.]com, that resembles an official Zoom domain and distributes IcedID malware. The phishing page encourages users to download a file called ZoomInstallerFull.exe, which is presented as a legitimate Zoom installer. In reality, this file is a disguised copy of the IcedID malware that also downloads the genuine Zoom application, so that the installer appears to work as expected and its malicious behavior is concealed. IcedID, also known as BokBot, is a trojan used to steal banking credentials and is commonly distributed to businesses through phishing emails containing malicious Microsoft Office file attachments. In addition, IcedID may act as a loader, with the ability to download additional malicious files. IcedID is not typically distributed through fake websites, making this phishing campaign an unusual method of spreading this malware.
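A defender-side check for this pattern, added here as an example that is not from the Cyble report or the NJCCIC: it re-fangs defanged hostnames, treats only zoom.us and zoom.com (an assumed allowlist) as official, and flags Zoom-named installer downloads from brand-lookalike hosts in constructed proxy-log lines.

```python
import re
from urllib.parse import urlsplit

# Official Zoom domains (assumption: extend to match your own allowlist).
OFFICIAL_SUFFIXES = ("zoom.us", "zoom.com")
BRAND = "zoom"
INSTALLER_RE = re.compile(r"zoom.*install.*\.(exe|msi)$", re.IGNORECASE)

def refang(text: str) -> str:
    """Turn defanged notation (explorezoom[.]com, hxxps://) back into a real value."""
    return text.strip().replace("[.]", ".").replace("hxxp", "http")

def is_official(host: str) -> bool:
    """True only for an official domain or a subdomain of one. A bare suffix
    match is not enough ('notzoom.us' must fail), so require the label boundary."""
    host = refang(host).lower()
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def is_lookalike(host: str) -> bool:
    """Brand token inside a non-official host: explorezoom.com, zoom-download.example,
    or zoom.us.evil.example (brand used as a subdomain of an attacker-controlled domain)."""
    host = refang(host).lower()
    return BRAND in host and not is_official(host)

def scan_proxy_log(lines):
    """Return (host, filename) for Zoom-named installers fetched from lookalike
    hosts. Constructed log format: '<timestamp> <user> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = urlsplit(refang(parts[2]))
        filename = url.path.rsplit("/", 1)[-1]
        if is_lookalike(url.hostname or "") and INSTALLER_RE.search(filename):
            hits.append((url.hostname, filename))
    return hits

# Constructed sample lines, not real traffic; only the second and third should alert.
SAMPLE_LOG = [
    "2023-01-05T10:01:02Z alice https://zoom.us/client/latest/ZoomInstallerFull.exe 200",
    "2023-01-05T10:02:15Z bob hxxps://explorezoom[.]com/ZoomInstallerFull.exe 200",
    "2023-01-05T10:03:44Z carol https://zoom.us.download-cdn.example/ZoomInstaller.msi 200",
]

if __name__ == "__main__":
    for host, name in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT lookalike installer download: {host}/{name}")
```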

The NJCCIC advises users to download software only from the application's official website or legitimate vendors and to avoid pirated software from unofficial sources. Additionally, users are urged not to open suspicious links or email attachments without first verifying the authenticity of the sender. For more information, contact us at Cyber Command.