Fake Zoom meeting phishing leads to million-dollar losses: in-depth analysis of attack methods
Original Title: "Seeing is Not Believing | Analysis of Fake Zoom Meeting Phishing"
Original source: Slow Mist Technology
Editor's Note: Recently, the cryptocurrency market has seen a rise in phishing incidents involving fake Zoom meeting links. First, Kuan Sun, founder of EurekaTrading, fell victim to a phishing attack worth $13 million after mistakenly trusting a fake meeting invitation and installing malicious plugins. Fortunately, the Venus protocol was urgently suspended, and with the assistance of several security teams, the funds were successfully recovered.
On September 8, Alexander Choi, founder of the crypto trading community Fortune Collective, also posted revealing that he had established contact with a fraudulent project through private messages on the X platform. During the communication, he accidentally clicked on a phishing link disguised as a meeting, resulting in nearly 1 million dollars in losses. Why do fraudulent Zoom meeting phishing attempts keep succeeding? How can investors avoid them to protect their funds? This article was first published on December 27, 2024, and the original text is as follows:
#### Background
Recently, multiple users on X reported a phishing attack tactic disguised as a Zoom meeting link, in which one victim installed malware after clicking on the malicious Zoom meeting link, resulting in stolen cryptocurrency assets with losses amounting to millions of dollars. Against this backdrop, the Slow Mist security team conducted an analysis of such phishing incidents and attack methods, and tracked the flow of funds from the hackers.
#### Phishing Link Analysis
Hackers are disguising themselves as normal Zoom meeting links using domain names like "app[.]us4zoom[.]us". The page is highly similar to a real Zoom meeting, and when users click the "Start Meeting" button, it triggers the download of a malicious installation package instead of launching the local Zoom client.
Through the domain probing mentioned above, we discovered the hacker's monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).
The decryption reveals that this is a log entry for a script attempting to send a message via the Telegram API, using the Russian language.
The site was launched 27 days ago, and the hacker may be Russian. They started targeting potential victims on November 14 and monitored through the Telegram API to see if there were any clicks on the download button of the phishing page.
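As an added illustration (not part of the Slow Mist analysis), a small check that refangs a defanged link like the one above and decides whether its hostname actually belongs to Zoom; the allowlist of Zoom's own registrable domains is an assumption of this example.

```python
from urllib.parse import urlsplit

# Assumption (not from the original analysis): the domains Zoom itself serves
# meeting links from. A hostname that merely contains "zoom" is not enough.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}


def refang(url: str) -> str:
    """Turn defanged notation like https[:]//app[.]us4zoom[.]us back into a URL."""
    return url.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Sufficient for zoom.us / zoom.com;
    a public-suffix list would be needed to handle multi-label TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a purported Zoom meeting link."""
    parts = urlsplit(refang(url.strip()))
    host = parts.hostname or ""
    if not host:
        return "other"
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return "legit"
    # e.g. app.us4zoom.us or zoom.us.example.net: the brand appears in the
    # name, but the registrable domain is not Zoom's.
    if "zoom" in host:
        return "lookalike"
    return "other"
```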
#### Malware Analysis
The malicious installation package is named "ZoomApp_v.3.14.dmg". Below is the interface opened by this Zoom phishing software, which induces the user to execute the malicious script ZoomApp.file in Terminal and, during execution, also prompts the user to enter their local account password.
The following is the execution content of the malicious file:
After decoding the above content, it was found to be a malicious osascript script.
Further analysis reveals that the script searches for a hidden executable file named ".ZoomApp" and runs it locally. We conducted a disk analysis on the original installation package "ZoomApp_v.3.14.dmg" and found that the installation package indeed hid an executable file named ".ZoomApp".
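The two traits described above (a dot-prefixed hidden executable on the volume, and a script that hands control to osascript) can be checked for on any mounted image. The scanner below is an added example, not Slow Mist's tooling; the sample volume it builds is a constructed stand-in for the real "ZoomApp_v.3.14.dmg".

```python
import os
import stat
import tempfile


def scan_volume(root: str) -> list:
    """Walk a mounted volume and report files that are hidden executables
    or whose contents invoke osascript (AppleScript launched from a shell script)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = []
            hidden = name.startswith(".")
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if hidden and executable:
                reasons.append("hidden executable")
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # enough to catch a launcher script
            if b"osascript" in head:
                reasons.append("invokes osascript")
            if reasons:
                findings.append({"path": os.path.relpath(path, root), "reasons": reasons})
    return findings


def build_sample_volume() -> str:
    """Constructed stand-in for the mounted installer (not the real DMG contents)."""
    root = tempfile.mkdtemp(prefix="fakezoom_")
    # The launcher the victim is told to run in Terminal.
    with open(os.path.join(root, "ZoomApp.file"), "w") as fh:
        fh.write('#!/bin/bash\nosascript -e "do shell script \\"$HOME/.ZoomApp\\""\n')
    # The hidden payload: Mach-O 64-bit magic followed by a placeholder body.
    hidden = os.path.join(root, ".ZoomApp")
    with open(hidden, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
    os.chmod(hidden, 0o755)
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Zoom installer\n")
    return root
```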
#### Malicious Behavior Analysis
##### Static Analysis
We uploaded the binary file to the threat intelligence platform for analysis and found that it has been flagged as a malicious file.
Through static disassembly analysis, the following diagram shows the entry code of the binary file, which is used for data decryption and script execution.
The image below shows the data section, where it can be observed that most of the information has been encrypted and encoded.
After decrypting the data, it was found that the binary file ultimately executes a malicious osascript script as well (the complete decryption code has been shared at:
The following code is a part that enumerates the path information of different plugin IDs.
The following code snippet reads the KeyChain information from the computer.
After the malicious code collects system information, browser data, encrypted wallet data, Telegram data, Notes data, and Cookie data, it compresses and sends them to a hacker-controlled server (141.98.9.20).
Because the malicious program prompts the user for their password while running, and the subsequent malicious script collects the machine's KeyChain data (which may contain the various passwords saved on the computer), the hackers can attempt to decrypt the collected data, recover sensitive information such as the user's wallet mnemonic phrases and private keys, and thereby steal the user's assets.
According to analysis, the IP address of the hacker's server is located in the Netherlands and has currently been flagged as malicious by a threat intelligence platform.
##### Dynamic Analysis
We executed the malicious program dynamically in a virtual environment and analyzed its process behaviour. The image below shows the process monitoring information of the malicious program collecting local data and sending it to the backend.
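The collect-then-exfiltrate behaviour seen in the process monitor can be turned into a detection rule. The code below is an added example (not from the Slow Mist analysis): it parses constructed process-monitor lines in a simplified "pid name event detail" shape and flags any process that touches two or more sensitive data categories and then opens an outbound connection; the sensitive-path patterns are assumptions based on the data types listed above.

```python
import re
from collections import defaultdict

# Constructed sample lines, not the real capture from the analysis.
SAMPLE_LOG = """\
4711 .ZoomApp open /Users/alice/Library/Keychains/login.keychain-db
4711 .ZoomApp open /Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco
4711 .ZoomApp open /Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
4711 .ZoomApp open /Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
4711 .ZoomApp exec /usr/bin/zip -r /tmp/out.zip /tmp/collect
4711 .ZoomApp connect 141.98.9.20:80
5120 Finder open /Users/alice/Documents/notes.txt
5300 Safari connect 17.253.144.10:443
"""

# Assumed locations of the data categories the malware collects.
SENSITIVE = [
    ("keychain", re.compile(r"/Library/Keychains/")),
    ("browser", re.compile(r"/(Chrome|Firefox|BraveSoftware)/.*/(Cookies|Login Data|logins\.json)$")),
    ("wallet", re.compile(r"/(Exodus|Electrum|atomic|Ledger Live)/", re.I)),
    ("notes", re.compile(r"/group\.com\.apple\.notes/")),
    ("telegram", re.compile(r"/Telegram Desktop/", re.I)),
]
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(open|exec|connect)\s+(.*)$")


def find_collectors(log_text: str) -> dict:
    """Per pid: sensitive categories touched, whether data was archived, and
    outbound connections. Only processes touching >= 2 categories that also
    connect out are returned; that combination is the collect-and-exfil pattern."""
    procs = defaultdict(lambda: {"name": "", "touched": set(), "archived": False, "connects": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, name, event, detail = int(m[1]), m[2], m[3], m[4]
        p = procs[pid]
        p["name"] = name
        if event == "open":
            for category, pattern in SENSITIVE:
                if pattern.search(detail):
                    p["touched"].add(category)
        elif event == "exec" and ("/zip" in detail or "/tar" in detail):
            p["archived"] = True
        elif event == "connect":
            p["connects"].append(detail)
    return {pid: p for pid, p in procs.items() if len(p["touched"]) >= 2 and p["connects"]}
```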
#### MistTrack Analysis
We use the on-chain tracking tool MistTrack to analyze the hacker address provided by the victim 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac: the hacker address profited over 1 million USD, including USD0++, MORPHO, and ETH; among them, USD0++ and MORPHO were exchanged for 296 ETH.
According to MistTrack, the hacker address has received small amounts of ETH transferred from address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, suspected to be providing transaction fees for the hacker address. The income source of this address (0xb01c) comes from only one address but has transferred small amounts of ETH to nearly 8,800 addresses, seemingly acting as a "platform dedicated to providing transaction fees."
Filtering the outgoing counterparties of this address (0xb01c) for those marked as malicious yields two phishing addresses, one of which is marked as Pink Drainer. Further analysis of these two phishing addresses shows that their funds are primarily transferred to ChangeNOW and MEXC.
Next, analyze the transfer situation of the stolen funds, a total of 296.45 ETH has been transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.
The first transaction time for the new address (0xdfe7) was in July 2023, involving multiple chains, and the current balance is 32.81 ETH.
The main ETH withdrawal path for the new address (0xdfe7) is as follows:
0x19e0…5c98f → 0x41a2…9c0b → exchanged for 15,720 USDT → Gate
The subsequent transfers from the above extended address are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate, and MEXC, and are related to several addresses marked by MistTrack as Angel Drainer and Theft. In addition, there are currently 99.96 ETH remaining at address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.
The USDT transaction traces of the new address (0xdfe7) are also very numerous, being transferred to platforms such as Binance, MEXC, and FixedFloat.
#### Summary
The phishing method shared this time involves hackers disguising themselves as legitimate Zoom meeting links, luring users into downloading and executing malware. The malware typically has multiple harmful functions such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, transmitting the data to servers controlled by the hackers. Such attacks often combine social engineering tactics and Trojan attack techniques, making it easy for users to fall victim with a moment of carelessness. The Slow Mist security team advises users to verify meeting links cautiously before clicking, avoid executing software and commands from unknown sources, install antivirus software, and update it regularly. For more security knowledge, it is recommended to read the "Blockchain Dark Forest Self-Rescue Manual" produced by the Slow Mist security team: