Fake Google Meet meetings install malware on Windows and macOS computers

marry 18.10.2024, 11:00 AM

Cybersecurity researchers from the French company Sekoia have warned of an increase in cyber attacks targeting users of the popular video conferencing platform Google Meet, in which attackers use the notorious “ClickFix” tactic. This tactic, first noticed in May 2024 by the cybersecurity company Proofpoint, involves impersonating legitimate software and services such as Google Chrome, Facebook or Google Meet with the aim of tricking users into downloading malware.

This social engineering tactic was first used by attackers from the group TA571 who displayed fake error messages for Google Chrome, Microsoft Word and OneDrive to victims. Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig and Lumma Stealer.

According to Sekoia researchers, attackers are now sending emails that look like legitimate Google Meet invitations related to a business meeting or other important event. The links in these emails look very similar to real Google Meet links, but actually lead victims to fake pages, where a pop-up message appears notifying them of a technical problem. The fake error messages mimic legitimate Google Meet alerts, prompting users to click the “Fix It” button or take other actions. Following these instructions causes victims to run code that installs data-stealing malware on their Windows or macOS device.

For Windows users, the bogus error message cites problems with the microphone or headphones and prompts them to copy a script that downloads the Stealc and Rhadamanthys malware. macOS users are tricked into downloading the AMOS Stealer malware.

“Given the variety of initial malicious websites that redirect to this infrastructure, we estimate with high confidence that this is shared among multiple threat actors. They collaborate within a centralized Traffers team to share certain resources, including this infrastructure and AMOS Stealer, which is also sold as Malware-as-a-Service,” the report states.

The investigation revealed that two cybercrime groups, “Slavic Nation Empire” (linked to the Marco Polo cryptocurrency scam team) and “Scamquerteo Team” (a subgroup of the CryptoLove cryptocurrency scam group), are likely behind this ClickFix cluster.

Both groups use the same ClickFix template with Google Meet, which means they share the same infrastructure and likely have a third party managing their infrastructure or registering their domains.

Malware delivered through these attacks includes information-stealing malware, botnets, and remote access tools. These can steal sensitive data, compromise systems and enable further attacks.

In addition to Google Meet, Sekoia identified several other malware distribution clusters, including Zoom, PDF readers, fake video games (Lunacy, Calipso, Battleforge, Ragon), web3 browsers and projects (NGT Studio), and messaging apps (Nortex).

The ClickFix tactic is particularly dangerous because it bypasses traditional protection and security measures: the victim is not asked to download a file directly, but instead copies and runs the malicious script themselves, so controls that watch for downloaded executables never see the initial step.

In July, McAfee warned that ClickFix campaigns had become common, particularly in the United States and Japan.

To protect yourself from ClickFix attacks, be wary of unexpected error messages, check scripts from unknown sources before copying them, use reliable antivirus software, be careful with links, and enable two-factor authentication as an extra layer of protection for your online accounts.
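The article notes that the invitation links only resemble real Google Meet links. The following is an added example (not from the article or from Sekoia) of a defensive link check a mail filter or user-education tool could apply: it accepts only `https://meet.google.com/` with a meeting-code path and reports why anything else is suspect. The 3-4-3 lowercase letter code form and the sample URLs are assumptions constructed for the example.

```python
import re
from typing import Tuple
from urllib.parse import urlsplit

# Only this host serves real Google Meet meetings; anything else is suspect.
MEET_HOST = "meet.google.com"
# Meeting codes look like abc-defg-hij (assumed 3-4-3 lowercase letter form).
MEET_CODE = re.compile(r"^/[a-z]{3}-[a-z]{4}-[a-z]{3}/?$")


def check_meet_link(url: str) -> Tuple[bool, str]:
    """Return (is_genuine, reason) for a link claiming to be a Meet invitation."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"unexpected scheme {parts.scheme!r}"
    # A real Meet link never carries user@ before the host; when it is present
    # the browser connects to whatever follows the '@', not to the brand name.
    if parts.username is not None:
        return False, "userinfo before host hides the real destination"
    host = (parts.hostname or "").lower()
    if host == MEET_HOST:
        if MEET_CODE.match(parts.path):
            return True, "genuine meet.google.com meeting link"
        return False, "correct host but path is not a meeting code"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode (IDN) host imitating a brand"
    if "google" in host or "meet" in host:
        # e.g. meet.google.com.<other-domain> or meet-google.<tld>
        return False, f"lookalike host {host!r} (not {MEET_HOST})"
    return False, f"unrelated host {host!r}"


def scan_links(urls) -> dict:
    """Classify a batch of links; returns {url: (is_genuine, reason)}."""
    return {u: check_meet_link(u) for u in urls}


# Constructed sample links (not real indicators) to exercise the checks.
SAMPLE_LINKS = [
    "https://meet.google.com/abc-defg-hij",
    "https://meet.google.com.example.invalid/abc-defg-hij",
    "https://meet-google.example.invalid/abc-defg-hij",
    "https://meet.google.com@example.invalid/abc-defg-hij",
    "http://meet.google.com/abc-defg-hij",
    "https://meet.google.com/fix-it?error=microphone",
]

if __name__ == "__main__":
    for link, (ok, why) in scan_links(SAMPLE_LINKS).items():
        print(("OK      " if ok else "SUSPECT ") + link + "  <- " + why)
```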

Photo: Abid Shah | Unsplash

Source: www.informacija.rs