Emerging Threats

New phishing campaign tricks Zoom users into downloading IcedID

Nihad Hassan

Jul 17, 20232 min read

New phishing campaign tricks Zoom users into downloading IcedID (Header)

According to a recent report, Cyble Research & Intelligence Labs (CRIL) have discovered a new phishing campaign that mimics the Zoom application website. Zoom, the leading online digital meeting and video conferencing app, gained vast popularity during the COVID-19 pandemic due to the associated increase in remote work. The attack, first identified in late December 2022, uses a phishing website disguised as a link to open the Zoom app. In reality, the site hosts a piece of malware known as IcedID.

How the IcedID phishing campaign targets Zoom users

The typical distribution methods for IcedID malware are spam emails containing malicious Microsoft Office attachments. However, in this latest campaign, hackers have implemented a phishing website (explorezoom.com) that claims to host the Zoom app. The objective is to trick Zoom users into installing malware on their devices.

The CRIL report notes that this phishing site mimics the legitimate homepage of the Zoom website, complete with a download button. However, if an unsuspecting user clicks the button to attempt to download the app, they will be prompted to download a program named “ZoomInstallerFull.exe.” This installer contains the IcedID malware disguised within it.

Zoom phishing website
The explorezoom.com phishing website, now blocked by Safari

What is IcedID malware?

The IcedID malware (also known as BokBot) was first detected in 2017. It targets financial institutions (e.g., online banking systems, e-commerce websites, and credit card providers) and aims to steal user account credentials. IcedID later evolved into a malware dropper used to quietly install other types of malware, including Emotet, TrickBot, and Hancitor, into infected devices. IcedID is used to perform various malicious actions, primarily stealing victims’ online banking account credentials and monitoring their web browsing history.

How to protect yourself from the IcedID phishing campaign

In addition to the conventional cybersecurity best practices, there are several actions you can take to ensure that you don’t fall victim to this new scam:

Don’t download software from third-party websites

Only download the Zoom app from its official website: www.zoom.us. On mobile devices, download the Zoom app only from official stores such as the App Store for Apple devices and the Google Play Store for Android devices.

Check domain names

Always check the name and spelling of any domain you are visiting, especially before interacting with it. For example, the latest IcedID campaign uses the “explorezoom.com” domain name. Alert users will note that this is not the official Zoom domain name.

Install an antivirus app

A dedicated antimalware remover tool, kept regularly updated, is one of the most effective forms of defense against new and emerging cybersecurity threats. CleanMyMac X powered by Moonlock Engine can help you protect your Mac from malware.

The Malware Removal module in CleanMyMac X, powered by Moonlock Engine

Hackers are continually developing new means to distribute the IcedID malware. Fortunately, you can follow the prevention tips in this post to give your device the best possible chance of remaining free of infection.

Nihad Hassan Nihad Hassan
Nihad is an independent cybersecurity consultant and cyber OSINT expert, online blogger, and book author. He has been researching different areas of information security for more than 15 years.