Article reprinted from: SlowMist Technology

Author | Reborn, Lisa

Editor | Liz

Background

Recently, many users on X reported a phishing attack disguised as a Zoom meeting link. One victim installed malware after clicking on the malicious Zoom meeting link, resulting in the theft of crypto assets and losses of millions of dollars. In this context, the SlowMist security team analyzed this type of phishing incident and its attack methods, and tracked the flow of the hackers' funds.

(https://x.com/lsp8940/status/1871350801270296709)

Phishing link analysis

Hackers used domain names such as "app[.]us4zoom[.]us" to disguise themselves as normal Zoom meeting links. The pages were highly similar to real Zoom meetings. When users clicked the "Start Meeting" button, it would trigger the download of a malicious installation package instead of launching the local Zoom client.
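The disguise works because "us4zoom.us" contains the string "zoom.us", so a substring check accepts it. The following host check is an added example, not part of the original article; the trusted-domain list and the sample URLs other than the reported domain are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as genuine Zoom hosts; set this to your own policy.
TRUSTED_ZOOM_DOMAINS = ("zoom.us", "zoom.com")
BRAND = "zoom"

def refang(url):
    """Undo the defanging used in reports, e.g. https[:]//app[.]us4zoom[.]us."""
    return url.strip().replace("[.]", ".").replace("[:]", ":")

def naive_check(url):
    """Weak check shown for contrast: substring match on the brand domain."""
    return "zoom.us" in refang(url)

def classify_meeting_link(url):
    """Return 'trusted', 'lookalike' or 'unrelated' based on the URL's host."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url          # scheme-less links pasted from chat
    try:
        # .hostname drops any "user@" prefix and port, so "zoom.us@host" cannot
        # pass as a Zoom host.
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "lookalike" if BRAND in url.lower() else "unrelated"
    for domain in TRUSTED_ZOOM_DOMAINS:
        # Exact match or a true subdomain; the leading dot stops "us4zoom.us".
        if host == domain or host.endswith("." + domain):
            return "trusted"
    return "lookalike" if BRAND in host else "unrelated"

if __name__ == "__main__":
    # Constructed samples, except the reported phishing domain from this article.
    samples = [
        "https[:]//app[.]us4zoom[.]us/error_log",
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us@app.us4zoom.us/j/1",
        "https://example.org/",
    ]
    for s in samples:
        verdict = classify_meeting_link(s)
        print(f"{s:45} naive={naive_check(s)!s:5} strict={verdict}")
```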

By probing the above domain name, we found the hacker's monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).

Decryption revealed that this was a log entry when the script attempted to send a message via the Telegram API, and the language used was Russian.

The site was deployed online 27 days ago. The hacker may be Russian and started looking for targets on November 14, then used the Telegram API to monitor whether any target clicked the download button on the phishing page.

Malware Analysis

The malicious installation package file is named "ZoomApp_v.3.14.dmg". The following is the interface opened by the Zoom phishing software, which induces users to execute the malicious script ZoomApp.file in Terminal; during execution, it also induces users to enter their local password.

The following is the execution content of the malicious file:

After decoding the above content, it was found that this was a malicious osascript script.

Further analysis revealed that the script looked for a hidden executable file named ".ZoomApp" and ran it locally. We performed disk analysis on the original installation package "ZoomApp_v.3.14.dmg" and found that the installation package did hide an executable file named ".ZoomApp".
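The same disk check can be scripted for any mounted installer volume. This is an added example, not SlowMist's tooling: it walks a directory (for instance a DMG mount point) and flags dot-files that carry a Mach-O header, a script shebang or an executable bit. The sample volume in the demo is built from harmless placeholder bytes.

```python
import os
import stat
import tempfile

# Mach-O magic numbers in both byte orders; 0xcafebabe marks a universal binary
# (the same four bytes also start Java class files).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # universal ("fat")
}

def find_hidden_executables(root):
    """Return sorted (relative path, reasons) for dot-files that look executable."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode):      # skip symlinks, devices, sockets
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue                        # unreadable: leave for manual review
            reasons = []
            if head in MACHO_MAGICS:
                reasons.append("mach-o")
            elif head[:2] == b"#!":
                reasons.append("script")
            if mode & 0o111:
                reasons.append("exec-bit")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample volume: placeholder bytes only, not the real sample.
    with tempfile.TemporaryDirectory() as vol:
        with open(os.path.join(vol, ".ZoomApp"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        os.chmod(os.path.join(vol, ".ZoomApp"), 0o755)
        with open(os.path.join(vol, ".DS_Store"), "wb") as fh:
            fh.write(b"\x00\x00\x00\x01Bud1")
        print(find_hidden_executables(vol))
```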

Malicious behavior analysis

Static Analysis

We uploaded the binary file to the threat intelligence platform for analysis and found that the file had been marked as a malicious file.

(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)

Static disassembly shows the entry code of the binary file (figure below), which is used for data decryption and script execution.

The picture below shows the data section. Most of the information in it has been encrypted and encoded.

After decrypting the data, it was found that the binary file also eventually executed the malicious osascript script (the full decryption code has been shared at: https://pastebin.com/qRYQ44xa), which collects information on the user's device and sends it to the backend.

The following figure is part of the code that enumerates the path information of different plug-in IDs.

The following figure is part of the code for reading the computer KeyChain information.

After the malicious code collects system information, browser data, crypto wallet data, Telegram data, Notes data, and Cookie data, it compresses them and sends them to the server controlled by the hacker (141.98.9.20).

Because the malicious program induces users to enter their password while it runs, and the subsequent malicious scripts also collect the computer's KeyChain data (which may include various passwords the user has saved on the computer), the hackers will try to decrypt the collected data to obtain the user's wallet mnemonics, private keys and other sensitive information, and then steal the user's assets.

According to analysis, the IP address of the hacker's server is located in the Netherlands and has been marked as malicious by the threat intelligence platform.

(https://www.virustotal.com/gui/ip-address/141.98.9.20)

Dynamic Analysis

The malicious program was executed dynamically in a virtual environment and its processes were analyzed. The following figure shows the monitoring information of the malicious program collecting local data and sending it to the backend.

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze the hacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim: the hacker address made a profit of more than 1 million US dollars, including USD0++, MORPHO and ETH; among them, USD0++ and MORPHO were exchanged for 296 ETH.

According to MistTrack, the hacker address received a small amount of ETH from the address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which is suspected to have provided transaction fees for the hacker address. This address (0xb01c) has only one source of funds, yet it transferred small amounts of ETH to nearly 8,800 addresses, so it appears to be a "platform dedicated to providing fees."

Filtering the transfer recipients of this address (0xb01c) for addresses marked as malicious, we associate it with two phishing addresses, one of which is marked as Pink Drainer. Extending the analysis to these two phishing addresses, we find that the funds are basically transferred to ChangeNOW and MEXC.

Then we analyzed the transfer of the stolen funds. A total of 296.45 ETH was transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The first transaction of the new address (0xdfe7) was in July 2023, involving multiple chains, and the current balance is 32.81 ETH.

The main ETH transfer paths of the new address (0xdfe7) are as follows:

  • 200.79 ETH -> 0x19e0…5c98f

  • 63.03 ETH -> 0x41a2…9c0b

  • 8.44 ETH -> Converted to 15,720 USDT

  • 14.39 ETH -> Gate.io

The subsequent transfers from the above extended addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io and MEXC, and are related to multiple addresses marked as Angel Drainer and Theft by MistTrack. In addition, 99.96 ETH currently remains at the address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

There are also many USDT transaction traces in the new address (0xdfe7), which have been transferred to platforms such as Binance, MEXC, and FixedFloat.

Summary

In the phishing method shared this time, hackers disguise malicious links as normal Zoom meeting links to induce users to download and execute malware. Such malware usually has multiple harmful functions, such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and it transmits the data to servers controlled by the hackers. This type of attack usually combines social engineering with Trojan techniques, and users can easily fall for it if they are not careful. The SlowMist Security Team recommends that users carefully verify meeting links before clicking on them, avoid executing software and commands from unknown sources, and install antivirus software and update it regularly. For more security knowledge, it is recommended to read the "Blockchain Dark Forest Self-help Handbook" produced by the SlowMist Security Team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.