Threat Awareness – IcedID Banking Trojan Changes Strategy to Zoom Phishing Sites

Cyble has posted a blog discussing its analysis of a recently discovered phishing campaign targeting Zoom in order to deliver IcedID malware, also known as BokBot. This malware is a banking trojan whose purpose is to steal banking credentials from victims. IcedID also functions as a loader capable of downloading further malware (including ransomware) and is commonly associated with the Emotet botnet. IcedID has been observed traditionally targeting businesses to steal payment information using compromised Office attachments. However, this latest campaign is instead composed of a phishing webpage designed to look like the Zoom website, more specifically the software download page. The blog provides further technical analysis and indicators of compromise (IoCs) to detect relevant activity. Read more at Cyble here.

Additional Resources on IcedID

• FBI FLASH: Indicators of Compromise Associated with IcedID (WaterISAC)
• Security Primer – IcedID (Center for Internet Security)
• IcedID Botnet Distributors Abuse Google PPC to Distribute Malware (TrendMicro)
• More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID (Unit 42)
• Spoofed Invoice Used to Drop IcedID (Fortinet)