Original Title: "Seeing is Not Believing | Analysis of Fake Zoom Meeting Phishing"
Original Source: Slow Fog Technology
Editor's Note: Recently, the crypto market has seen a surge in phishing incidents using fake Zoom meeting links. First, Kuan Sun, the founder of EurekaTrading, fell victim to a phishing attack worth $13 million after mistakenly trusting a fake meeting invitation and installing a malicious plugin. Fortunately, the Venus protocol was urgently suspended, and with the assistance of multiple security teams, the funds were successfully recovered.
On September 8, Alexander Choi, the founder of the crypto trading community Fortune Collective, also disclosed that he had established contact with a fake project through private messages on the X platform. During the communication, he mistakenly clicked on a scam link disguised as a meeting, resulting in a loss of nearly $1 million. Why do fake Zoom meeting phishing attacks keep succeeding? How can investors avoid them to protect their funds? This article was first published on December 27, 2024, and the original text is as follows:
Background
Recently, several users on X reported a phishing attack method disguised as Zoom meeting links. One victim clicked on a malicious Zoom meeting link and installed malware, leading to the theft of crypto assets with losses amounting to millions of dollars. Against this backdrop, the Slow Fog security team analyzed these phishing incidents and attack methods, tracking the flow of funds from the hackers.
(https://x.com/lsp8940/status/1871350801270296709)
Phishing Link Analysis
Hackers used a domain resembling "app[.]us4zoom[.]us" to disguise it as a normal Zoom meeting link. The page closely resembled a real Zoom meeting, and when users clicked the "Start Meeting" button, it triggered the download of a malicious installation package instead of launching the local Zoom client.
By probing the aforementioned domain, we discovered the hackers' monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).
Decryption revealed that this was a log entry from a script attempting to send messages via the Telegram API, using the Russian language.
The site was deployed 27 days ago, and the hackers are likely Russian. They began targeting victims on November 14 and monitored whether targets clicked the download button on the phishing page via the Telegram API.
Malware Analysis
The malicious installation package is named "ZoomApp_v.3.14.dmg." Below is the interface opened by this Zoom phishing software, which entices users to execute the malicious script ZoomApp.file in Terminal, and during the execution process, it also prompts users to enter their local password.
Here is the execution content of the malicious file:
Decoding the above content reveals that it is a malicious osascript script.
Further analysis shows that the script searches for a hidden executable file named ".ZoomApp" and runs it locally. We conducted a disk analysis of the original installation package "ZoomApp_v.3.14.dmg" and found that it indeed concealed an executable file named ".ZoomApp."
Malicious Behavior Analysis
Static Analysis
We uploaded the binary file to a threat intelligence platform for analysis and found that the file had already been marked as malicious.
(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)
Through static disassembly analysis, the following image shows the entry code of the binary file, which is used for data decryption and script execution.
The following image shows the data section, where most information appears to be encrypted and encoded.
After decrypting the data, it was found that the binary file ultimately also executes a malicious osascript script (the complete decryption code has been shared at: https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to the backend.
The following image shows part of the code that enumerates different plugin ID path information.
The following image shows part of the code that reads the computer's KeyChain information.
After the malicious code collects system information, browser data, crypto wallet data, Telegram data, Notes data, and Cookie data, it compresses them and sends them to a server controlled by the hackers (141.98.9.20).
Since the malicious program prompts users to enter their passwords during execution, and the subsequent malicious script also collects KeyChain data from the computer (which may contain various passwords saved by the user), the hackers will attempt to decrypt the data after collection to obtain sensitive information such as the user's wallet mnemonic phrases and private keys, thereby stealing the user's assets.
According to analysis, the IP address of the hackers' server is located in the Netherlands and has been marked as malicious by threat intelligence platforms.
(https://www.virustotal.com/gui/ip-address/141.98.9.20)
Dynamic Analysis
In a virtual environment, we dynamically executed the malicious program and analyzed the processes. The following images show the monitoring information of the malicious program collecting local data and sending data to the backend.
MistTrack Analysis
We used the on-chain tracking tool MistTrack to analyze the hacker address provided by the victim, 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac: the hacker address profited over $1 million, including USD0++, MORPHO, and ETH; among them, USD0++ and MORPHO were exchanged for 296 ETH.
According to MistTrack, the hacker address had received small amounts of ETH transferred from the address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, suspected to be providing transaction fees for the hacker address. This address (0xb01c) has only one source of income but has transferred small amounts of ETH to nearly 8,800 addresses, seemingly functioning as a "fee provision platform."
Filtering the addresses (0xb01c) for outgoing transactions marked as malicious, two phishing addresses are associated, one of which is labeled as Pink Drainer. Further analysis of these two phishing addresses shows that the funds are primarily transferred to ChangeNOW and MEXC.
Next, we analyze the outflow of the stolen funds, with a total of 296.45 ETH transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.
The first transaction of the new address (0xdfe7) occurred in July 2023, involving multiple chains, and the current balance is 32.81 ETH.
The main ETH outflow paths from the new address (0xdfe7) are as follows:
- 200.79 ETH -> 0x19e0…5c98f
- 63.03 ETH -> 0x41a2…9c0b
- 8.44 ETH -> exchanged for 15,720 USDT
- 14.39 ETH -> Gate.io
The subsequent outflows from the above extended addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and are related to several addresses marked by MistTrack as Angel Drainer and Theft. Additionally, there is currently 99.96 ETH remaining at the address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.
The USDT transaction traces from the new address (0xdfe7) are also numerous, with transfers made to platforms like Binance, MEXC, and FixedFloat.
Summary
The phishing method shared in this report involves hackers disguising as legitimate Zoom meeting links to lure users into downloading and executing malware. The malware typically has multiple harmful functions, including collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, transmitting this data to servers controlled by the hackers. Such attacks often combine social engineering techniques with Trojan attack methods, making users vulnerable to falling victim with just a small mistake. The Slow Fog security team advises users to carefully verify meeting links before clicking, avoid executing software and commands from unknown sources, and to install antivirus software and update it regularly. For more security knowledge, please read the "Blockchain Dark Forest Self-Defense Handbook" produced by the Slow Fog security team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
