Original Title: 《Seeing is not believing | Analysis of Fake Zoom Meeting Phishing》

Original Source: Slow Fog Technology

Background

Recently, several users on X reported a phishing attack method disguised as a Zoom meeting link. One victim installed malware after clicking on a malicious Zoom meeting link, resulting in the theft of encrypted assets, with losses amounting to millions of dollars. Against this backdrop, the Slow Fog security team analyzed this type of phishing incident and attack method, tracking the flow of funds from the hackers.

(https://x.com/lsp8940/status/1871350801270296709)

Phishing Link Analysis

Hackers used a domain resembling "app[.]us4zoom[.]us" to disguise it as a normal Zoom meeting link. The page closely resembled a real Zoom meeting, and when users clicked the "Start Meeting" button, it triggered the download of a malicious installation package instead of launching the local Zoom client.

By probing the aforementioned domain, we discovered the hackers' monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).

Decryption revealed that this was a log entry from a script attempting to send messages via the Telegram API, with the language used being Russian.

The site was deployed 27 days ago, and the hackers may be Russian, having started targeting victims on November 14, then monitoring via the Telegram API to see if any targets clicked the download button on the phishing page.

Malware Analysis

The malicious installation package is named "ZoomApp_v.3.14.dmg." Below is the interface opened by this Zoom phishing software, which entices users to execute the malicious script ZoomApp.file in Terminal, and during the execution process, it also prompts users to enter their local password.

Here is the execution content of the malicious file:

Decoding the above content reveals that it is a malicious osascript script.

Further analysis shows that the script searches for a hidden executable file named ".ZoomApp" and runs it locally. We performed a disk analysis on the original installation package "ZoomApp_v.3.14.dmg" and found that it indeed concealed an executable file named ".ZoomApp."

Malicious Behavior Analysis

Static Analysis

We uploaded the binary file to a threat intelligence platform for analysis and found that the file has been marked as malicious.

(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)

Through static disassembly analysis, the following image shows the entry code of the binary file, which is used for data decryption and script execution.

The following image shows the data section, where most information appears to be encrypted and encoded.

After decrypting the data, it was found that the binary file ultimately also executes a malicious osascript script (the complete decryption code has been shared at: https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to the backend.

The following image shows part of the code that enumerates different plugin ID path information.

The following image shows part of the code that reads the computer's KeyChain information.

After the malicious code collects system information, browser data, encrypted wallet data, Telegram data, Notes data, and Cookie data, it compresses them and sends them to a server controlled by the hackers (141.98.9.20).

Since the malicious program prompts users to enter their passwords during execution, and the subsequent malicious script also collects KeyChain data from the computer (which may contain various passwords saved by the user), the hackers will attempt to decrypt the data after collection to obtain sensitive information such as the user's wallet mnemonic and private keys, thereby stealing the user's assets.

According to analysis, the IP address of the hacker's server is located in the Netherlands and has currently been marked as malicious by threat intelligence platforms.

(https://www.virustotal.com/gui/ip-address/141.98.9.20)

Dynamic Analysis

In a virtual environment, the malicious program was dynamically executed and the process analyzed. The following images show the monitoring information of the malicious program collecting local data and sending data to the backend.

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze the hacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim: the hacker address profited over 1 million dollars, including USD0++, MORPHO, and ETH; among them, USD0++ and MORPHO were exchanged for 296 ETH.

According to MistTrack, the hacker address received small amounts of ETH transferred from address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, suspected to be providing transaction fees for the hacker address. This address (0xb01c) has only one source of income but has transferred small amounts of ETH to nearly 8,800 addresses, seemingly functioning as a "platform specifically for providing transaction fees."

Filtering the outgoing targets from this address (0xb01c) that are marked as malicious, we found connections to two phishing addresses, one of which is marked as Pink Drainer. Further analysis of these two phishing addresses shows that the funds were primarily transferred to ChangeNOW and MEXC.

Next, we analyzed the outflow of the stolen funds, with a total of 296.45 ETH transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The first transaction of the new address (0xdfe7) occurred in July 2023, involving multiple chains, and the current balance is 32.81 ETH.

The main ETH outflow paths from the new address (0xdfe7) are as follows:

· 200.79 ETH -> 0x19e0…5c98f

· 63.03 ETH -> 0x41a2…9c0b

· 8.44 ETH -> exchanged for 15,720 USDT

· 14.39 ETH -> Gate.io

The subsequent outflows from the above extended addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and are related to several addresses marked by MistTrack as Angel Drainer and Theft. Additionally, there are currently 99.96 ETH remaining at address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

The USDT transaction traces from the new address (0xdfe7) are also numerous, being transferred to platforms such as Binance, MEXC, and FixedFloat.

Summary

The phishing method shared in this report involves hackers disguising as a normal Zoom meeting link to lure users into downloading and executing malware. The malware typically has multiple harmful functions, including collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and transmits the data to servers controlled by the hackers. Such attacks often combine social engineering techniques and Trojan attacks, making users vulnerable to falling victim with just a small mistake. The Slow Fog security team advises users to carefully verify meeting links before clicking, avoid executing software and commands from unknown sources, and to install antivirus software and update it regularly. For more security knowledge, please read the "Blockchain Dark Forest Self-Defense Handbook" produced by the Slow Fog security team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。