Background
Recently, several users on X reported a phishing attack disguised as a Zoom meeting link. One of the victims installed malware after clicking on the malicious Zoom meeting link, resulting in the theft of crypto assets and a loss of millions of dollars. In this context, the SlowMist security team analyzed this type of phishing incident and attack method, and tracked the flow of hackers' funds.
(https://x.com/lsp8940/status/1871350801270296709)
Phishing Link Analysis
Hackers use domain names such as "app[.]us4zoom[.]us" to pass their pages off as normal Zoom meeting links. The page closely mimics a real Zoom meeting page, but when the user clicks the "Start Meeting" button it triggers the download of a malicious installation package instead of launching the local Zoom client.
By probing the above domain name, we found the hacker’s monitoring log address (https[:]//app[.]us4zoom[.]us/error_log).
After decryption, we found that this was a log entry when the script tried to send a message through the Telegram API, and the language used was Russian.
The site had been deployed online 27 days earlier. The hacker may be Russian, appears to have started looking for targets on November 14, and then used the Telegram API to monitor whether any target clicked the download button on the phishing page.
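A defender can catch this class of lure before the download happens by checking whether a "meeting link" actually belongs to a Zoom-owned domain and whether it points at an installer. The following is an added example written for this article, not code from SlowMist or from the campaign; the allowlist of Zoom domains and the "last two labels" approximation of the registrable domain are assumptions (production code should use the Public Suffix List).

```python
import re

# Assumed allowlist of registrable domains that legitimately host Zoom meeting links.
ZOOM_ALLOWLIST = {"zoom.us", "zoom.com", "zoomgov.com"}

# File extensions a meeting link should never hand out directly.
DOWNLOAD_EXTS = (".dmg", ".pkg", ".zip", ".exe", ".msi")


def normalise(value: str):
    """Turn a possibly defanged indicator ("app[.]us4zoom[.]us", "hxxps://...")
    into a (lowercase host, path) pair."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^(hxxps?|https?)://", "", v)
    host, _, path = v.partition("/")
    return host.split(":")[0], "/" + path


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels form the registrable domain.
    # Real deployments should consult the Public Suffix List instead.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_suspicious_zoom_domain(value: str) -> bool:
    """True when the host trades on the Zoom brand but is not Zoom-owned,
    e.g. app.us4zoom.us (registrable domain us4zoom.us) from the article."""
    host, _ = normalise(value)
    if "zoom" not in host:
        return False  # not impersonating Zoom; other checks may still apply
    return registrable_domain(host) not in ZOOM_ALLOWLIST


def is_suspicious_meeting_link(value: str) -> bool:
    """Flag a link that either uses a lookalike domain or serves an installer
    (the lure in the article delivered ZoomApp_v.3.14.dmg from such a link)."""
    _, path = normalise(value)
    return is_suspicious_zoom_domain(value) or path.endswith(DOWNLOAD_EXTS)


def classify(values):
    """Batch helper: map each indicator to its verdict."""
    return {v: is_suspicious_meeting_link(v) for v in values}
```

Running `classify` over a list of URLs harvested from mail or proxy logs gives a quick triage list; the lookalike test is deliberately conservative and only fires when the brand name is present, so it complements rather than replaces a reputation feed.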
Malware Analysis
The malicious installation package file is named "ZoomApp_v.3.14.dmg". The following is the interface opened by the Zoom phishing software, which induces users to execute the ZoomApp.file malicious script in Terminal, and also induces users to enter the local password during the execution process.
The following is the execution content of the malicious file:
Decoding the above content shows that it is a malicious osascript script.
Further analysis found that the script looks for a hidden executable file named ".ZoomApp" and runs it locally. We performed disk analysis on the original installation package "ZoomApp_v.3.14.dmg" and found that the installation package did hide an executable file named ".ZoomApp".
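The hidden ".ZoomApp" binary is the kind of artifact a disk inspection should surface automatically: a dot-file inside a distribution volume that carries an execute bit. The following is an added example written for this article, not SlowMist's tooling; it builds a constructed stand-in for the mounted DMG in a temporary directory (the file names mirror the article, the contents are placeholders) and walks it for hidden executables.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_hidden_executables(root: str):
    """Return paths (relative to root) of dot-files that have an execute bit set.
    Directories are recursed into so a hidden helper inside a hidden folder is found too."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the volume
            if stat.S_ISREG(st.st_mode) and st.st_mode & EXEC_BITS:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_volume() -> str:
    """Constructed stand-in for the mounted 'ZoomApp_v.3.14.dmg' volume:
    a visible lure script, a hidden executable, a benign hidden metadata file
    and a hidden helper nested in a hidden directory. Contents are placeholders."""
    root = tempfile.mkdtemp(prefix="zoomapp_volume_")
    layout = {
        "ZoomApp.file": ("#!/bin/bash\necho placeholder lure\n", 0o755),
        ".ZoomApp": ("placeholder for the hidden binary\n", 0o755),
        ".DS_Store": ("", 0o644),
        ".Trashes/.helper": ("placeholder for a nested hidden helper\n", 0o755),
    }
    for rel, (content, mode) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for path in find_hidden_executables(build_sample_volume()):
        print("hidden executable:", path)
```

On a real case point `find_hidden_executables` at the mount point (for example the directory `hdiutil attach` reports) instead of the constructed volume; the visible `ZoomApp.file` is deliberately not reported because the interesting signal is an executable the Finder would never show.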
Malicious behavior analysis
Static analysis
We uploaded the binary file to the threat intelligence platform for analysis and found that the file had been marked as a malicious file.
(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)
Through static disassembly analysis, the following figure is the entry code of the binary file, which is used for data decryption and script execution.
The following figure is the data part, and it can be found that most of the information has been encrypted and encoded.
After decrypting the data, it was found that the binary file also executed the malicious osascript script (the complete decryption code has been shared at: https://pastebin.com/qRYQ44xa), which collects information on the user's device and sends it to the background.
The following figure is part of the code that enumerates the path information of different plug-in IDs.
The following figure is part of the code that reads the computer KeyChain information.
After the malicious code collects system information, browser data, encrypted wallet data, Telegram data, Notes data, and Cookie data, it compresses them and sends them to the server controlled by the hacker (141.98.9.20).
Because the malicious program induces users to enter their password when it runs, and the subsequent malicious scripts also collect the computer's KeyChain data (which may contain various passwords the user has saved), the hacker can try to decrypt the collected data, obtain sensitive information such as the user's wallet mnemonics and private keys, and steal the user's assets.
According to analysis, the IP address of the hacker server is located in the Netherlands and has been marked as malicious by the threat intelligence platform.
(https://www.virustotal.com/gui/ip-address/141.98.9.20)
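The indicators the article gives (the phishing domain, the installer name, its SHA-256 and the exfiltration server) are enough to sweep DNS, proxy, firewall and EDR logs for affected hosts. The following is an added example, not SlowMist's code; the log lines are constructed for the example and are not from the incident, and the log field names (`client=`, `src=`, `host=`) are assumptions about the log format.

```python
import re

# Indicators taken from the article.
IOCS = {
    "domain": {"app.us4zoom.us"},
    "ip": {"141.98.9.20"},
    "sha256": {"e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2"},
    "filename": {"zoomapp_v.3.14.dmg"},
}

# Constructed sample log lines (not from the incident) in an assumed key=value format.
SAMPLE_LOGS = [
    "2024-12-10T09:12:01Z dns client=10.0.0.5 query=app.us4zoom.us type=A",
    "2024-12-10T09:12:03Z proxy client=10.0.0.5 url=https://app.us4zoom.us/ZoomApp_v.3.14.dmg status=200",
    "2024-12-10T09:15:40Z edr host=mac-05 event=file_create path=/Users/a/Downloads/ZoomApp_v.3.14.dmg "
    "sha256=e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2",
    "2024-12-10T09:16:02Z fw src=10.0.0.5 dst=141.98.9.20 dport=80 action=allow bytes_out=2300000",
    "2024-12-10T09:16:10Z dns client=10.0.0.7 query=us04web.zoom.us type=A",
    "2024-12-10T09:17:00Z fw src=10.0.0.7 dst=141.98.9.200 dport=443 action=allow bytes_out=1200",
]

# Compile one anchored pattern per indicator so "141.98.9.20" does not match "141.98.9.200".
_PATTERNS = [
    (kind, value, re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"))
    for kind, values in IOCS.items()
    for value in values
]

_ASSET_FIELDS = re.compile(r"\b(?:client|src|host)=([\w.:-]+)")


def scan_line(line: str):
    """Return the (kind, value) indicators present in one log line."""
    low = line.lower()
    return [(kind, value) for kind, value, pat in _PATTERNS if pat.search(low)]


def scan_logs(lines):
    """Return (line_number, line, hits) for every line that contains an indicator."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


def affected_assets(lines):
    """Collect the client/src/host identifiers from matching lines for triage."""
    assets = set()
    for _number, line, _hits in scan_logs(lines):
        assets.update(_ASSET_FIELDS.findall(line))
    return assets


if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
    print("affected:", sorted(affected_assets(SAMPLE_LOGS)))
```

The anchored patterns matter: a plain substring test would also flag traffic to 141.98.9.200, which the article says nothing about, and false positives of that kind are what make analysts stop trusting a sweep.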
Dynamic Analysis
We executed the malicious program dynamically in a virtual environment and analyzed the process. The following figure shows the monitoring information of the malicious program collecting local data and sending it to the backend.
MistTrack Analysis
We used the on-chain tracking tool MistTrack to analyze the hacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim: the hacker address made a profit of more than 1 million US dollars, including USD0++, MORPHO and ETH; among them, USD0++ and MORPHO were exchanged for 296 ETH.
According to MistTrack, the hacker address received a small amount of ETH transferred from the address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which is suspected to be a fee for the hacker address. The source of income for this address (0xb01c) is only one address, but it transferred a small amount of ETH to nearly 8,800 addresses, which seems to be a "platform dedicated to providing fees."
Filtering the recipients of this address (0xb01c) for addresses marked as malicious links it to two phishing addresses, one of which is marked as Pink Drainer. Extended analysis of these two phishing addresses shows that their funds were essentially all transferred to ChangeNOW and MEXC.
Turning to the movement of the stolen funds: a total of 296.45 ETH was transferred to the new address 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.
The first transaction of the new address (0xdfe7) was in July 2023, involving multiple chains, and the current balance is 32.81 ETH.
The main ETH transfer paths of the new address (0xdfe7) are as follows:
200.79 ETH -> 0x19e0…5c98f
63.03 ETH -> 0x41a2…9c0b
8.44 ETH -> Exchanged for 15,720 USDT
14.39 ETH -> Gate.io
The subsequent transfers of the above extended addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, MEXC, and are related to multiple addresses marked as Angel Drainer and Theft by MistTrack. In addition, there are currently 99.96 ETH staying at the address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.
The new address (0xdfe7) also has a lot of USDT transaction traces, which have been transferred to Binance, MEXC, FixedFloat and other platforms.
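The tracing above follows outflows hop by hop from the seed address and stops expanding once a counterparty is a labelled service (an exchange or a swap), which is where a freeze request or subpoena becomes possible. The following is an added example that sketches that procedure in code; it is not MistTrack and not SlowMist's code. The edge list is constructed from the ETH flows the article describes (addresses the article only shows truncated are kept truncated as given), and the service labels are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed edge list (sender, recipient, ETH) transcribed from the flows in the article.
EDGES = [
    ("0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac", "0xdfe7c22a382600dcffdde2c51aaa73d788ebae95", 296.45),
    ("0xdfe7c22a382600dcffdde2c51aaa73d788ebae95", "0x19e0…5c98f", 200.79),
    ("0xdfe7c22a382600dcffdde2c51aaa73d788ebae95", "0x41a2…9c0b", 63.03),
    ("0xdfe7c22a382600dcffdde2c51aaa73d788ebae95", "swap:ETH->USDT", 8.44),
    ("0xdfe7c22a382600dcffdde2c51aaa73d788ebae95", "Gate.io", 14.39),
]

# Assumed entity labels; in practice these come from an attribution database.
LABELS = {"Gate.io": "exchange", "swap:ETH->USDT": "dex swap"}

SEED = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"


def trace_outflows(edges, seed, labels, max_hops=3):
    """Breadth-first walk over outgoing transfers from `seed`.

    Expansion stops at labelled services, at addresses with no outflows in the
    edge set, and at max_hops; those stopping points are reported as sinks.
    Returns hop distance, ETH received per address, and the sink labels."""
    outflows = defaultdict(list)
    for src, dst, amount in edges:
        outflows[src].append((dst, amount))

    hops = {seed: 0}
    received = defaultdict(float)
    sinks = {}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        is_sink = node in labels or not outflows.get(node) or hops[node] >= max_hops
        if node != seed and is_sink:
            sinks[node] = labels.get(node, "unlabelled")
            continue
        for dst, amount in outflows.get(node, []):
            received[dst] += amount
            if dst not in hops:  # first time seen: record distance and enqueue
                hops[dst] = hops[node] + 1
                queue.append(dst)

    return {
        "hops": hops,
        "received": {addr: round(total, 2) for addr, total in received.items()},
        "sinks": sinks,
    }


def sink_totals(result):
    """ETH that reached each sink, the figures a freeze request would cite."""
    return {addr: result["received"][addr] for addr in result["sinks"]}


if __name__ == "__main__":
    result = trace_outflows(EDGES, SEED, LABELS)
    for addr, total in sink_totals(result).items():
        print(f"{total:>8.2f} ETH -> {addr} ({result['sinks'][addr]})")
```

The unlabelled sinks are the next places to pull transaction history for; the labelled ones are where the trail can be turned into an off-chain action, which matches how the article's own analysis proceeds from 0xdfe7 to Gate.io and the two extended addresses.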
Summary
The phishing method shared this time is that hackers disguise themselves behind normal-looking Zoom meeting links to induce users to download and execute malware. Such malware usually has multiple harmful functions, such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and transmits the data to servers controlled by the hackers. This type of attack usually combines social engineering with Trojan techniques, and users who are not careful will fall for it. The SlowMist Security Team recommends that users carefully verify a meeting link before clicking it, avoid executing software and commands from unknown sources, and install antivirus software and update it regularly. For more security knowledge, we recommend reading the "Blockchain Dark Forest Self-Guard Handbook" produced by the SlowMist Security Team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.