Cybercriminals are exploiting fake Google Meet web pages in an ongoing malware campaign called ClickFix to deploy infostealers targeting both Windows and macOS systems.
“By presenting fake error messages within web browsers, attackers trick users into copying and executing malicious PowerShell scripts, leading to system infection,” French cybersecurity firm Sekoia revealed in a report.
Recent months have seen numerous variations of the ClickFix campaign (also referred to as ClearFake and OneDrive Pastejacking), where attackers use different methods to lure victims to fraudulent pages. These sites then prompt users to run encoded PowerShell commands, allegedly to resolve browser content display issues, but in reality, it initiates malware downloads.
These fake pages often impersonate popular online platforms, such as Facebook, Google Chrome, PDFSimpli, reCAPTCHA, and now Google Meet, with potential to spoof Zoom as well:
- meet.google.us-join[.]com
- meet.googie.com-join[.]us
- meet.google.com-join[.]us
- meet.google.web-join[.]com
- meet.google.webjoining[.]com
- meet.google.cdm-join[.]us
- meet.google.us07host[.]com
- googiedrivers[.]com
- us01web-zoom[.]us
- us002webzoom[.]us
- web05-zoom[.]us
- webroom-zoom[.]us
On Windows systems, this attack chain leads to the deployment of StealC and Rhadamanthys stealers, while macOS users are targeted with a malicious disk image file (“Launcher_v1.94.dmg”) that installs the Atomic stealer.
This innovative social engineering approach stands out because it bypasses security detection, as users manually run the harmful PowerShell commands in the terminal, rather than having the malware automatically executed by a downloaded payload.
Sekoia has linked the group impersonating Google Meet to two traffer teams: Slavic Nation Empire (also known as Slavice Nation Land) and Scamquerteo, which function as subgroups within the larger operations of markopolo and CryptoLove, respectively.
“Both traffer teams […] utilize the same ClickFix template mimicking Google Meet,” Sekoia said. “This finding indicates that these groups likely share resources, referred to as the ‘landing project,’ along with infrastructure.”
This discovery suggests the possibility that both threat actors are leveraging the same unknown cybercrime service, with a third party possibly managing their infrastructure behind the scenes.
This development coincides with the rise of malware campaigns deploying the open-source ThunderKitty stealer, which shares similarities with Skuld and Kematian Stealer, alongside newly identified stealer families such as Divulge, DedSec (also known as Doenerium), Duck, Vilsa, and Yunit.
“The proliferation of open-source infostealers marks a major shift in the cyber threat landscape,” cybersecurity firm Hudson Rock noted in July 2024.
“By lowering the entry barriers and accelerating innovation, these tools could drive a surge in computer infections, creating challenges for cybersecurity professionals and heightening risks for both businesses and individuals.”
Source: TheHackerNews
