Original Title: "Seeing is Not Believing | Fake Zoom Meeting Phishing Analysis"
Original Source: SlowMist Technology
Editor's Note: Recently, the cryptocurrency market has once again seen frequent phishing events using fake Zoom meeting links. First, EurekaTrading founder Kuan Sun fell victim to a $13 million phishing attack after mistakenly trusting a fake meeting invitation and installing a malicious plugin. Fortunately, the Venus protocol halted operations urgently and, with the assistance of multiple security teams, successfully recovered the funds.
On September 8, Fortune Collective founder Alexander Choi also disclosed in a post that he established contact with a fake project through private messages on X platform, clicked on a phishing link disguised as a meeting during the conversation, resulting in a loss of nearly $1 million.
Why does fake Zoom meeting phishing succeed repeatedly? How can investors avoid it? SlowMist, a well-known security company in the industry, released this article on December 27, 2024, to remind everyone to safeguard their funds. The original article is as follows:
Recently, several users on X reported a phishing attack method disguising itself as a Zoom meeting link. One victim clicked on a malicious Zoom meeting link, which led to the installation of malware, resulting in the theft of cryptocurrency assets and losses reaching millions of dollars. In this context, the SlowMist security team conducted an analysis of such phishing events and attack methods, and traced the hackers' fund flow.
(https://x.com/lsp8940/status/1871350801270296709)
The hacker used a domain such as "app[.]us4zoom[.]us" to pose as a legitimate Zoom meeting link. The page closely resembles a real Zoom meeting page, and when a user clicks the "Start Meeting" button, it triggers the download of a malicious package instead of launching the local Zoom client.
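The lookalike works because the hostname contains "zoom" and ends in ".us", which is enough to pass a casual glance. A defender-side check should instead test whether the host is exactly a Zoom domain or a subdomain of one. The following is an added example (not SlowMist's code); the list of legitimate Zoom domains is an assumption chosen for illustration, not an official allowlist.

```python
from urllib.parse import urlsplit

# Assumed for this example: domains treated as genuinely Zoom's.
# A production allowlist should come from the vendor, not from here.
LEGITIMATE_ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def zoom_host_status(url: str) -> str:
    """Classify the host of a meeting URL.

    Returns:
      'legitimate' - host is a Zoom domain or a subdomain of one
      'lookalike'  - host merely contains 'zoom' (e.g. app.us4zoom.us)
      'other'      - host is unrelated to Zoom
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in LEGITIMATE_ZOOM_DOMAINS:
        # Require an exact match or a dot-separated subdomain; a plain
        # endswith("zoom.us") would wrongly accept "us4zoom.us".
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    if "zoom" in host:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for u in ("https://app.us4zoom.us/j/1234",
              "https://us04web.zoom.us/j/1234",
              "https://zoom.us.example.net/j/1"):
        print(u, "->", zoom_host_status(u))
```

The subdomain test is the important detail: matching on the suffix "zoom.us" alone would accept the phishing domain, and matching on the substring "zoom" anywhere would reject nothing.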
Through investigation of the above domain, we identified the hacker's monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).
Decoding it showed a log entry from a script attempting to send a message through the Telegram API, written in Russian.
The site had been deployed 27 days earlier. The hacker, possibly Russian, had been scouting for targets since November 14 and used the Telegram API to be notified whenever a target clicked the download button on the phishing page.
The malicious installer package is named "ZoomApp_v.3.14.dmg". The installer's interface, shown below, tricks users into running the malicious ZoomApp.file script in Terminal; while it runs, it also prompts the user to enter their local login password.
Below is the content of the malicious file execution:
Decoding the above content reveals that this is a malicious osascript script.
Further analysis reveals that this script looks for a hidden executable file named ".ZoomApp" and runs it locally. Examining the contents of the original installer package "ZoomApp_v.3.14.dmg" confirmed that the package does hide an executable file named ".ZoomApp".
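A quick triage step for a suspicious disk image is to mount it and look for dot-files that are executable, since Finder hides them and a legitimate installer rarely needs one. The following is an added example (not SlowMist's tooling): it walks a directory, flags hidden files that either carry an execute bit or begin with a Mach-O magic number, and builds a constructed mock of the installer layout in a temporary directory so it can be run offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mach-O magic numbers: 32-bit, 64-bit, and fat/universal, both byte orders.
# (0xCAFEBABE is also the Java class-file magic, so treat it as a hint.)
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def is_macho(path: Path) -> bool:
    """True if the first four bytes look like a Mach-O header."""
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_executables(root: str) -> list:
    """Return paths (relative to root) of dot-files that are executable,
    judged by mode bits or by a Mach-O header. Symlinks are skipped."""
    root_path = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            if not name.startswith("."):
                continue
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            mode = p.stat().st_mode
            exec_bit = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if exec_bit or is_macho(p):
                findings.append(str(p.relative_to(root_path)))
    return sorted(findings)


def demo_scan() -> list:
    """Constructed mock of the installer's contents (not the real sample):
    a visible script, a benign .DS_Store, and a hidden Mach-O-like file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ZoomApp.file").write_text("placeholder script text\n")
        (root / ".DS_Store").write_bytes(b"\x00" * 16)
        hidden = root / ".ZoomApp"
        # Only the header bytes are written; this is not a real binary.
        hidden.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        hidden.chmod(0o755)
        return find_hidden_executables(str(root))


if __name__ == "__main__":
    print("hidden executables:", demo_scan())
```

Against a real image you would run find_hidden_executables on the mount point (for example a path under /Volumes after opening the .dmg) rather than on the constructed directory; .DS_Store is correctly ignored because it is neither executable nor a Mach-O file.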
We uploaded this binary file to a threat intelligence platform for analysis and found that the file has already been flagged as malicious.
(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)
Static disassembly shows the following entry code of the binary, which decrypts embedded data and executes a script.
The following is the data section, where most of the information can be seen to be encrypted and encoded.
Upon decrypting the data, it was found that the binary file ultimately executes a malicious osascript script (the full decryption code has been shared at: https://pastebin.com/qRYQ44xa), which collects information from the user's device and sends it to a backend server.
The following is a section of the code enumerating different plugin ID paths.
The following is a section of the code reading computer KeyChain information.
The malicious code, after gathering system information, browser data, encrypted wallet data, Telegram data, Notes data, and Cookie data, compresses them and sends them to a hacker-controlled server (141.98.9.20).
Because the malicious program prompts the user for their password at runtime, and the subsequent script collects the computer's KeyChain data (which may include the various passwords the user has saved on the machine), the hackers can attempt to decrypt that data to obtain sensitive information such as the user's wallet mnemonic phrase and private key, and thereby steal the user's assets.
According to analysis, the IP address of the hacker's server is located in the Netherlands and has currently been flagged as malicious by threat intelligence platforms.
(https://www.virustotal.com/gui/ip-address/141.98.9.20)
We also executed the malicious program dynamically in a virtual machine and monitored its processes; the image below shows the process-monitoring output as the program collects local data and sends it to the backend.
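The indicators published above (the phishing domain, the installer name, the hidden binary's name, the SHA-256 of the binary, and the exfiltration server IP) are what a defender would sweep existing DNS, download, process and network logs for. The following is an added example (not SlowMist's code) that matches those indicators as whole tokens against a few constructed log lines, so that 141.98.9.200 does not produce a false hit for 141.98.9.20.

```python
import re

# Indicators of compromise taken from the write-up above.
IOCS = {
    "domain": ["app.us4zoom.us"],
    "ip": ["141.98.9.20"],
    "sha256": ["e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2"],
    "filename": ["ZoomApp_v.3.14.dmg", ".ZoomApp"],
}


def _compile(value: str) -> re.Pattern:
    # Whole-token match: the indicator may not be preceded or followed by
    # a word character or hyphen, so "141.98.9.200" does not match "141.98.9.20".
    return re.compile(r"(?<![\w-])" + re.escape(value) + r"(?![\w-])", re.IGNORECASE)


PATTERNS = [(t, v, _compile(v)) for t, values in IOCS.items() for v in values]


def sweep(lines) -> list:
    """Return (line_number, ioc_type, ioc_value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc_type, value, pattern in PATTERNS:
            if pattern.search(line):
                hits.append((n, ioc_type, value))
    return hits


# Constructed sample log lines (not real telemetry) in a simple EDR-like format.
SAMPLE_LOGS = [
    "2024-12-23T10:02:11Z dns query app.us4zoom.us A from 10.0.0.5",
    "2024-12-23T10:02:40Z download /Users/alice/Downloads/ZoomApp_v.3.14.dmg "
    "sha256=e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2",
    "2024-12-23T10:03:05Z exec /Volumes/ZoomApp/.ZoomApp pid=4821 parent=osascript",
    "2024-12-23T10:03:20Z netconn pid=4821 dst=141.98.9.20:80 bytes_out=5218304",
    "2024-12-23T10:05:00Z netconn pid=51 dst=141.98.9.200:443 bytes_out=1024",
    "2024-12-23T10:06:00Z dns query us04web.zoom.us A from 10.0.0.5",
]


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```

The sweep reports the phishing domain lookup, the installer download (by name and hash), the hidden binary's execution and the connection to the exfiltration server, while the legitimate zoom.us lookup and the near-miss IP on line 5 produce nothing.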
We used the on-chain tracking tool MistTrack to analyze the hacker's address provided by the victim: 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac. The hacker's address profited over $1 million, including USD0++, MORPHO, and ETH; USD0++ and MORPHO were exchanged for 296 ETH.
According to MistTrack, the hacker's address previously received small amounts of ETH from address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, presumably as a fee for the hacker's transaction. This address (0xb01c) received funds from only one address but sent small amounts of ETH to nearly 8,800 addresses, appearing to be a "fee-shifting platform."
Filtering out addresses marked as malicious among those the address (0xb01c) sent funds to revealed two phishing addresses, with one identified as Pink Drainer. Further analysis of these two phishing addresses showed that funds were mostly transferred to ChangeNOW and MEXC.
Next, an analysis of the stolen funds' outgoing transactions showed that a total of 296.45 ETH was transferred to a new address, 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.
The first transaction from the new address (0xdfe7) occurred in July 2023 and involved multiple blockchains. The current balance is 32.81 ETH.
The primary ETH outflow paths from the new address (0xdfe7) are as follows:
· 200.79 ETH -> 0x19e0…5c98f
· 63.03 ETH -> 0x41a2…9c0b
· 8.44 ETH -> Exchanged for 15,720 USDT
· 14.39 ETH -> Gate.io
The subsequent outflows from the extended addresses are linked to various platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and associated with multiple addresses marked by MistTrack as Angel Drainer and Theft. Additionally, there is currently 99.96 ETH held in address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.
The USDT transaction trace of the new address (0xdfe7) is also very active, being transferred to platforms such as Binance, MEXC, FixedFloat, etc.
In the phishing method described here, hackers disguise a malicious download as a normal Zoom meeting link to lure users into downloading and executing malware. The malware typically carries several harmful functions, such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and transmits the data to a server controlled by the hacker. This type of attack combines social engineering with Trojan-horse techniques, and users who are not careful fall victim easily. The SlowMist Security Team advises users to carefully verify meeting links before clicking them, avoid executing software or commands from unknown sources, install antivirus software, and keep it updated. For more security knowledge, we recommend reading the SlowMist Security Team's "Blockchain Dark Forest Self-Rescue Handbook": https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.