Threat actors have been targeting Zoom and its users since the platform’s launch, and it’s easy to see why—the latest stats show it accounts for 3.3 trillion annual meeting minutes worldwide. It’s not surprising, therefore, that cyber attackers have trained their sights on the communication app yet again.
Cyble researchers recently published a technical analysis of the IcedID malware distributed via a massive Zoom-themed attack. They identified three indicators of compromise (IoCs)—two domains and an IP address—related to the threat. WhoisXML API researchers, aiming to identify as many potential attack vectors as possible so that users can be protected, expanded that list of IoCs and found:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our deep dive by scouring the IoCs’ DNS records.
DNS lookups for the two domains identified as IoCs led to the discovery of two IP addresses that aren’t in the Cyble report—172[.]67[.]163[.]25 and 104[.]21[.]15[.]157—both geolocated in the U.S. unlike the IoC 143[.]198[.]92[.]88, which traces its origin to Singapore.
To identify possible connections, we moved forward with reverse IP/DNS lookups for the three IP addresses. That yielded 299 domains that shared the IoCs’ IP hosts. While none of them are currently detected as malicious, sharing the IoCs’ infrastructure makes them suspicious at the very least and, therefore, worth monitoring. Some of the additional domains also shared other attributes with the IoCs; 109 of them, for instance, used the same name server (NS) host, Cloudflare.
Next, we looked at the additional domains’ WHOIS records and compared their details with those of the IoCs. Of the 117 with retrievable WHOIS records, 47 shared the IoCs’ creation year (2022) and 19 their registrars (17 with Namecheap, Inc., like explorezoom[.]com, and two with Tucows, Inc., like trbiriumpa[.]com).
A total of 38, meanwhile, shared one of the IoCs’ registrant countries—U.S. None of them indicated Singapore in their WHOIS records.
We then looked for other domains that contained the strings the threat actors used in their attack. Our search led to the discovery of three more domains containing the string explorezoom—explorezoom[.]us, explorezoom[.]fun, and explorezoom[.]rocks. As you can see, they differed from the IoC only in their top-level domain (TLD) extensions. While none of them were flagged as malicious, they could easily serve as substitutes for explorezoom[.]com.
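The pivots described above (shared IP hosts, shared NS host, registrar, creation year and registrant country, plus the IoC name string) can be automated as an overlap score. The following is an added example, not code from the original post, WhoisXML API or Cyble; every DNS/WHOIS record in it is constructed sample data, and the weights are an assumption chosen to rank shared hosting and name strings above weak WHOIS metadata.

```python
# Added example (not from the original post, WhoisXML API or Cyble): profile the
# IoCs' DNS/WHOIS attributes, then score other domains by shared infrastructure.
# Every record below is constructed sample data, not a real lookup result.

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '143[.]198[.]92[.]88' into a usable one."""
    return ioc.replace("[.]", ".")

# a: resolved IPs, ns: name-server host, then WHOIS fields; None = no WHOIS record.
RECORDS = {
    "explorezoom.com": dict(a=["172.67.163.25"], ns="cloudflare.com", registrar="Namecheap, Inc.", created=2022, country="US"),
    "trbiriumpa.com": dict(a=["104.21.15.157"], ns="cloudflare.com", registrar="Tucows, Inc.", created=2022, country="US"),
    "explorezoom.fun": dict(a=["203.0.113.9"], ns="ns1.example.net", registrar="Namecheap, Inc.", created=2022, country="US"),
    "shared-host.example": dict(a=["172.67.163.25"], ns="cloudflare.com", registrar=None, created=None, country=None),
    "unrelated.example": dict(a=["198.51.100.7"], ns="ns1.example.org", registrar="Example Registrar", created=2015, country="DE"),
}
IOC_DOMAINS = [refang(d) for d in ("explorezoom[.]com", "trbiriumpa[.]com")]
IOC_IPS = {refang("143[.]198[.]92[.]88")}  # the IP the report lists directly
WHOIS_KEYS = ("ns", "registrar", "created", "country")
# Shared hosting or an IoC name string is a strong signal; WHOIS metadata is weak.
WEIGHTS = {"ip": 3, "string": 3, "ns": 1, "registrar": 1, "created": 1, "country": 1}

def build_profile(records, ioc_domains, extra_ips):
    """Collect every attribute value seen across the IoC domains (plus known IoC IPs)."""
    prof = {k: set() for k in WHOIS_KEYS}
    prof["ip"] = set(extra_ips)
    for d in ioc_domains:
        prof["ip"].update(records[d]["a"])
        for k in WHOIS_KEYS:
            if records[d][k] is not None:
                prof[k].add(records[d][k])
    prof["string"] = {d.split(".")[0] for d in ioc_domains}  # e.g. 'explorezoom'
    return prof

def score(domain, rec, prof):
    """Return (score, reasons): which IoC attributes this domain shares."""
    reasons = ["ip"] if set(rec["a"]) & prof["ip"] else []
    if any(s in domain for s in prof["string"]):
        reasons.append("string")
    reasons += [k for k in WHOIS_KEYS if rec[k] is not None and rec[k] in prof[k]]
    return sum(WEIGHTS[r] for r in reasons), reasons

def rank_candidates(records=RECORDS, ioc_domains=IOC_DOMAINS, extra_ips=IOC_IPS):
    """Rank the non-IoC domains by overlap score, highest first (ties by name)."""
    prof = build_profile(records, ioc_domains, extra_ips)
    ranked = [(d, *score(d, r, prof)) for d, r in records.items() if d not in ioc_domains]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

for domain, s, why in rank_candidates():
    print(f"{s:2d} {domain:22s} {','.join(why)}")
```

Domains that score on shared hosting or on the IoC string are the ones to put on a watchlist first; a WHOIS-only match (same registrar or year) is common enough to be noise on its own.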
Given Zoom’s large global user base, we also searched for all domains and subdomains containing the string zoom that could figure in future attacks against the platform and its users. Domains & Subdomains Discovery listed 20,000 additional web properties (10,000 domains and another 10,000 subdomains), 31 of which turned out to be malicious (30 were malware hosts and one was a confirmed spam source).
It’s also interesting to note that a bulk WHOIS lookup for the zoom-containing domain and subdomain names showed that only 30 belonged to Zoom, based on the organization name their registrants indicated—Zoom Video Communications, Inc.
The remaining properties could thus serve as potential threat vectors if they are compromised, or purchased and then weaponized, to distribute malware or spam targeting Zoom users.
Finally, apart from zoom, the domain and subdomain names also featured recurring strings, such as web, site, and online. The 10 most common strings found are shown in the following word map.
Many of these digital properties can host sites and pages mimicking the official Zoom download page, malware-laced Zoom tutorials, or publicly accessible prerecorded Zoom webcasts that may redirect to phishing or other malicious pages.
Any software or app with a huge user base is a prime cyber attack target. But mitigating the risks posed by threats that target them is doable with a little help from WHOIS and DNS intelligence, which can help security teams identify all potential attack entry points. Monitoring those entry points for signs of malicious activity and blocking access to and from them are critical next steps.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.