- Attackers use fake Zoom domain to distribute malware
- Malicious software steals crypto wallet credentials
- On-chain analysis traces stolen funds through multiple exchanges
A sophisticated phishing operation targeting cryptocurrency holders has emerged, using convincingly crafted Zoom meeting invitations as its vector of attack. The campaign, uncovered by SlowMist’s security team, demonstrates how hackers are leveraging the widespread use of video conferencing platforms to distribute malware capable of stealing substantial crypto assets.
The Russian Connection With Zoom Meeting Scam
Analysis of the attack infrastructure reveals troubling sophistication in both planning and execution. The hackers, believed to be of Russian origin based on language patterns found in their monitoring logs, have been actively targeting victims since November 14. Their carefully constructed domain “app[.]us4zoom[.]us” serves as a convincing facade for distributing malicious software disguised as a Zoom client installer.
Beware of phishing attacks disguised as Zoom meeting links!
Hackers collect user data and decrypt it to steal sensitive info like mnemonic phrases and private keys. These attacks often combine social engineering and trojan techniques. Read our full analysis
… pic.twitter.com/kDExVZNUbv
— SlowMist (@SlowMist_Team) December 27, 2024
The malware’s capabilities are extensive and methodical. Upon execution, it collects a wide range of sensitive data, including system information, browser data, cryptocurrency wallet credentials, and Telegram communications. This information is then transmitted to a command-and-control server located in the Netherlands. The attackers’ sophistication is further evidenced by their use of encrypted scripts and complex data exfiltration methods.
The financial impact has been substantial, with on-chain analysis revealing over $1 million in stolen assets. Using MistTrack, investigators traced the flow of funds through multiple addresses and exchanges, including conversions to ETH and subsequent transfers through platforms like ChangeNOW, MEXC, and Gate.io.
This incident serves as a stark reminder of the evolving sophistication of crypto-targeting malware and the importance of verifying software sources, even when they appear to come from trusted platforms. The ability of attackers to leverage familiar business tools like Zoom highlights the ongoing need for vigilance in the cryptocurrency space.
