Seeing is not believing | Fake Zoom meeting phishing analysis
Editor
2024-12-26 20:02


Background

Recently, a number of users on X reported a phishing attack disguised as a Zoom meeting link. One victim installed malware after clicking the malicious meeting link, and the resulting theft of crypto assets cost them millions of US dollars. Against this background, the SlowMist security team analyzed this class of phishing incident and its attack chain, and traced the hacker's flow of funds.

(https://x.com/lsp8940/status/1871350801270296709)

Phishing link analysis

The hackers use domain names of the form "app[.]us4zoom[.]us" to impersonate a normal Zoom meeting link, and the page closely mimics the real Zoom meeting page. When the user clicks the "Start Meeting" button, the page does not launch the local Zoom client; instead it triggers the download of a malicious installer package.

Probing the domain, we found the hacker's monitoring log endpoint (https[:]//app[.]us4zoom[.]us/error_log).

Decoding it showed a log entry written when the script attempts to send a message through the Telegram API; the text is in Russian.

The site had been deployed and brought online 27 days before our analysis. The hacker is likely Russian-speaking, began looking for targets to deliver the Trojan to on November 14, and then used the Telegram API to monitor whether any target clicked the download button on the phishing page.
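The lookalike in this campaign works because the brand name sits inside the attacker's own registrable domain: "app.us4zoom.us" reads like "app.zoom.us", but the registrable domain is "us4zoom.us". The following Python check is an added example (not part of the SlowMist analysis) that makes that distinction explicit and also handles the defanged notation used in this article. The trusted-domain list and the two-label approximation of the registrable domain are assumptions for illustration.

```python
"""Lookalike check for meeting links. Added example, not part of the SlowMist write-up."""
from urllib.parse import urlsplit

# Assumption: the registrable domains a Zoom meeting link may legitimately use.
TRUSTED_DOMAINS = {"zoom.us", "zoom.com"}


def refang(indicator: str) -> str:
    """Undo the defanging used in threat reports ("[.]", "[:]", "hxxp")."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. app.us4zoom.us -> us4zoom.us.
    Simplification: ignores multi-label public suffixes such as co.uk;
    use the Public Suffix List in production code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a meeting link."""
    url = refang(url.strip())
    if "://" not in url:            # bare host pasted from a chat message
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # The brand name anywhere in the host (us4zoom.us, zoom.us.evil.example)
    # while the registrable domain is not trusted is the lookalike pattern.
    if "zoom" in host:
        return "lookalike"
    return "unrelated"
```

The point of `registrable_domain` is that a substring match on "zoom" is never enough: both "app.us4zoom.us" and "zoom.us.evil.example" contain the brand, and only the trusted-domain comparison tells them apart from "app.zoom.us".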

Malware analysis

The malicious installer package is named "ZoomApp_v.3.14.dmg". The figure below shows the interface presented by the fake Zoom installer, which instructs the user to execute the ZoomApp.file malware in Terminal. The script is malicious and, during execution, prompts the user to enter their local login password.

The following is the content executed by the malicious file:

Decoding this content shows that it is a malicious osascript script.

Further analysis shows that the script looks for a hidden executable named ".ZoomApp" and runs it locally. Disk analysis of the original installer "ZoomApp_v.3.14.dmg" confirmed that the package does contain a hidden executable named ".ZoomApp".

Malicious behavior analysis

Static analysis

We uploaded the binary to a threat intelligence platform; it had already been flagged as malicious.

(https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2)

Static disassembly shows the binary's entry code (figure below), which is responsible for decrypting data and executing a script.

The figure below shows the data section; most of the information is encrypted and encoded.

After decrypting the data, we found that the binary ultimately also executes a malicious osascript script (the fully decrypted code has been shared at https://pastebin.com/qRYQ44xa). This script collects information from the user's device and sends it to the backend.

The figure below shows part of the code that enumerates the extension-ID paths of various browser plug-ins (wallet extensions).

The figure below shows part of the code that reads the computer's Keychain data.

The malicious code collects system information, browser data, crypto wallet data, Telegram data, Notes data, cookies and other information, compresses it, and sends it to a server controlled by the hacker (141.98.9.20).

Because the program prompts the user for their password at runtime, and the subsequent script also harvests the Keychain data on the machine (which may include the various passwords the user has saved), the hacker can then attempt to decrypt the collected data offline to recover the user's wallet mnemonic phrases, private keys and other secrets, and use them to steal the user's assets.

The hacker's server IP is located in the Netherlands and has been flagged as malicious by the threat intelligence platform.

(https://www.virustotal.com/gui/ip-address/141.98.9.20)

Dynamic analysis

We executed the malicious program dynamically in a virtual environment and analyzed its behavior. The figure below shows process-monitoring output as the program collects local data and sends it to the backend.
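The behaviors established in the static and dynamic analysis above translate directly into endpoint detection logic. The Python triage routine below is an added example (not SlowMist tooling) that runs over constructed macOS process, file and network telemetry and flags the chain described in this article: contact with the phishing domain, the downloaded installer name, the flagged binary hash, a Terminal-spawned shell decoding and running an embedded payload, an osascript password prompt, a dot-file executable run from a mounted disk image, and traffic to 141.98.9.20. The domain, IP, file names and hash come from the article; the event schema, the volume name "ZoomApp", the base64 decoding step and the AppleScript "display dialog ... with hidden answer" prompt are assumptions about how such a chain typically looks, not facts established above.

```python
"""Triage of macOS endpoint telemetry for the fake-Zoom stealer chain.
Added example, not SlowMist tooling."""
import re
from dataclasses import dataclass

# Indicators taken from the analysis above.
PHISHING_DOMAIN = "app.us4zoom.us"
C2_IP = "141.98.9.20"
DMG_NAME = "ZoomApp_v.3.14.dmg"
SAMPLE_SHA256 = "e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2"

# Assumptions: the installer mounting as /Volumes/ZoomApp, a base64-encoded
# payload piped to a shell, and an AppleScript 'with hidden answer' prompt.
HIDDEN_FROM_DMG = re.compile(r"^/Volumes/[^/]+/\.[^/]+$")
PASSWORD_PROMPT = re.compile(r"display dialog.*hidden answer", re.I)
DECODE_AND_RUN = re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba)?sh\b")


@dataclass
class Event:
    kind: str            # "process", "network" or "file" (assumed schema)
    parent: str = ""     # parent process image (process events)
    image: str = ""      # executable or file path
    cmdline: str = ""    # full command line (process events)
    dst: str = ""        # host:port (network events)
    sha256: str = ""     # hash of a written/executed file (file events)


def triage(events):
    """Return (rule_name, event_index) pairs for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev.kind == "process":
            if HIDDEN_FROM_DMG.match(ev.image):
                hits.append(("hidden_executable_from_dmg", i))
            if ev.image.endswith("/osascript") and PASSWORD_PROMPT.search(ev.cmdline):
                hits.append(("osascript_password_prompt", i))
            if ev.parent.endswith("/Terminal") and DECODE_AND_RUN.search(ev.cmdline):
                hits.append(("terminal_decode_and_exec", i))
        elif ev.kind == "network":
            host = ev.dst.rsplit(":", 1)[0]        # strip port; hostnames/IPv4 only
            if host == PHISHING_DOMAIN:
                hits.append(("phishing_domain_contact", i))
            if host == C2_IP:
                hits.append(("known_c2_ip", i))
        elif ev.kind == "file":
            if ev.image.endswith("/" + DMG_NAME):
                hits.append(("known_dmg_name", i))
            if ev.sha256.lower() == SAMPLE_SHA256:
                hits.append(("known_sample_hash", i))
    return hits


# Constructed telemetry modelled on the infection chain; not real victim data.
SAMPLE_EVENTS = [
    Event("network", image="/Applications/Safari.app/Contents/MacOS/Safari",
          dst="app.us4zoom.us:443"),
    Event("file", image="/Users/victim/Downloads/ZoomApp_v.3.14.dmg"),
    Event("file", image="/Volumes/ZoomApp/.ZoomApp", sha256=SAMPLE_SHA256),
    Event("process", parent="/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
          image="/bin/bash", cmdline="bash -c 'echo <payload> | base64 -d | bash'"),
    Event("process", parent="/bin/bash", image="/usr/bin/osascript",
          cmdline='osascript -e \'display dialog "Zoom requires your password" '
                  'default answer "" with hidden answer\''),
    Event("process", parent="/bin/bash", image="/Volumes/ZoomApp/.ZoomApp",
          cmdline="/Volumes/ZoomApp/.ZoomApp"),
    Event("network", image="/Volumes/ZoomApp/.ZoomApp", dst="141.98.9.20:80"),
    Event("process", parent="/sbin/launchd", image="/usr/bin/osascript",
          cmdline="osascript /Users/victim/Library/Scripts/backup.scpt"),  # benign
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} <- event {idx}: {SAMPLE_EVENTS[idx].image}")
```

The hash and IP rules are brittle by design (the attacker can rotate both), so the behavioral rules carry the weight: a dot-file executed from /Volumes, osascript asking for a hidden-answer password, and Terminal decoding and piping a payload into a shell are rare in legitimate use and survive re-packaging of the sample.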

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze the hacker address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac provided by the victim. The address profited more than US$1 million, in USD0++, MORPHO and ETH; the USD0++ and MORPHO were swapped for 296 ETH.

According to MistTrack, the hacker address received a small ETH transfer from address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, apparently to fund gas fees. That address (0xb01c) has a single source of income but has sent small amounts of ETH to nearly 8,800 addresses, which suggests a service specializing in supplying gas fees.

Filtering the recipients of 0xb01c for addresses flagged as malicious turns up two phishing addresses, one of them labeled Pink Drainer. Tracing those two phishing addresses shows that their funds were essentially all moved to ChangeNOW and MEXC.

Turning to the stolen funds themselves, a total of 296.45 ETH was transferred to a new address, 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The first transaction of the new address (0xdfe7) dates to July 2023; it is active on multiple chains, and its current balance is 32.81 ETH.

The main ETH transfer paths from the new address (0xdfe7) are as follows:

200.79 ETH -> 0x19e0…5c98f

63.03 ETH -> 0x41a2…9c0b

8.44 ETH -> converted to 15,720 USDT

14.39 ETH -> Gate.io

These downstream addresses subsequently transferred funds to platforms including Bybit, Cryptomus.com, Swapspace, Gate.io and MEXC, and are linked to several addresses labeled Angel Drainer and Theft by MistTrack. In addition, 99.96 ETH currently remains at address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

The new address (0xdfe7) also shows many USDT transactions, with funds moved out to Binance, MEXC, FixedFloat and other platforms.

Summary

In the phishing method described here, hackers disguise a malicious download as a normal Zoom meeting link and trick users into downloading and executing malware. Such malware typically combines several harmful functions: collecting system information, stealing browser data, harvesting cryptocurrency wallet data, and transmitting everything to hacker-controlled servers. Attacks of this type combine social engineering with Trojan techniques, and a moment's carelessness is enough to fall victim. The SlowMist security team recommends that users verify meeting links carefully before clicking, avoid executing software and commands from unknown sources, and install anti-virus software and keep it updated. For more security guidance, we recommend the "Blockchain Dark Forest Selfguard Handbook" produced by the SlowMist security team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md

Keywords: Bitcoin