Original title: Seeing is not believing | Fake Zoom Meeting Phishing Analysis

Original source: SlowMist Technology

Background

Recently, several users on X reported a phishing attack disguised as a Zoom meeting link. One victim installed malicious software after clicking the fake Zoom meeting link, and crypto assets worth millions of dollars were stolen as a result. Against this background, the SlowMist security team analyzed this kind of phishing incident and the attack method behind it, and tracked the flow of the hacker's funds.

(https://x.com/lsp8940/status/1871350801270296709)

Phishing Link Analysis

The hacker used a look-alike domain, 'app[.]us4zoom[.]us', to pose as a normal Zoom meeting link, with a page that closely imitates a real Zoom meeting page. When a user clicks the 'Start Meeting' button, the page triggers the download of a malicious installation package instead of launching the local Zoom client.

By probing the domain above, we discovered the hacker's monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).

Decoding the log shows that these entries were written when the script attempted to send messages via the Telegram API; the messages are in Russian.

The site had been deployed 27 days earlier, and the hacker is likely Russian. They began targeting users on November 14 and then used the Telegram API to monitor whether any target had clicked the download button on the phishing page.
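The first line of defence against this kind of link is a host check that does not trust the word "zoom" appearing in a hostname. The following is an added example (not SlowMist's code) that classifies a meeting URL, defanged or not, as official, look-alike or other; the allow-list of registrable Zoom domains is an assumption and should match whatever your organisation treats as legitimate.

```python
# Added example (not SlowMist's code): classify a meeting URL by whether its host
# is really a Zoom domain or merely contains the word "zoom", as app.us4zoom.us does.
from urllib.parse import urlparse

# Assumption: these are the registrable domains Zoom actually uses for meeting links.
OFFICIAL_ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'app[.]us4zoom[.]us' back into a normal string."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def is_official_zoom_host(host: str) -> bool:
    # The suffix check must include the dot: "app.us4zoom.us" ends with the string
    # "zoom.us", but "us4zoom.us" is a different registrable domain from "zoom.us".
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_ZOOM_DOMAINS)


def classify_meeting_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'other' for a (possibly defanged) meeting link."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "other"
    if is_official_zoom_host(host):
        return "official"
    # Brand name present in a host that is not Zoom's: the pattern used in this campaign.
    if "zoom" in host.replace("-", ""):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links: the campaign domain from the article plus three controls.
    for link in ("https://app[.]us4zoom[.]us/", "https://us04web.zoom.us/j/123456789",
                 "https://zoom.us.example.net/j/1", "https://example.com/meeting"):
        print(f"{classify_meeting_link(link):9s}  {link}")
```

The same function can be applied to links in mail gateways or proxy logs; the 'lookalike' class is the one worth alerting on, since it is exactly what a user cannot tell apart from the real page visually.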

Malware Analysis

The malicious installation package is named 'ZoomApp_v.3.14.dmg'. The screenshot below shows the interface opened by this fake Zoom package: it lures the user into running the malicious script ZoomApp.file in Terminal, and during execution it also prompts the user to enter their local password.

The contents of the malicious file are as follows:

After decoding the content above, we found that it is a malicious osascript script.

Further analysis shows that the script looks for a hidden executable named '.ZoomApp' and runs it locally. We performed a disk analysis of the original installation package 'ZoomApp_v.3.14.dmg' and confirmed that it indeed contains a hidden executable named '.ZoomApp'.
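A hidden dot-file that is also a Mach-O executable is unusual in a legitimate installer, so it is a cheap thing to check on a mounted image before anything is run. The following is an added example (not SlowMist's code) that walks a directory, flags hidden regular files that carry an execute bit or start with a Mach-O magic number, and builds a small constructed stand-in for the disk image so it can run anywhere; the file names and bytes in the demo are constructed, not taken from the sample.

```python
# Added example (not SlowMist's code): find hidden executables, such as '.ZoomApp',
# inside a mounted disk image or any directory tree.
import os
import stat
import tempfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat/universal binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def looks_like_macho(path: str) -> bool:
    """True if the first four bytes of the file are a Mach-O magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_executables(root: str) -> list:
    """Return hidden regular files under root that are executable or Mach-O binaries."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            exec_bit = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            macho = looks_like_macho(full)
            if exec_bit or macho:
                hits.append({"path": os.path.relpath(full, root),
                             "exec_bit": exec_bit, "macho": macho})
    return sorted(hits, key=lambda h: h["path"])


def build_demo_image() -> str:
    """Constructed stand-in for the mounted DMG: one visible launcher, one hidden
    Mach-O binary with the execute bit set, and a harmless hidden .DS_Store."""
    root = tempfile.mkdtemp(prefix="demo_dmg_")
    with open(os.path.join(root, "ZoomApp.file"), "w") as fh:
        fh.write("# constructed placeholder for the visible launcher script\n")
    hidden = os.path.join(root, ".ZoomApp")
    with open(hidden, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)   # 64-bit Mach-O magic, then padding
    os.chmod(hidden, 0o755)
    with open(os.path.join(root, ".DS_Store"), "wb") as fh:
        fh.write(b"\x00\x00\x00\x01Bud1")               # hidden but neither executable nor Mach-O
    return root


if __name__ == "__main__":
    for hit in find_hidden_executables(build_demo_image()):
        print(hit)
```

For a real sample, attach the image read-only (for example with `hdiutil attach -readonly -nobrowse`) in an isolated analysis VM and point `find_hidden_executables` at the mount point; the `.DS_Store` case shows why the check keys on the execute bit and the Mach-O header rather than on the leading dot alone.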

Malicious Behavior Analysis

Static Analysis

We uploaded the binary to a threat intelligence platform for analysis and found that the file has already been flagged as malicious.

(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)

Static disassembly shows the following entry code of the binary, which is used for data decryption and script execution.

The following figure shows the data section; most of the information is encrypted and encoded.

Decrypting the data reveals that the binary ultimately executes a malicious osascript script (the complete decryption code has been shared at https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to the backend.

The following figure shows part of the code that enumerates path information for different plugin IDs.

The following figure shows part of the code that reads the computer's Keychain data.

After collecting system information, browser data, cryptocurrency wallet data, Telegram data, Notes data, and cookie data, the malicious code compresses them and sends them to the hacker-controlled server (141.98.9.20).

Because the malicious program prompts the user for their password while running, and the follow-on script also collects the computer's Keychain data (which may contain various passwords saved by the user), the hacker, once they have this data, will try to decrypt it to obtain sensitive information such as the user's wallet mnemonic and private keys, and then steal the user's assets.

According to our analysis, the IP address of the hacker's server is located in the Netherlands and has already been flagged as malicious by threat intelligence platforms.

(https://www.virustotal.com/gui/ip-address/141.98.9.20)
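The indicators above (the phishing domain, the exfiltration server, the package name, the hidden binary and its SHA-256) are enough to sweep existing DNS, proxy, firewall and endpoint logs for earlier contact. The following is an added example (not SlowMist's code) that matches those indicators against log lines with boundary-aware patterns, so that 141.98.9.20 does not fire on 141.98.9.200; the six log lines are constructed for the demo, only the indicator values come from the article.

```python
# Added example (not SlowMist's code): sweep log lines for the indicators from this
# analysis.  Log lines below are constructed; indicator values are from the article.
import re

IOC_DOMAINS = {"app.us4zoom.us"}
IOC_IPS = {"141.98.9.20"}
IOC_SHA256 = {"e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2"}
IOC_FILENAMES = {"ZoomApp_v.3.14.dmg", ".ZoomApp"}

# Boundary-aware patterns: an IP must not be a substring of a longer IP, a hostname
# must not be a tail of a longer hostname, and a digest must be exactly 64 hex chars.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
SHA256_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I)
FILENAME_RES = {name: re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
                for name in IOC_FILENAMES}


def scan_line(line: str) -> list:
    """Return (indicator_type, value) pairs found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("domain", host))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    for name, pattern in FILENAME_RES.items():
        if pattern.search(line):
            hits.append(("filename", name))
    return hits


def scan_log(lines) -> list:
    """Return one alert record per indicator hit, keyed by 1-based line number."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            alerts.append({"line": number, "type": kind, "value": value})
    return alerts


# Constructed log lines in a generic "timestamp source fields" shape.
SAMPLE_LOG = [
    "2024-12-25T10:02:11Z dns client=10.0.0.5 qname=app.us4zoom.us qtype=A",
    "2024-12-25T10:02:40Z proxy GET https://app.us4zoom.us/ZoomApp_v.3.14.dmg 200 bytes=4194304",
    "2024-12-25T10:05:03Z fw ALLOW tcp 10.0.0.5:51234 -> 141.98.9.20:80 bytes_out=2310045",
    "2024-12-25T10:05:09Z fw ALLOW tcp 10.0.0.5:51240 -> 141.98.9.200:443 bytes_out=812",
    "2024-12-25T10:06:00Z edr exec path=/Volumes/ZoomApp/.ZoomApp "
    "sha256=e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2",
    "2024-12-25T10:07:00Z proxy GET https://us04web.zoom.us/j/123456789 200 bytes=5120",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The large `bytes_out` on the firewall line is the other signal worth keeping in view: a freshly installed "Zoom" that immediately pushes a multi-megabyte upload to a bare IP is the compression-and-exfiltration step described above, whether or not the IP is already on an indicator list.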

Dynamic Analysis

We executed the malicious program in a virtual environment and analyzed its processes; the following figure shows the malicious program collecting local data and sending it to the backend.

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze the hacker address provided by the victim, 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac. The hacker address profited over 1 million USD, including USD0++, MORPHO, and ETH; the USD0++ and MORPHO were swapped for 296 ETH.

MistTrack also shows that the hacker address received small ETH transfers from address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, suspected to be gas fee funding for the hacker address. This address (0xb01c) has only one source of income, yet it has sent small amounts of ETH to nearly 8,800 addresses, and appears to function as a 'service that specifically provides gas fees'.

Filtering the malicious addresses among the recipients of this address (0xb01c), we found links to two phishing addresses, one of which is tagged as Pink Drainer. Extending the analysis to these two phishing addresses shows that their funds were mainly transferred to ChangeNOW and MEXC.

Next, we analyzed the movement of the stolen funds: a total of 296.45 ETH was transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The new address (0xdfe7) made its first transaction in July 2023, is active on multiple chains, and currently holds a balance of 32.81 ETH.

The main ETH transfer paths from the new address (0xdfe7) are as follows:

· 200.79 ETH -> 0x19e0…5c98f

· 63.03 ETH -> 0x41a2…9c0b

· 8.44 ETH -> exchanged for 15,720 USDT

· 14.39 ETH -> Gate.io

Subsequent transfers from the downstream addresses are linked to platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and to multiple addresses tagged by MistTrack as Angel Drainer and Theft. In addition, 99.96 ETH currently remains in address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

The new address (0xdfe7) also shows many USDT transactions, with funds transferred to platforms such as Binance, MEXC, and FixedFloat.
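The tracing above follows two patterns that are mechanical once the transfers are in hand: walk outgoing edges from the theft address until a tagged exchange or swap is reached, and look upstream for a "gas fee" funder that sends only dust to a large number of recipients. The following is an added example (not SlowMist's or MistTrack's code) that does both over a constructed ledger; the addresses and ETH amounts on the hacker and 0xdfe7 hops are those quoted in this article (the two truncated addresses are kept as the article prints them), while the funder's amounts and its other recipients are constructed, and the exchange tags stand in for MistTrack's labels.

```python
# Added example (not SlowMist's or MistTrack's code): fund-flow tracing over a small
# constructed ledger built from the figures quoted in the article.
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: Decimal   # ETH
    note: str = ""


HACKER = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"
FUNDER = "0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e"
HOP1 = "0xdfe7c22a382600dcffdde2c51aaa73d788ebae95"

# Tagged endpoints: a trace stops when it reaches one (stand-in for MistTrack labels).
LABELS = {"Gate.io": "exchange", "ChangeNOW": "exchange", "MEXC": "exchange",
          "swap:ETH->USDT": "dex"}

TRANSFERS = [
    Transfer(FUNDER, HACKER, Decimal("0.01"), "gas top-up (constructed amount)"),
    Transfer(HACKER, HOP1, Decimal("296.45"), "stolen ETH after swapping USD0++/MORPHO"),
    Transfer(HOP1, "0x19e0…5c98f", Decimal("200.79")),
    Transfer(HOP1, "0x41a2…9c0b", Decimal("63.03")),
    Transfer(HOP1, "swap:ETH->USDT", Decimal("8.44"), "15,720 USDT"),
    Transfer(HOP1, "Gate.io", Decimal("14.39")),
] + [  # constructed extra dust recipients so the funder heuristic has something to see
    Transfer(FUNDER, f"0xconstructed{i:02d}", Decimal("0.01"), "gas top-up") for i in range(1, 5)
]


def build_graph(transfers):
    """Adjacency list keyed by sender."""
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    return out


def trace_outflows(graph, start, max_hops=3):
    """Depth-first walk over outgoing edges; one record per edge reached, with its path."""
    found = []

    def walk(addr, path, hops):
        if hops == max_hops:
            return
        for t in graph.get(addr, []):
            if t.dst in path:            # ignore cycles
                continue
            found.append({"path": path + [t.dst], "amount": t.amount, "hops": hops + 1})
            if t.dst not in LABELS:      # stop at a tagged exchange or DEX
                walk(t.dst, path + [t.dst], hops + 1)

    walk(start, [start], 0)
    return found


def total_outflow(graph, addr):
    return sum((t.amount for t in graph.get(addr, [])), Decimal("0"))


def amount_reaching_labels(graph, start):
    """ETH that arrives at each tagged endpoint when tracing from start."""
    totals = defaultdict(Decimal)
    for rec in trace_outflows(graph, start):
        if rec["path"][-1] in LABELS:
            totals[rec["path"][-1]] += rec["amount"]
    return dict(totals)


def fee_funder_candidates(transfers, max_amount=Decimal("0.05"), min_recipients=5):
    """Addresses that only ever send dust, to at least min_recipients distinct addresses."""
    recipients = defaultdict(set)
    sends_large = set()
    for t in transfers:
        if t.amount <= max_amount:
            recipients[t.src].add(t.dst)
        else:
            sends_large.add(t.src)
    return sorted(a for a, r in recipients.items()
                  if len(r) >= min_recipients and a not in sends_large)


if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    for rec in trace_outflows(g, HACKER):
        print(" -> ".join(rec["path"]), rec["amount"])
    print("outflow from 0xdfe7:", total_outflow(g, HOP1))
    print("reaching tagged endpoints:", amount_reaching_labels(g, HACKER))
    print("fee funder candidates:", fee_funder_candidates(TRANSFERS))
```

The four listed outflows from 0xdfe7 sum to 286.65 ETH against the 296.45 ETH it received; the example does not treat the difference as a balance, because the article notes the address is active on multiple chains and the remaining 32.81 ETH reflects more than these four transfers.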

Summary

The phishing method described in this article is one in which the hacker poses as a normal Zoom meeting link to lure users into downloading and running malicious software. Such malware typically carries several harmful functions, such as collecting system information, stealing browser data, and extracting cryptocurrency wallet information, and sends the data to servers controlled by the hacker. Attacks of this kind usually combine social engineering with Trojan techniques, and a moment of carelessness is enough for a user to fall victim. The SlowMist security team advises users to verify meeting links carefully before clicking, to avoid running software and commands from unknown sources, and to install antivirus software and keep it updated. For more security knowledge, please read the SlowMist security team's Blockchain Dark Forest Self-Guard Handbook: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.