Original title: Seeing is not believing | Fake Zoom Meeting Phishing Analysis

Original source: SlowMist Technology

Background

Recently, several users on X reported a phishing attack disguised as a Zoom meeting link. One victim installed malware after clicking the malicious Zoom meeting link, resulting in the theft of crypto assets worth millions of dollars. Against this background, the SlowMist security team analyzed this type of phishing incident and its attack method, and traced the flow of the hacker's funds.

(https://x.com/lsp8940/status/1871350801270296709)

Phishing link analysis

Hackers use domains such as 'app[.]us4zoom[.]us' that resemble a legitimate Zoom meeting link, and the page closely imitates a genuine Zoom meeting page. When users click the 'Start Meeting' button, the page downloads the malicious installer instead of launching the local Zoom client.

By probing the domain above, we found the hacker's monitoring log endpoint (https[:]//app[.]us4zoom[.]us/error_log).

After decoding, this turned out to be a log of the script attempting to send messages via the Telegram API; the messages are written in Russian.

The site went live 27 days ago. The hackers are likely Russian; they began looking for targets on November 14 and used the Telegram API to monitor whether targets clicked the download button on the phishing page.

Malware analysis

The malicious installer is named 'ZoomApp_v.3.14.dmg'. The image below shows the window this fake Zoom installer opens: it instructs users to run the malicious script ZoomApp.file in the Terminal, and while the script runs it also prompts users to enter their local password.

Below is the content that the malicious file executes:

Decoding the above content shows that it is a malicious osascript (AppleScript) script.

Further analysis showed that this script looks for a hidden executable named '.ZoomApp' and runs it locally. Examining the disk image of the original installer 'ZoomApp_v.3.14.dmg' confirmed that it does contain a hidden executable named '.ZoomApp'.

Malicious behavior analysis

Static analysis

We uploaded this binary to a threat intelligence platform (VirusTotal) for analysis and found that it had already been flagged as malicious.

(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)

Static disassembly shows the binary's entry code, pictured below, which decrypts embedded data and executes a script.

The following image shows part of the embedded data; most of it is encrypted and encoded.

After decrypting the data, we found that this binary also ultimately executes a malicious osascript script (the complete decrypted code has been shared at https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to the backend.

The following image shows part of the code that enumerates the paths of various plugin IDs.

The following image shows part of the code that reads the computer's Keychain data.

After collecting system information, browser data, cryptocurrency wallet data, Telegram data, Notes data, and cookies, the malicious code compresses them and sends them to a server controlled by the hacker (141.98.9.20).

Because the malicious program prompts users for their password during execution, and the subsequent malicious scripts also collect the computer's Keychain data (which may contain various passwords saved on the computer), the hackers will attempt to decrypt the collected data to obtain sensitive information such as the user's wallet mnemonic and private keys, and thereby steal the user's assets.
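As an added example (not SlowMist's code or tooling), the following Python triage script applies two observations from the installer and behaviour analysis above, a hidden executable dotfile inside the installer and a base64-wrapped osascript that prompts for a password, to a constructed directory standing in for the mounted DMG. The indicator regexes, the sample files and their contents are assumptions for illustration only.

```python
import base64
import os
import re
import stat
import tempfile

# Hypothetical indicator regexes derived from the behaviour described in the analysis; not SlowMist's rules.
INDICATORS = {
    "osascript_exec": re.compile(r"\bosascript\b"),
    "password_prompt": re.compile(r"with hidden answer"),  # AppleScript masked-input dialog
    "keychain_read": re.compile(r"keychain|find-generic-password", re.I),
    "pipe_decode_exec": re.compile(r"base64\s+(-d|--decode)\s*\|"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def find_hidden_executables(root):
    """Dotfiles with an execute bit set, like the '.ZoomApp' hidden in the installer."""
    return sorted(
        os.path.relpath(os.path.join(d, n), root)
        for d, _, files in os.walk(root) for n in files
        if n.startswith(".") and os.stat(os.path.join(d, n)).st_mode & stat.S_IXUSR)

def expand_base64(text):
    """Append decoded copies of long base64 blobs so layered payloads get scanned too."""
    for blob in B64_BLOB.findall(text):
        try:
            text += "\n" + base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError: pass  # binascii.Error (bad padding/alphabet) is a ValueError subclass
    return text

def scan_script(text):
    """Sorted indicator names matched in the script text or in its decoded layers."""
    return sorted(k for k, rx in INDICATORS.items() if rx.search(expand_base64(text)))

def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_script(f.read())

def build_sample_dmg_tree():
    """Constructed stand-in for a mounted installer; nothing here is the real ZoomApp_v.3.14.dmg."""
    root = tempfile.mkdtemp(prefix="fake_dmg_")
    inner = 'display dialog "Zoom needs your password" default answer "" with hidden answer'
    loader = "#!/bin/sh\necho %s | base64 -d | osascript\n" % base64.b64encode(inner.encode()).decode()
    with open(os.path.join(root, "ZoomApp.file"), "w") as f:
        f.write(loader)
    hidden = os.path.join(root, ".ZoomApp")
    with open(hidden, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe")  # Mach-O magic bytes only, not a runnable binary
    os.chmod(hidden, 0o755)
    return root
```

Running `find_hidden_executables` and `scan_file` over the mount point of a suspicious DMG gives a quick first pass before the hidden binary itself is submitted for static and dynamic analysis.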

According to the analysis, the hacker's server IP address is located in the Netherlands and has been flagged as malicious by the threat intelligence platform.

(https://www.virustotal.com/gui/ip-address/141.98.9.20)

Dynamic analysis

We executed the malicious program in a virtual environment and monitored its processes; the following image shows the process-monitoring output as the program collects local data and sends it to the backend.

MistTrack analysis

We used the on-chain tracking tool MistTrack to analyze the hacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim. The hacker address profited over 1 million USD, including USD0++, MORPHO, and ETH; the USD0++ and MORPHO were swapped for 296 ETH.

According to MistTrack, the hacker address had previously received small amounts of ETH from address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which appears to have supplied transaction fees for the hacker address. This address (0xb01c) has only one source of income, yet it has sent small amounts of ETH to nearly 8,800 addresses, which suggests a 'platform that specifically provides transaction fees'.

Filtering the outflow destinations of address (0xb01c) that are marked as malicious links it to two phishing addresses, one of which is labeled Pink Drainer. Further analysis of these two phishing addresses shows that their funds mainly flow to ChangeNOW and MEXC.

Next, we analyzed the outflow of the stolen funds: a total of 296.45 ETH was transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The new address (0xdfe7) made its first transaction in July 2023, is active on multiple chains, and currently holds 32.81 ETH.

The main ETH outflow path of the new address (0xdfe7) is as follows:

· 200.79 ETH -> 0x19e0…5c98f

· 63.03 ETH -> 0x41a2…9c0b

· 8.44 ETH -> swapped for 15,720 USDT

· 14.39 ETH -> Gate.io

The subsequent outflows from the above addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and are linked to multiple addresses labeled Angel Drainer and Theft by MistTrack. In addition, 99.96 ETH currently remains at address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

The new address (0xdfe7) also has numerous USDT transfers, going to platforms such as Binance, MEXC, and FixedFloat.
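To make the tracing heuristics in this section concrete (the single-income, many-small-outflow profile that flagged 0xb01c as a fee provider, and the per-recipient outflow path listed for 0xdfe7), here is an added Python example that is not MistTrack's code. The transfer records are constructed; only the addresses and the listed ETH amounts come from the analysis, and the thresholds are assumptions.

```python
from collections import defaultdict

# Addresses are those named in the analysis; every transfer below is constructed for
# illustration, not real chain data (amounts follow the report's figures where it gives them).
B01C = "0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e"   # suspected fee-provisioning address
HACKER = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"
DFE7 = "0xdfe7c22a382600dcffdde2c51aaa73d788ebae95"

TRANSFERS = [("0xexchange_hotwallet", B01C, "ETH", 40.0)]  # 0xb01c's single income source
TRANSFERS += [(B01C, "0xrecipient%04d" % i, "ETH", 0.003) for i in range(60)]  # gas dust to many
TRANSFERS += [
    (B01C, HACKER, "ETH", 0.003),                 # gas for the address the victim reported
    ("0xvictim", HACKER, "USD0++", 700000.0),     # constructed stand-in for the stolen assets
    (HACKER, DFE7, "ETH", 296.45),
    (DFE7, "0x19e0…5c98f", "ETH", 200.79),
    (DFE7, "0x41a2…9c0b", "ETH", 63.03),
    (DFE7, "Gate.io", "ETH", 14.39),
]

def fee_provider_candidates(transfers, min_payouts=50, max_amount=0.01):
    """Addresses with exactly one ETH income source that dust many others: the 0xb01c profile."""
    inflow_sources = defaultdict(set)
    small_payouts = defaultdict(set)
    for src, dst, token, amount in transfers:
        if token != "ETH":
            continue
        inflow_sources[dst].add(src)
        if amount <= max_amount:
            small_payouts[src].add(dst)
    return sorted(addr for addr, outs in small_payouts.items()
                  if len(outs) >= min_payouts and len(inflow_sources[addr]) == 1)

def gas_sponsored_by(transfers, provider):
    """Addresses that received ETH from a flagged provider; fresh drainer addresses show up here."""
    return {dst for src, dst, token, _ in transfers if src == provider and token == "ETH"}

def outflow_breakdown(transfers, address, token="ETH"):
    """Total sent per recipient, largest first, as MistTrack lists the 0xdfe7 outflow path."""
    totals = defaultdict(float)
    for src, dst, tok, amount in transfers:
        if src == address and tok == token:
            totals[dst] += amount
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

On real data the same three functions run over exported transfer lists; the payout threshold should be tuned to the chain's typical gas cost so that ordinary wallets are not flagged.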

Summary

In the phishing method shared here, hackers disguise malware as a normal Zoom meeting link to lure users into downloading and executing it. Such malware typically has multiple harmful functions, such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and sends the data to servers controlled by the hackers. This type of attack usually combines social engineering with trojan techniques, and a moment of carelessness is enough for users to fall victim. The SlowMist security team advises users to verify meeting links carefully before clicking, avoid executing unknown software and commands, install antivirus software, and update it regularly. For more security knowledge, please refer to the SlowMist security team's Blockchain Dark Forest Selfguard Handbook: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.