Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
“This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems,” French cybersecurity company Sekoia said in a report shared with The Hacker News.
Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell code to address a supposed issue with displaying content in the web browser.
These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom –
- meet.google.us-join[.]com
- meet.googie.com-join[.]us
- meet.google.com-join[.]us
- meet.google.web-join[.]com
- meet.google.webjoining[.]com
- meet.google.cdm-join[.]us
- meet.google.us07host[.]com
- googiedrivers[.]com
- us01web-zoom[.]us
- us002webzoom[.]us
- web05-zoom[.]us
- webroom-zoom[.]us
On Windows, the attack chain culminates in the deployment of StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file (“Launcher_v1.94.dmg”) that drops another stealer known as Atomic.
This emerging social engineering tactic is notable for the fact that it cleverly evades detection by security tools, as it involves the users manually running the malicious PowerShell command directly on the terminal, as opposed to being automatically invoked by a payload downloaded and executed by them.
Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.
“Both traffers teams […] use the same ClickFix template that impersonates Google Meet,” Sekoia said. “This discovery suggests that these teams share materials, also known as ‘landing project,’ as well as infrastructure.”
This, in turn, has raised the possibility that both the threat groups are making use of the same, as-yet-unknown cybercrime service, with a third-party likely managing their infrastructure.
The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.
“The rise of open-source infostealers represents a significant shift in the world of cyber threats,” cybersecurity company Hudson Rock noted back in July 2024.
“By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals.”