Alert: Deceptive Google Meet Web Pages Distribute Infostealers in Ongoing ClickFix Campaign
Threat actors are using counterfeit Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
According to a report from the French cybersecurity company Sekoia shared with The Hacker News, the tactic involves displaying fake error messages in web browsers to trick users into copying and running a malicious PowerShell command themselves, ultimately compromising their machines.
Different variants of the ClickFix (also known as ClearFake and OneDrive Pastejacking) campaign have been documented repeatedly in recent months, with threat actors using a range of lures to direct users to bogus pages that aim to install malware by convincing visitors to run an encoded PowerShell script, supposedly to fix a problem displaying content in the browser.
The bogus pages impersonate well-known online services such as Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet and possibly Zoom as well, using lookalike domains such as the following (defanged):
- meet.google.us-join[.]com
- meet.googie.com-join[.]us
- meet.google.com-join[.]us
- meet.google.web-join[.]com
- meet.google.webjoining[.]com
- meet.google.cdm-join[.]us
- meet.google.us07host[.]com
- googiedrivers[.]com
- us01web-zoom[.]us
- us002webzoom[.]us
- web05-zoom[.]us
- webroom-zoom[.]us
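Every domain in that list sits outside the registrable domains Google Meet and Zoom actually use; the brand name only ever appears in a subdomain or in a misspelt registrable domain. The following added example (my own code, not Sekoia's or The Hacker News') checks a hostname that way and also catches the subdomain trick ("google.com" buried under someone else's domain) and simple homoglyph swaps such as "googie". The legitimate registrable domains it compares against (google.com, zoom.us), the homoglyph map, and the naive "last two labels" rule for the registrable domain are assumptions; production code should use the Public Suffix List instead of that rule.

```python
# Added example, not from the article or Sekoia: classify hostnames that
# imitate Google Meet or Zoom. google.com / zoom.us as the legitimate
# registrable domains, and the homoglyph map, are assumptions.

LEGITIMATE_DOMAINS = {"google.com", "zoom.us"}
BRANDS = ("google", "zoom")
# Character swaps commonly used in lookalikes; "googie" normalises to "google".
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})

# Input copied from the list above (defanged with "[.]").
LURE_HOSTS = [
    "meet.google.us-join[.]com",
    "meet.googie.com-join[.]us",
    "meet.google.com-join[.]us",
    "meet.google.web-join[.]com",
    "meet.google.webjoining[.]com",
    "meet.google.cdm-join[.]us",
    "meet.google.us07host[.]com",
    "googiedrivers[.]com",
    "us01web-zoom[.]us",
    "us002webzoom[.]us",
    "web05-zoom[.]us",
    "webroom-zoom[.]us",
]


def refang(host: str) -> str:
    """Turn a defanged indicator back into a plain, lower-case hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname.

    Assumption: good enough for .com/.us; for suffixes such as co.uk this
    must be replaced by a Public Suffix List lookup.
    """
    return ".".join(refang(host).split(".")[-2:])


def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    clean = refang(host)
    # Compare the real registrable domain first, before any normalisation,
    # so a genuine google.com/zoom.us host is never flagged.
    if registrable_domain(clean) in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Brand name anywhere else in the name (subdomain, hyphenated, or
    # misspelt with a swapped character) marks an impersonation attempt.
    normalised = clean.translate(HOMOGLYPHS)
    if any(brand in normalised for brand in BRANDS):
        return "lookalike"
    return "unrelated"


def lookalikes(hosts):
    """Filter a list of hostnames down to the ones that impersonate a brand."""
    return [h for h in hosts if classify(h) == "lookalike"]


if __name__ == "__main__":
    for h in LURE_HOSTS + ["meet.google.com", "us02web.zoom.us"]:
        print(f"{h:32} {classify(h)}")
```

All twelve indicators classify as lookalikes, while meet.google.com and us02web.zoom.us pass because their registrable domain matches; the brand-substring test alone would not be enough, since it would also fire on those legitimate hosts.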
On Windows, the attack chain ends with the deployment of the StealC and Rhadamanthys stealers, while macOS users are served a booby-trapped disk image named “Launcher_v1.94.dmg” that drops another stealer known as Atomic.
This emerging social engineering technique is notable for its ability to slip past security solutions: the user, rather than a downloaded payload, pastes and runs the malicious PowerShell command manually, so there is no dropped file or automatic execution at that step for controls to catch.
Sekoia has attributed the cluster impersonating Google Meet to two traffers teams (crews that drive victim traffic to malicious landing pages), Slavic Nation Empire (also called Slavice Nation Land) and Scamquerteo, which are sub-teams of the markopolo and CryptoLove groups, respectively.
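Because the user launches the command, the observable that remains is the process creation itself: PowerShell started from the interactive desktop shell with an encoded command and switches that hide the window or bypass the execution policy. The following added example (my own detection logic, not code from Sekoia or the article) runs that check over constructed process-creation events shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) and decodes the -EncodedCommand payload for the analyst. The events are constructed, the encoded script is a harmless placeholder rather than the campaign's real payload, and treating explorer.exe as the parent of a Run-dialog launch is an assumption about the launch path.

```python
# Added example, not Sekoia's or The Hacker News' code: flag PowerShell
# launched from the desktop shell with an encoded command, and decode it.
# Events are constructed; field names follow Sysmon Event ID 1.
import base64
import re

# Harmless placeholder standing in for the campaign's script (assumption:
# the real payload is deliberately not reproduced).
PLACEHOLDER_SCRIPT = "Write-Host 'placeholder'"


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {   # ClickFix-style: explorer.exe (Run dialog) -> hidden, encoded PowerShell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -ep bypass -enc "
                       + encode_powershell(PLACEHOLDER_SCRIPT),
    },
    {   # Benign: build script from a developer shell, no encoding
        "ParentImage": r"C:\Program Files\Git\git-bash.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -File build.ps1",
    },
    {   # Encoded, but launched by a service host rather than the user
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -enc " + encode_powershell("Get-Date"),
    },
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -en, -enc, ...), so match all of them, longest first.
_ENC_PREFIXES = ["e", "ec"] + ["encodedcommand"[:n] for n in range(2, 15)]
ENC_FLAG = re.compile(
    r"(?<![\w-])-(?:%s)\s+([A-Za-z0-9+/=]+)"
    % "|".join(sorted(_ENC_PREFIXES, key=len, reverse=True)),
    re.IGNORECASE,
)
# Switches that hide the window, bypass execution policy or skip the profile.
EVASION_FLAGS = re.compile(
    r"(?<![\w-])-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass"
    r"|nop(?:rofile)?\b)",
    re.IGNORECASE,
)
# Assumption: a Win+R Run dialog launch shows up with explorer.exe as parent.
INTERACTIVE_PARENTS = {"explorer.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid UTF-16LE base64; still odd, but not decodable


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(event: dict):
    """Return a finding for a ClickFix-like launch, else None."""
    if _basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is None:
        return None
    evasion = [m.group(0) for m in EVASION_FLAGS.finditer(event["CommandLine"])]
    parent = _basename(event["ParentImage"])
    # Require the user-driven launch path plus an evasion switch, so that
    # scheduled or service-driven encoded commands do not page anyone.
    if parent not in INTERACTIVE_PARENTS or not evasion:
        return None
    return {"parent": parent, "evasion_flags": evasion, "decoded_script": decoded}


def scan(events):
    """Return (index, finding) pairs for every event that trips the rule."""
    hits = []
    for i, event in enumerate(events):
        finding = assess_event(event)
        if finding is not None:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for i, finding in scan(SAMPLE_EVENTS):
        print(f"event {i}: {finding}")
```

Only the first event fires: the second has no encoded command, and the third is encoded but comes from svchost.exe with no evasion switches. Tuning the parent set (for example adding cmd.exe if users are told to paste into a Command Prompt) is a local decision; the decoded script is what the analyst actually needs to triage the hit.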
Sekoia said, “Both traffers teams utilize the same ClickFix layout to impersonate Google Meet. This revelation indicates these teams share resources, also referred to as ‘landing project,’ and infrastructure.”
It is therefore possible that both threat actors are using the same, as yet unidentified, cybercrime service, with a third party likely managing their infrastructure.
The development coincides with a rise in malware campaigns distributing the open-source ThunderKitty stealer, which shares similarities with Skuld and Kematian Stealer, as well as newly identified stealer families such as Divulge, DedSec (also known as Doenerium), Duck, Vilsa, and Yunit.
“The emergence of openly-sourced infostealers represents a significant transition in the realm of cyber threats,” cybersecurity firm Hudson Rock stated in July 2024.
“By reducing entry barriers and fostering swift innovation, these tools may spur a fresh wave of computer infections, posing challenges for cybersecurity professionals and heightening overall risks for organizations and individuals.”