Russian hackers use Zoom link to steal crypto in new phishing scheme


Russian hackers are stealing crypto assets from unsuspecting crypto users with a new phishing scheme that uses fake Zoom links.


Blockchain security firm SlowMist reported the new scheme on 27 December, saying that the hackers use sophisticated techniques to steal private keys, wallet data, and other sensitive information they can use to steal crypto assets.

How it works

The scammers use a fake Zoom link that resembles an authentic one. However, clicking the launch button does not open the Zoom application; instead, it starts downloading a malicious installation package called “ZoomApp_v.3.14.dmg”.

The package then runs a script called “ZoomApp.file” that asks users to enter their system password, which then results in the theft of assets.


One of the victims, an X user, reported the loss of assets worth millions of dollars, which drew the attention of SlowMist, and the firm ran an analysis.

Based on their findings, the hackers trick users into executing the malicious installation package named ZoomApp_v.3.14.dmg. The package also prompts them to enter their system password and runs the execution content below.

Screenshot of malicious software script. Source: SlowMist.

After a static analysis, SlowMist found that the malicious package contains a binary file that ultimately executes a malicious ‘osascript’, which collects the user’s information and sends it to the backend using the code in the image below.

Screenshot of malicious software script. Source: SlowMist.

The firm also found that the website was deployed only 27 days ago, and the hackers are likely Russian since the website attempts to send messages via the Telegram API in Russian. 

Call for caution

The crypto industry has a bad reputation, partly because of the rampant scams that characterize the space.

Such scams are also more common during crypto bull markets because the scammers know that several crypto newbies enter the space at the time and may not recognize scams when they see them.

Phishing scams are among the most common of these scams, and the way to avoid them is to not click on any link until it is verified to be genuine.
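One way to do part of that verification mechanically, as an added example that is not from SlowMist's report or this article: the Python function below checks the host of a link that claims to be a Zoom invitation. It assumes Zoom's official domains are zoom.us and zoom.com; the function name and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: Zoom's official domains are zoom.us and zoom.com (not stated in the article).
OFFICIAL_DOMAINS = ("zoom.us", "zoom.com")


def classify_zoom_link(url: str) -> str:
    """Classify a link that claims to be a Zoom invitation.

    Returns "official", "suspicious" or "unrelated". "official" only means the
    host belongs to Zoom; it says nothing about what the page serves.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspicious"  # unparsable links are never treated as verified

    on_official_domain = any(
        host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS
    )
    # "https://zoom.us@other.example/" puts the real host after the "@".
    has_userinfo = "@" in parts.netloc
    if parts.scheme == "https" and on_official_domain and not has_userinfo:
        return "official"

    # Anything else that displays "zoom" (subdomain trick, userinfo trick,
    # plain http) or hides its name behind punycode needs a human look.
    mentions_zoom = "zoom" in parts.netloc.lower()
    has_punycode = any(label.startswith("xn--") for label in host.split("."))
    if mentions_zoom or has_punycode:
        return "suspicious"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the .example hosts are placeholders.
    for link in (
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.join-meeting.example/j/1234567890",
        "https://zoom.us@meet.example/j/1234567890",
        "http://zoom.us/j/1234567890",
        "https://example.org/docs",
    ):
        print(f"{classify_zoom_link(link):<10} {link}")
```

A link classified as official has only passed the host check; a download prompt for an installer after clicking "launch", as in the case above, is still a reason to stop.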
