Analysis of fake Zoom meeting phishing scams that cost more than $1 million


Title: "Seeing is not believing | Analysis of fake Zoom meeting phishing"

Source: Slow Mist Technology

Background

Recently, several users on X reported a phishing attack disguised as a Zoom meeting link. One victim installed malware after clicking the malicious Zoom meeting link and lost millions of dollars in crypto assets. Against this background, the SlowMist security team analyzed this type of phishing incident and its attack method, and tracked the flow of the hackers' funds.

(https://x.com/lsp8940/status/1871350801270296709)

Phishing Link Analysis

The hackers used the domain "app[.]us4zoom[.]us" to pose as a normal Zoom meeting link. The page closely mimics a real Zoom meeting page; when the user clicks the "Start Meeting" button, it triggers the download of a malicious installation package instead of launching the local Zoom client.

By probing the above domain, we found the hackers' monitoring log at https[:]//app[.]us4zoom[.]us/error_log.

Decrypting the log shows entries from a script that attempts to send messages through the Telegram API; the messages are written in Russian.

The site was deployed 27 days ago. The hackers are likely Russian, began targeting victims on November 14th, and then used the Telegram API to monitor which targets clicked the download button on the phishing page.
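A simple defender-side check for the lookalike described above, added here as an example (not SlowMist's code): it refangs a defanged indicator such as "app[.]us4zoom[.]us" and decides on the registrable domain rather than on whether "zoom" appears somewhere in the host. The two-domain allowlist is an assumption; a real deployment would extend it with the organisation's own vanity Zoom domains.

```python
"""Decide whether a candidate 'Zoom meeting' link really points at Zoom."""
from urllib.parse import urlsplit

# Registrable domains Zoom uses for meeting links (assumption: short allowlist,
# extend with your tenant's vanity domains).
ZOOM_DOMAINS = {"zoom.us", "zoom.com"}


def refang(text: str) -> str:
    """Undo common IoC defanging so the URL can be parsed."""
    return text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; sufficient for zoom.us / zoom.com style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_meeting_link(url: str) -> dict:
    """Return a verdict for a candidate meeting link.

    'legit'     - registrable domain is a real Zoom domain
    'lookalike' - host contains 'zoom' but is registered elsewhere (this page's case)
    'unrelated' - does not even pretend to be Zoom
    """
    clean = refang(url)
    if "://" not in clean:
        clean = "https://" + clean  # bare hosts as they appear in reports
    host = urlsplit(clean).hostname or ""
    domain = registrable_domain(host)
    if domain in ZOOM_DOMAINS:
        verdict = "legit"
    elif "zoom" in host:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable_domain": domain, "verdict": verdict}
```

Note that a host such as "zoom.us.attacker.example" is also caught, because only the last two labels are compared against the allowlist.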

Malware Analysis

The malicious installation package is named "ZoomApp_v.3.14.dmg". The following is the interface of the Zoom phishing software. It induces the user to run the malicious ZoomApp.file script in Terminal, and during that process it also prompts the user to enter their local password.

The following is the content executed by this malicious file:

After decoding the above content, it turns out to be a malicious osascript script.

Further analysis shows that the script searches the local environment for a hidden executable named ".ZoomApp" and runs it. We performed disk analysis on the original installation package "ZoomApp_v.3.14.dmg" and confirmed that the package indeed hides an executable named ".ZoomApp".
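The hidden ".ZoomApp" executable is the kind of thing a reviewer can surface before anything is run. The following scanner is an added example (not SlowMist's code): pointed at a mounted image or extracted directory, it lists dot-prefixed regular files that carry an execute bit and identifies them by their leading bytes. The sample volume it builds is constructed for the demonstration; the file names are taken from the article, the bytes are not the real dropper.

```python
"""Find hidden executables inside a mounted disk image or unpacked directory."""
import os
import stat
import tempfile

# Mach-O magic values as stored on disk (first four bytes).
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",  # also Java class files
}


def file_kind(path: str) -> str:
    """Classify the payload by its leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head in MACHO_MAGIC:
        return MACHO_MAGIC[head]
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def find_hidden_executables(root: str) -> list:
    """Return hidden (dot-prefixed) regular files with any execute bit set."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks out of the image
            if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                hits.append({"path": path, "name": name, "kind": file_kind(path)})
    return hits


def build_sample_volume() -> str:
    """Constructed stand-in for the mounted .dmg: a visible script plus a hidden Mach-O."""
    root = tempfile.mkdtemp(prefix="zoomapp_")
    with open(os.path.join(root, "ZoomApp.file"), "wb") as fh:
        fh.write(b"#!/bin/bash\n# constructed placeholder, not the real script\n")
    hidden = os.path.join(root, ".ZoomApp")
    with open(hidden, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # constructed Mach-O 64-bit header bytes
    os.chmod(hidden, 0o755)
    return root
```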

Malicious Behavior Analysis

Static Analysis

We uploaded the binary to a threat intelligence platform for analysis and found that it had already been flagged as malicious.

(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)

Through static disassembly analysis, the figure below shows the entry code of the binary file, which is used for data decryption and script execution.

The figure below shows the data part, where most of the information is encrypted and encoded.

After decrypting the data, it was found that the binary file ultimately executes the same malicious osascript script (the full decryption code has been shared at https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to the backend.

The figure below shows part of the code that enumerates different plugin ID path information.

The figure below shows part of the code that reads the computer's KeyChain information.

After collecting system information, browser data, encrypted wallet data, Telegram data, Notes data, and Cookie data, the malicious code compresses and sends them to the hacker-controlled server (141.98.9.20).

Because the malware prompts the user for their password at runtime, and the subsequent malicious script also collects the computer's KeyChain data (which may include passwords saved on the machine), the hackers can attempt to decrypt the collected data and recover the user's seed phrase, private keys, and other sensitive information, and then steal the user's assets.

According to the analysis, the hacker server's IP address is located in the Netherlands and has been marked as malicious by the threat intelligence platform.

(https://www.virustotal.com/gui/ip-address/141.98.9.20)

Dynamic Analysis

By executing the malicious program dynamically in a virtual environment and monitoring its processes, we obtained the process-monitoring information shown in the figure below, in which the malicious program collects local data and sends it to the backend.

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze the hacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim. The hacker address has gained over $1 million, including USD0++, MORPHO, and ETH; the USD0++ and MORPHO were exchanged for 296 ETH.

According to MistTrack, the hacker address once received a small amount of ETH from the address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which appears to have supplied gas fees to the hacker address. This address (0xb01c) has a single income source, yet it transfers small amounts of ETH to nearly 8,800 addresses, apparently a "platform dedicated to providing gas fees".

By filtering the addresses that 0xb01c transferred to for those marked as malicious, we associated two phishing addresses, one of which is marked as Pink Drainer. Expanding the analysis on these two phishing addresses, the funds were mostly transferred to ChangeNOW and MEXC.

Next, we analyzed the withdrawal of the stolen funds, where 296.45 ETH was transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The first transaction of the new address (0xdfe7) was in July 2023, involving multiple chains, and the current balance is 32.81 ETH.

The main ETH withdrawal paths of the new address (0xdfe7) are as follows:

· 200.79 ETH -> 0x19e0…5c98f

· 63.03 ETH -> 0x41a2…9c0b

· 8.44 ETH -> exchanged for 15,720 USDT

· 14.39 ETH -> Gate.io

The subsequent transfers from the above downstream addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and with addresses marked by MistTrack as Angel Drainer and Theft. In addition, 99.96 ETH currently remains at the address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

The USDT transaction trail of the new address (0xdfe7) is also very extensive, being transferred out to platforms such as Binance, MEXC, and FixedFloat.
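The tracing above is a breadth-first walk over outgoing transfers that aggregates value per edge and stops when funds reach a labeled service, where on-chain custody ends. The block below is an added example (not MistTrack's code): its transfer list is constructed from the ETH flows the article reports, the truncated recipients are kept exactly as the article prints them, and the entity labels are assumptions standing in for a real address-labeling database.

```python
"""Trace outbound ETH flows from a seed address over a transfer list."""
from collections import defaultdict, deque

HACKER = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"
NEW_ADDR = "0xdfe7c22a382600dcffdde2c51aaa73d788ebae95"

# (sender, receiver, amount in ETH), constructed from the flows reported above.
TRANSFERS = [
    (HACKER, NEW_ADDR, 296.45),
    (NEW_ADDR, "0x19e0…5c98f", 200.79),
    (NEW_ADDR, "0x41a2…9c0b", 63.03),
    (NEW_ADDR, "swap:ETH->USDT", 8.44),   # 8.44 ETH exchanged for 15,720 USDT
    (NEW_ADDR, "Gate.io", 14.39),
]

# Assumed entity labels; the walk stops at a labeled node.
LABELS = {"Gate.io": "exchange", "swap:ETH->USDT": "swap"}


def trace_outflows(seed, transfers, labels=LABELS, max_hops=5):
    """Breadth-first walk of outgoing transfers; returns aggregated edges per hop."""
    by_sender = defaultdict(list)
    for sender, receiver, amount in transfers:
        by_sender[sender].append((receiver, amount))
    hops, seen, frontier = [], {seed}, deque([(seed, 0)])
    while frontier:
        addr, depth = frontier.popleft()
        if depth >= max_hops or addr in labels:
            continue  # reached the hop limit or a service where custody ends
        totals = defaultdict(float)
        for receiver, amount in by_sender[addr]:
            totals[receiver] += amount  # merge repeated transfers on one edge
        for receiver, total in totals.items():
            hops.append({"hop": depth + 1, "from": addr, "to": receiver,
                         "eth": round(total, 2), "label": labels.get(receiver, "unlabeled")})
            if receiver not in seen:
                seen.add(receiver)
                frontier.append((receiver, depth + 1))
    return hops


def total_out(hops, addr):
    """Sum of traced ETH leaving one address."""
    return round(sum(h["eth"] for h in hops if h["from"] == addr), 2)


def endpoints(hops, kind):
    """Receivers whose label matches the given kind (e.g. 'exchange')."""
    return sorted(h["to"] for h in hops if h["label"] == kind)
```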

Summary

In the phishing method shared here, hackers disguise a malicious download as a normal Zoom meeting link to induce users to download and execute malware. Such malware usually has several harmful functions, such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and it transmits the data to servers controlled by the hackers. This type of attack typically combines social engineering with a Trojan, and users who are not careful are vulnerable. The SlowMist security team recommends that users verify a meeting link carefully before clicking it, avoid executing software and commands from unknown sources, and install antivirus software and keep it updated. For more security knowledge, we recommend reading the "Blockchain Dark Forest Self-help Handbook" produced by the SlowMist security team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.
