As of December 12th, the malicious website was still active and serving malware installation files. Binary Defense analysts noted that the malware installation program, named “ZoomInstallerFull.exe”, drops a legitimate, signed copy of the real Zoom software installer as a Microsoft Installer package file named “ikm.msi” and installs it. It also drops a malicious DLL file named “ikm.aaa” and runs it via rundll32.exe. The DLL file was identified as IcedID. The Command and Control (C2) server contacted by this sample is ewgahskoot[.]com.
#IcedID distributed as a fake installer masquerading as Zoom from va-zum[.]com. It seems to me that this is an unusual technique for IcedID distribution
C2: ewgahskoot[.]com (165.227.104[.]80)
Campaign: 1441853872
https://t.co/53K51SqkGq pic.twitter.com/1W4S86R0PQ
— crep1x (@crep1x) December 11, 2022
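The dropper behaviour described above (a decoy signed MSI handed to msiexec, plus a payload with a non-.dll extension executed through rundll32.exe) is a pattern that is easy to hunt for in process-creation telemetry. The following detection sketch is an added example, not code from Binary Defense or the tweet's author; the event shape, PIDs and file paths in the sample events are constructed for the demo (only the file names ikm.msi, ikm.aaa and ZoomInstallerFull.exe come from the report).

```python
"""
Detection sketch for the decoy-installer-plus-rundll32 pattern described in
the report. Sample telemetry below is constructed for illustration; it is not
taken from a real host or from the report.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed sample telemetry. Paths and PIDs are assumptions for the demo.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\demo\Downloads\ZoomInstallerFull.exe",
              r'"C:\Users\demo\Downloads\ZoomInstallerFull.exe"'),
    # Decoy: the real signed Zoom MSI is installed so the victim sees nothing odd.
    ProcEvent(201, 200, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\demo\AppData\Local\Temp\ikm.msi" /qn'),
    # Payload: a DLL renamed to a non-.dll extension, executed via rundll32.
    ProcEvent(202, 200, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\demo\AppData\Local\Temp\ikm.aaa",DllMain'),
    # Benign control: rundll32 loading a real .dll from System32.
    ProcEvent(300, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# First argument after rundll32[.exe]: either a quoted path or a bare token.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
MSI_ARG = re.compile(r"\.msi\b", re.IGNORECASE)
# Extensions rundll32 is normally asked to load; anything else is worth a look.
EXPECTED_MODULE_EXTS = {".dll", ".cpl"}


def rundll32_module(command_line: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None."""
    m = RUNDLL_ARG.search(command_line)
    if not m:
        return None
    arg = m.group(1) or m.group(2)
    # rundll32 syntax is "<module>,<EntryPoint>"; keep only the module part.
    return arg.split(",", 1)[0]


def is_unusual_rundll32(ev: ProcEvent) -> bool:
    """True when rundll32 loads a module whose extension is not a normal DLL."""
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return False
    module = rundll32_module(ev.command_line)
    if module is None:
        return False
    return ntpath.splitext(module)[1].lower() not in EXPECTED_MODULE_EXTS


def decoy_installer_pattern(events: List[ProcEvent]) -> List[str]:
    """Flag any parent that launches both msiexec with an .msi and rundll32 with
    a non-.dll module: the decoy-plus-payload behaviour described in the report."""
    by_parent: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)

    findings = []
    for ppid, children in by_parent.items():
        has_msi = any(
            ntpath.basename(c.image).lower() == "msiexec.exe"
            and MSI_ARG.search(c.command_line)
            for c in children
        )
        odd_rundll = [c for c in children if is_unusual_rundll32(c)]
        if has_msi and odd_rundll:
            parent = next((e for e in events if e.pid == ppid), None)
            name = parent.image if parent else f"pid {ppid}"
            for c in odd_rundll:
                findings.append(
                    f"{name}: decoy MSI install + rundll32 loading "
                    f"{rundll32_module(c.command_line)}"
                )
    return findings


if __name__ == "__main__":
    for line in decoy_installer_pattern(SAMPLE_EVENTS):
        print("ALERT", line)
```

The single-event check (`is_unusual_rundll32`) fires on its own for the ikm.aaa execution, while the parent-correlated rule adds context that separates a fake installer from a one-off rundll32 anomaly; in a SIEM the same logic maps to grouping process-creation events by parent PID within a short window.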

