Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

October 18, 2024 at 07:00AM

Threat actors are using fake Google Meet pages in the ClickFix malware campaign to deliver infostealers for Windows and macOS. Users are tricked into executing malicious PowerShell commands through deceptive error messages. The campaign is linked to two groups, raising concerns about unknown cybercrime services facilitating these operations.

### Meeting Takeaways – Oct 18, 2024

**Topic:** Threat Intelligence / Phishing Attack – ClickFix Campaign

1. **Overview of ClickFix Campaign:**
– Ongoing malware attack utilizing fake Google Meet web pages.
– Targeting both Windows and macOS systems with infostealers.

2. **Mechanism of Attack:**
– Attackers display fake error messages to trick users into executing malicious PowerShell code.
– Because the victim runs the command manually rather than opening a malicious download or attachment, this initial infection step is harder for conventional security tools to detect.

3. **Variants and Known Lures:**
– Variants named ClickFix, ClearFake, and OneDrive Pastejacking reported.
– Similar approaches have been used to mimic other popular online services (e.g., Facebook, Google Chrome, PDFSimpli).

4. **Malicious URLs Identified:**
– Multiple deceptive domains for fake Google Meet pages highlighted, such as:
  – meet.google.us-join[.]com
  – meet.googie.com-join[.]us
– Other lookalike domains in the same campaign impersonate Zoom.
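As an added defender-side example (not code from the original article), the following Python script scans proxy-log lines for Google Meet lookalike hosts such as the two domains listed above, treating a "google"-like label outside a known Google registrable domain as suspect. The log lines, the partial Google allowlist, and the naive last-two-labels eTLD+1 split are assumptions made for the example.

```python
import re

# Registrable domains that legitimately carry the "google" brand label
# (assumption: a partial allowlist; extend it for your environment).
LEGIT_REGISTRABLE = {"google.com", "googleusercontent.com", "googleapis.com", "gstatic.com"}

# Typo/homoglyph swaps seen in the lure "meet.googie.com-join[.]us" (i for l),
# plus a few common digit-for-letter substitutions.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "3": "e"})

def refang(host: str) -> str:
    """Turn a defanged indicator such as meet.google.us-join[.]com into a hostname."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.us as on this page; a real
    deployment should use the Public Suffix List (assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_meet_lookalike(host: str) -> bool:
    """True when a label looks like 'google' but the registrable domain is not Google's."""
    h = refang(host)
    if registrable_domain(h) in LEGIT_REGISTRABLE:
        return False
    # Normalize each label so 'googie' and 'goog1e' compare equal to 'google'.
    return any("google" in label.translate(CONFUSABLES) for label in h.split("."))

# Constructed proxy log (not real traffic): timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2024-10-18T07:01:12Z 10.0.0.12 GET https://meet.google.com/abc-defg-hij 200
2024-10-18T07:02:40Z 10.0.0.12 GET https://meet.google.us-join.com/join 200
2024-10-18T07:03:05Z 10.0.0.33 GET https://meet.googie.com-join.us/ 200
2024-10-18T07:04:19Z 10.0.0.33 GET https://www.example.org/ 200
"""

HOST_RE = re.compile(r"https?://([^/\s:]+)")

def flag_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, hostname) for every request to a Meet lookalike host."""
    hits = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m and is_meet_lookalike(m.group(1)):
            hits.append((line.split()[1], m.group(1)))
    return hits

if __name__ == "__main__":
    for ip, host in flag_lookalikes(SAMPLE_PROXY_LOG):
        print(f"{ip} contacted Meet lookalike {host}")
```

The homoglyph table is deliberately small; in practice it should be widened with a confusables list and the allowlist checked against your own proxy baseline to control false positives.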

5. **Payload Specifics:**
– On Windows, malware deployed includes StealC and Rhadamanthys stealers.
– For macOS users, a harmful disk image file (“Launcher_v1.94.dmg”) drops the Atomic stealer.

6. **Perpetrators:**
– Attributed to two trafficking groups: Slavic Nation Empire and Scamquerteo, part of markopolo and CryptoLove respectively.
– Indications that these groups share resources and possibly rely on a third-party service for their infrastructure.

7. **Emerging Trends:**
– The rise of open-source infostealers (e.g., ThunderKitty) could make infections more widespread and harder for defenders to counter.
– New families of stealers detected, including Divulge, DedSec (Doenerium), Duck, Vilsa, and Yunit.

8. **Impact on Cybersecurity:**
– The evolution of these tactics and tools emphasizes the increasing risk for businesses and individuals, posing significant challenges to cybersecurity professionals.

**Follow-Up Actions:**
– Stay informed about the evolution of these threats.
– Review and enhance cybersecurity measures to protect against similar phishing tactics.
– Consider training sessions for employees on recognizing and responding to phishing attempts.