SlowMist has brought attention to a new phishing scam targeting cryptocurrency users. The scam disguises itself as fake Zoom meetings to distribute malware that steals sensitive data. It involves counterfeit Zoom links that trick victims into downloading malicious files aimed at extracting cryptocurrency assets.
According to blockchain security platform SlowMist, the attackers behind the scam used a sophisticated phishing technique involving a domain that mimicked the legitimate Zoom domain. The phishing website, “app[.]us4zoom[.]us,” looks very similar to the genuine Zoom website interface.
⚠️Beware of phishing attacks disguised as Zoom meeting links!🎣 Hackers collect user data and decrypt it to steal sensitive info like mnemonic phrases and private keys. These attacks often combine social engineering and trojan techniques. Read our full analysis⬇️… pic.twitter.com/kDExVZNUbv
— SlowMist (@SlowMist_Team) December 27, 2024
Victims are prompted to click a “Launch Meeting” button, which they expect to take them to a Zoom session. However, instead of opening the Zoom application, the button initiates the download of a malicious file titled “ZoomApp_v.3.14.dmg.”
Malware execution and data theft ploy uncovered
Once downloaded, the malicious file triggers a script that requests the user’s system password. The script executes a hidden executable named “.ZoomApp,” which is designed to access and collect sensitive system information, including browser cookies, KeyChain data, and cryptocurrency wallet credentials.
Per security experts, the malware is specifically tailored to target cryptocurrency users, with the intention of stealing private keys and other crucial wallet data. The downloaded package, once installed, will run a script called “ZoomApp.file.”
Upon execution, the script prompts users to enter their system password, unknowingly giving hackers access to sensitive data.
Crypto hacks through Zoom links – Source: SlowMist
After decrypting the data, SlowMist revealed that the script ultimately executes an osascript, which transfers collected information to the attackers’ backend systems.
SlowMist also traced the phishing site’s creation to 27 days ago, suspecting the involvement of Russian hackers. These hackers have been using Telegram’s API to monitor activity on the phishing site, tracking whether anyone clicked the download link. According to the security company’s analysis, the hackers began targeting victims as early as November 14.
Stolen funds moved through several exchanges
SlowMist used the on-chain tracking tool MistTrack to investigate the movements of stolen funds. The hacker’s address, identified as 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac, has reportedly profited more than $1 million in cryptocurrency, including USD0++, MORPHO, and ETH.
In a detailed analysis, MistTrack revealed that the hacker address had exchanged USD0++ and MORPHO for 296 ETH.
Stolen crypto movements tracked by MistTrack. Source: MistTrack
Further investigation showed that the hacker’s address received small ETH transfers from another address, 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which appeared to be responsible for providing transaction fees for the hacker’s scheme.
The address has been found to transfer small amounts of ETH to nearly 8,800 other addresses, suggesting it may be part of a larger platform dedicated to funding transaction fees for illicit activities.
ETH transfers between addresses linked to the Zoom link scam – Source: SlowMist
Once the stolen funds were gathered, they were funneled through various platforms. Binance, Gate.io, Bybit, and MEXC were among the exchanges that received the stolen cryptocurrency. The funds were then consolidated into a different address, with transactions flowing into several exchanges, including FixedFloat and Binance. There, the stolen funds were converted into Tether (USDT) and other cryptocurrencies.
The criminals behind this scheme have managed to evade direct capture by using complex methods to launder and convert their illicit gains into widely-used cryptocurrencies. SlowMist warned crypto enthusiaststhat the phishing site and associated addresses may continue to target unsuspecting cryptocurrency users.
From Zero to Web3 Pro: Your 90-Day Career Launch Plan