Fraudulent Google Meet Pages Spread Infostealers in ClickFix Scheme


Oct 18, 2024 | Ravie Lakshmanan | Threat Intelligence / Phishing Attack

Threat actors are capitalizing on fake Google Meet web pages in an ongoing malware campaign called ClickFix to distribute infostealers targeting Windows and macOS systems.

“This scheme involves displaying fake error messages in web browsers to trick users into copying and executing a malicious PowerShell code, ultimately infecting their systems,” disclosed French cybersecurity firm Sekoia in a report shared with The Hacker News.

Variations of the ClickFix campaign have been spotted widely in recent months. Threat actors use different lures to redirect users to phony pages that deploy malware by persuading visitors to run encoded PowerShell code, supposedly to fix a problem with displaying content in the web browser.


These fake pages impersonate popular online services like Facebook, Google Chrome, PDFSimpli, reCAPTCHA, and now Google Meet, potentially including Zoom. The known domains used in these attacks, listed in Sekoia's report, mimic the hostnames of Google Meet and Zoom meeting-join links.

In the Windows attack chain, StealC and Rhadamanthys stealers are deployed, while Apple macOS users receive a booby-trapped disk image file (“Launcher_v1.94.dmg”) that drops another stealer named Atomic.

This new social engineering tactic evades detection by security tools because it requires the user to run the malicious PowerShell command manually in a terminal, rather than having a downloaded payload execute it automatically.

Fake Google Meet

Sekoia has linked the cluster mimicking Google Meet to two traffers groups, Slavic Nation Empire (also known as Slavice Nation Land) and Scamquerteo, sub-teams within markopolo and CryptoLove, respectively.

“Both traffers teams utilize the same ClickFix template impersonating Google Meet. This find indicates that these teams share materials, including ‘landing projects’ and infrastructure,” Sekoia noted.

This discovery hints at the possibility that both threat groups are using the same, as yet unknown, cybercrime service, with a third party likely managing their infrastructure.


The rise of malware campaigns distributing open-source infostealers such as ThunderKitty, Skuld, Kematian Stealer, and new families like Divulge, DedSec, Duck, Vilsa, and Yunit, marks a significant shift in the cyber threat landscape. Because these tools are open source, they can fuel a new wave of infections, posing challenges for cybersecurity professionals and increasing risks for businesses and individuals, as stated by cybersecurity company Hudson Rock.
