FAQ: How to Protect Your Funds from Phishing Attacks in Fake Zoom Meetings

2025-09-08 14:23

Original Title: "Seeing Is Not Believing | Phishing Analysis of Fake Zoom Meetings"
Original Source: SlowMist Technology


Editor's Note: Recently, phishing events using fake Zoom meeting links have frequently appeared in the crypto market. First, Kuan Sun, the founder of EurekaTrading, was deceived by a fake meeting invitation and suffered a phishing attack worth $13 million after installing a malicious plugin. Fortunately, the Venus protocol urgently suspended operations and, with the assistance of multiple security teams, successfully recovered the funds.


On September 8, Alexander Choi, the founder of the crypto trading community Fortune Collective, also disclosed on X platform that he had established contact with a fake project through private messages and mistakenly clicked on a phishing link disguised as a meeting, causing a loss of nearly $1 million.


Why do fake Zoom meeting phishing attacks keep succeeding? How can investors avoid them? We republish below the analysis that the well-known security company SlowMist released on December 27, 2024, as a reminder to everyone to protect their funds. The original text is as follows:


Background


Recently, multiple users on X reported a phishing technique that uses links disguised as Zoom meeting invitations. One victim installed malware after clicking a malicious Zoom meeting link, and crypto assets worth millions of dollars were stolen. Against this background, the SlowMist Security Team analyzed these phishing incidents and the attack methods involved, and traced the flow of the hackers' funds.


(https://x.com/lsp8940/status/1871350801270296709)


Phishing Link Analysis


Hackers use domains such as "app[.]us4zoom[.]us" to impersonate legitimate Zoom meeting links. The page closely mimics a real Zoom meeting page. When the user clicks the "Start Meeting" button, instead of launching the local Zoom client, the page triggers the download of a malicious installation package.
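A defensive check for this kind of lookalike link, added here as an example and not part of the original SlowMist analysis: it refangs an indicator such as "app[.]us4zoom[.]us" and then classifies the host by exact registrable-domain match against zoom.us (the only legitimate domain assumed here), so that the substring "zoom" in a different domain is flagged as a lookalike rather than accepted.

```python
import re
from urllib.parse import urlsplit

# Assumption: a genuine Zoom meeting link lives on zoom.us or one of its
# subdomains (us04web.zoom.us, app.zoom.us, ...). Add vanity domains your
# organisation actually uses; never add entries based on a "zoom" substring.
LEGIT_ZOOM_DOMAINS = ("zoom.us",)


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'https[:]//app[.]us4zoom[.]us' or
    'hxxps://...' back into a parsable URL or hostname."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def host_of(url: str) -> str:
    """Extract the lowercase hostname; bare hosts without a scheme are accepted."""
    s = refang(url)
    if "://" not in s:
        s = "https://" + s
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")


def is_legit_zoom_host(host: str) -> bool:
    """Exact match on the registrable domain or a subdomain of it.
    A naive `'zoom' in host` test would accept 'app.us4zoom.us'."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_ZOOM_DOMAINS)


def classify_meeting_link(url: str) -> str:
    """Return 'zoom', 'lookalike', 'other' or 'invalid' for a meeting link."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_legit_zoom_host(host):
        return "zoom"
    # The brand name appears in a host that is not under zoom.us: treat as
    # a lookalike and block or escalate rather than open it.
    if "zoom" in host:
        return "lookalike"
    return "other"
```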



By probing the domain above, we discovered the hacker's monitoring log endpoint (https[:]//app[.]us4zoom[.]us/error_log).



Decrypting the log revealed that it was an entry written by a script attempting to send a Russian-language message via the Telegram API.



The site had been deployed 27 days earlier. The hacker may be Russian and has been targeting victims since November 14, using the Telegram API to be notified whenever a target clicks the download button on the phishing page.



Malware Analysis


The malicious installation package is named "ZoomApp_v.3.14.dmg". Below is the interface shown by this fake Zoom application: it induces the user to execute the malicious script "ZoomApp.file" in Terminal, and during execution it also prompts the user to enter the machine password.



The following is the content executed by the malicious file:



After decoding the above content, we found it to be a malicious osascript script.



Further analysis revealed that the script searches for a hidden executable named ".ZoomApp" and runs it locally. We performed a disk analysis of the original installation package "ZoomApp_v.3.14.dmg" and confirmed that the image indeed contains a hidden executable named ".ZoomApp".
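A triage helper for the layout just described (a visible lure script beside a hidden executable), added here as an example and not part of the original analysis: it walks a mounted installer volume and lists dot-prefixed regular files that carry an execute bit. The sample volume it builds is constructed to mirror the described DMG and is not the real image; the directory name and file contents are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_hidden_executables(root: str) -> list[str]:
    """Return paths (relative to root) of dot-prefixed regular files with any
    execute bit set, such as a '.ZoomApp' binary hidden next to the visible
    'ZoomApp.file' lure script. Symlinks are reported via lstat, not followed."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.startswith("."):
                continue
            p = Path(dirpath, name)
            try:
                st = p.lstat()
            except OSError:
                continue  # unreadable entry: skip rather than abort triage
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                found.append(os.path.relpath(p, root))
    return sorted(found)


def build_sample_volume(base: str) -> str:
    """Construct a directory shaped like the phishing DMG described above
    (constructed sample, not the real image): a visible shell script, a hidden
    executable with a Mach-O 64-bit magic header, and a hidden non-executable."""
    vol = Path(base) / "ZoomApp"
    vol.mkdir(parents=True, exist_ok=True)
    (vol / "ZoomApp.file").write_text("#!/bin/bash\n# lure script (constructed)\n")
    hidden = vol / ".ZoomApp"
    hidden.write_bytes(b"\xcf\xfa\xed\xfe")  # MH_MAGIC_64 as stored on disk
    hidden.chmod(0o755)
    (vol / ".DS_Store").write_bytes(b"\x00" * 8)  # hidden but not executable
    return str(vol)


def demo() -> list[str]:
    """Build the sample volume in a temporary directory and scan it."""
    vol = build_sample_volume(tempfile.mkdtemp(prefix="zoomapp_"))
    return find_hidden_executables(vol)


if __name__ == "__main__":
    for path in demo():
        print("hidden executable:", path)
```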



Malicious Behavior Analysis


Static Analysis


We uploaded the binary to a threat intelligence platform for analysis and found that the file had already been flagged as malicious.


(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)


Static disassembly shows the following entry code of the binary, which handles data decryption and script execution.



The following is the data section, in which most of the information is encrypted and encoded.



After decrypting the data, we found that the binary file ultimately executes the same malicious osascript script (the complete decrypted code has been shared at: https://pastebin.com/qRYQ44xa). This script collects information from the user's device and sends it to the backend.


The following is the part of the code that enumerates path information for the IDs of different plugins.



The following is the part of the code that reads the computer's KeyChain data.



After collecting system information, browser data, cryptocurrency wallet data, Telegram data, Notes data, and cookie data, the malicious code compresses them and sends them to the hacker-controlled server (141.98.9.20).



Because the malicious program induces the user to enter the password while running, and the subsequent malicious script also collects the computer's KeyChain data (which may contain various passwords saved on the machine), the hacker can collect this data and attempt to decrypt it to obtain the user's wallet mnemonic phrases, private keys, and other sensitive information, and then steal the user's assets.


According to the analysis, the IP address of the hacker's server is located in the Netherlands and has been marked as malicious by the threat intelligence platform.


(https://www.virustotal.com/gui/ip-address/141.98.9.20)

Dynamic Analysis


We executed the malicious program dynamically in a virtual environment and monitored its processes; the following process-monitoring output shows the malicious program collecting local data and sending it to the backend.




MistTrack Analysis


We used the blockchain tracking tool MistTrack to analyze the hacker address provided by the victim, 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac: the address has gained over $1 million, including USD0++, MORPHO, and ETH; the USD0++ and MORPHO were swapped for 296 ETH.



According to MistTrack, the hacker address once received small ETH transfers from the address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which appears to be a platform that supplies transaction fees to the hacker address. This address (0xb01c) has only a single funding source, yet it has sent small amounts of ETH to nearly 8,800 addresses, apparently acting as a "platform specifically providing transaction fees."



Filtering the recipients of this address (0xb01c) for those marked as malicious, we linked it to two phishing addresses, one of which is labeled Pink Drainer. Further analysis of these two phishing addresses shows that their funds were mainly transferred to ChangeNOW and MEXC.



Next, we analyzed the movement of the stolen funds: a total of 296.45 ETH was transferred to a new address, 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.



The new address (0xdfe7) made its first transaction in July 2023, has activity on multiple chains, and currently holds 32.81 ETH.



The main ETH transfer paths of the new address (0xdfe7) are as follows:


· 200.79 ETH -> 0x19e0…5c98f

· 63.03 ETH -> 0x41a2…9c0b

· 8.44 ETH -> converted to 15,720 USDT

· 14.39 ETH -> Gate.io



The onward transfers from these extended addresses involve multiple platforms, including Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC, and are linked to multiple addresses labeled by MistTrack as Angel Drainer and Theft. In addition, 99.96 ETH currently remains in the address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.



The new address (0xdfe7) also has numerous USDT transactions, with funds transferred to platforms such as Binance, MEXC, and FixedFloat.



Conclusion


In the phishing method described in this article, hackers impersonate legitimate Zoom meeting links to induce users to download and execute malware. Such malware typically has multiple harmful functions, such as collecting system information, stealing browser data, and obtaining cryptocurrency wallet information, and transmits the data to a hacker-controlled server. These attacks usually combine social engineering with malware techniques, and a careless user can easily fall victim. The SlowMist Security Team recommends that users carefully verify meeting links before clicking, avoid executing software and commands from unknown sources, and install antivirus software and keep it updated. For more security knowledge, we recommend reading the "Blockchain Dark Forest Self-Rescue Manual" produced by the SlowMist Security Team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.

