An advanced phishing campaign impersonating Zoom meeting invitations has culminated in the theft of millions in cryptocurrency, highlighting the growing risks of cyberattacks targeting unified communications (UC) platforms.
As first highlighted by blockchain security firm SlowMist, the phishing campaign mimicked legitimate Zoom meeting invitations, redirecting users to a counterfeit domain, “app[.]us4zoom[.]us,” which closely imitated Zoom’s official interface.
Unlike genuine invitations that launch the Zoom client, this fraudulent site prompted users to download a malicious file disguised as “ZoomApp_v.3.14.dmg”. This fake installation package served as the attack vector, enabling cybercriminals to infiltrate systems and steal cryptocurrency.
By leveraging users’ trust in widely used comms platforms, attackers have successfully deployed malware that infiltrates systems, compromising security and stealing sensitive data, including cryptocurrency wallets. This method seeks to capitalise on the familiarity and legitimacy of major platforms like Zoom to deceive users into unknowingly downloading malicious software.
More Specifics On The Hack Itself
SlowMist uncovered evidence of Russian-language scripts tracking downloads through the Telegram API, suggesting that the attackers were using this channel to monitor and manage the distribution of the malicious software. The site was deployed 27 days ago, and the Russian-language scripts indicate that the hackers are likely Russian. Since November 14, they have been targeting victims, utilising the Telegram API to monitor whether anyone clicked the download button on the phishing page.
Upon execution, the fake Zoom application deceived users into entering their system passwords, granting the malware elevated access to the device. The software then triggered a script named “ZoomApp.file” to run additional hidden code, ultimately activating a covert executable file labelled “.ZoomApp”.
This multi-layered process enabled the attackers to silently embed themselves deeper into the system, bypassing traditional security measures and allowing for further malicious actions such as data theft or the installation of persistent threats.
This program then collected sensitive data encompassing browser information, system data, cookies and KeyChain passwords, Telegram and Notes data, and cryptocurrency wallet keys.
The stolen data was sent to a hacker-controlled server at IP 141.98.9.20, flagged as malicious by threat platforms. Using MistTrack, SlowMist traced the hacker’s address, 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac, which accumulated over $1 million in stolen funds, including ETH, USD0++, and MORPHO. These were swapped for 296 ETH, some of which were laundered via Binance, Gate.io, and Swapspace.
SlowMist also identified a supporting address, 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, suspected of facilitating fee transfers to nearly 8,800 addresses, linking the phishing operation to broader malicious networks like “Pink Drainer” and “Angel Drainer”.
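The indicators reported above (the counterfeit domain, the disguised installer and its dropped files, the exfiltration IP and the two wallet addresses) are the kind of thing a defender would sweep DNS, proxy, EDR and firewall logs for. The following is an added example written for this page, not code from UC Today or SlowMist: it refangs the indicators as printed in the article and matches them against a handful of constructed log lines (the log formats, hostnames and timestamps are invented for illustration). The boundary checks are there so that, for instance, the exfiltration IP does not also fire on a longer address that merely starts with the same digits.

```python
import re
from dataclasses import dataclass

# Indicators as reported in the article above. The domain is kept defanged
# exactly as printed and refanged when the patterns are built.
IOCS = {
    "domain": ["app[.]us4zoom[.]us"],
    "ip": ["141.98.9.20"],
    "filename": ["ZoomApp_v.3.14.dmg", "ZoomApp.file", ".ZoomApp"],
    "eth_address": [
        "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac",
        "0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e",
    ],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('app[.]example') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    value: str


def build_patterns():
    """Compile one anchored regex per indicator.

    Domains allow a preceding dot so sub-domains still match; everything
    else requires a clean boundary on both sides, so 141.98.9.20 does not
    fire on 141.98.9.200 and '.ZoomApp' does not fire inside other names.
    """
    patterns = []
    for kind, values in IOCS.items():
        lookbehind = r"(?<![\w-])" if kind == "domain" else r"(?<![\w.-])"
        for raw in values:
            live = refang(raw)
            pat = re.compile(lookbehind + re.escape(live) + r"(?![\w-])", re.IGNORECASE)
            patterns.append((kind, live, pat))
    return patterns


PATTERNS = build_patterns()


def scan_log_lines(lines):
    """Return a Hit for every indicator found on every line, in line order."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for kind, value, pat in PATTERNS:
            if pat.search(line):
                hits.append(Hit(line_no, kind, value))
    return hits


def count_by_kind(hits):
    """Summarise hits per indicator type, useful for a quick triage view."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample log lines (formats, hosts and times are invented).
SAMPLE_LOGS = [
    "2024-12-11T09:14:02Z dns client=10.0.0.23 query=app.us4zoom.us type=A",
    "2024-12-11T09:14:30Z proxy client=10.0.0.23 GET https://app.us4zoom.us/ZoomApp_v.3.14.dmg status=200",
    "2024-12-11T09:16:05Z edr host=mbp-23 exec path=/Users/alice/.ZoomApp parent=/bin/bash script=/tmp/ZoomApp.file",
    "2024-12-11T09:16:40Z fw host=mbp-23 conn dst=141.98.9.20:443 proto=tcp bytes_out=48211",
    # Benign: a different address that shares a prefix with the exfiltration IP.
    "2024-12-11T09:17:00Z fw host=mbp-23 conn dst=141.98.9.200:443 proto=tcp bytes_out=512",
    # Benign: the legitimate Zoom domain.
    "2024-12-11T09:18:00Z dns client=10.0.0.23 query=zoom.us type=A",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.value}")
    print(count_by_kind(scan_log_lines(SAMPLE_LOGS)))
```

Run against the constructed lines, the scan flags the DNS lookup and download of the counterfeit domain, the dropped `ZoomApp.file` and `.ZoomApp` artefacts, and the connection to the exfiltration server, while the two benign lines stay silent. In a real environment the same function would be pointed at exported log files rather than the inline sample.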
How Did Zoom End 2024?
Last month, the company announced Zoom Workplace for Education, a new UCaaS solution to enhance collaboration in schools and universities.
Zoom Workplace for Education is pitched as a secure, all-in-one platform designed specifically for educational institutions. It integrates voice, video, chat, phone, live meetings, webinars, recording, transcription, translation services, and AV room integration, among other features.
Zoom highlights that this comprehensive solution is built to simplify collaboration and enhance learning experiences, offering educators and students a unified toolkit for seamless communication and meaningful engagement.
Also, in December, Zoom launched its new video SDK resale service.
The Zoom Video SDK is a fully programmable toolkit that enables customers to directly integrate Zoom’s core functionalities—video, audio, screen sharing, and chat—into their own applications. Designed for flexibility, the SDK delivers high-quality, real-time communication capabilities across industries such as healthcare, education, and more.
Zoom emphasises its potential to enhance user experiences by embedding reliable communication tools into tailored workflows and custom products.
from UC Today https://ift.tt/gu8xl6q