Fake Google Meet conference errors push infostealing malware

October 17, 2024 at 05:04PM

The ClickFix campaign, which emerged in May, lures users to fake Google Meet pages that display fraudulent connectivity errors and lead to malware infections. It has evolved to target firms through phishing emails and to impersonate legitimate tools. Two threat groups, SNE and Scamquerteo, are behind this rise in attacks, which expose victims to a range of malware.

**Meeting Takeaways: ClickFix Campaign Overview**

1. **Campaign Description**:
– The ClickFix campaign is a social-engineering tactic that directs users to fraudulent Google Meet conference pages designed to distribute info-stealing malware for both Windows and macOS operating systems.

2. **Background**:
– First reported by Proofpoint in May, this campaign is attributed to threat actor group TA571, which previously used similar tactics with messages impersonating applications such as Google Chrome, Microsoft Word, and OneDrive.

3. **Malware Impact**:
– The campaign has infected systems with various malware types, including DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
– McAfee reported in July that the campaign's frequency had increased, particularly in the United States and Japan.

4. **Evolution of Campaigns**:
– A recent report from Sekoia indicates that ClickFix has evolved to use Google Meet as a lure, alongside phishing emails targeting logistics firms and deceptive online platforms.
– Two threat groups are involved: Slavic Nation Empire (SNE) and Scamquerteo, both linked to larger cryptocurrency scam operations.

5. **Mechanism of Attack**:
– Attackers send emails that mimic legitimate Google Meet invitations, directing victims to URLs that closely resemble actual Google Meet links.
– Victims encounter fake technical error messages prompting them to click “Try Fix,” which starts a malware infection process involving PowerShell.

6. **Payload Details**:
– On Windows systems, the infection results in info-stealing malware like Stealc or Rhadamanthys.
– On macOS, the payload arrives as a .DMG file named ‘Launcher_v194’, which delivers the AMOS Stealer.

7. **Related Threats**:
– Sekoia has identified additional malware distribution channels beyond Google Meet, including other virtual meeting platforms, PDF readers, fake video games, Web3 applications, and messaging services.

**Action Items/Recommendations**:
– Increase awareness and training regarding these phishing tactics, especially concerning virtual meeting invitations.
– Ensure cybersecurity measures are in place to detect and prevent such malware infections.
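
Links that closely resemble genuine Google Meet URLs, as described under Mechanism of Attack, can be screened in mail or proxy logs before anyone clicks them. The following is an added example, not code from the original article or the reports it cites; the function names and sample links are constructed for illustration, and it assumes the only genuine Meet host is `meet.google.com`.

```python
from urllib.parse import urlsplit

MEET_HOST = "meet.google.com"      # assumption: the only genuine Google Meet host
BRAND_TOKENS = ("meet", "google")  # words a lookalike host reuses to seem genuine

def classify_meet_url(url):
    """Label a link from an invitation: 'legitimate', 'lookalike' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:              # malformed authority, e.g. a broken IPv6 literal
        return "unrelated"
    if parts.scheme not in ("http", "https") or not host:
        return "unrelated"
    if host == MEET_HOST:
        return "legitimate"
    if host == "google.com" or host.endswith(".google.com"):
        return "unrelated"          # another Google property, not a Meet link
    # Search the whole authority (userinfo included) so that a link such as
    # https://meet.google.com@other-host/ is caught: its real host is other-host.
    authority = parts.netloc.lower()
    if all(token in authority for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def flag_lookalikes(urls):
    """Return only the links that imitate Google Meet without being hosted on it."""
    return [u for u in urls if classify_meet_url(u) == "lookalike"]

# Constructed sample links (not indicators taken from any report).
SAMPLE_LINKS = [
    "https://meet.google.com/abc-defg-hij",
    "https://meet.google.com.join-session.example/abc-defg-hij",
    "https://meet-google.example/abc-defg-hij",
    "https://meet.google.com@conference.example/abc-defg-hij",
    "https://calendar.google.com/calendar/r",
    "https://intranet.example/meeting-notes",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_meet_url(link):10}  {link}")
```

The check compares the parsed hostname rather than searching the raw URL string, which is why the subdomain-prefix and userinfo variants in the sample set are flagged while the genuine link is not.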
