Introduction
In the ever-evolving landscape of cyber threats, hackers are continually finding new ways to deceive users. The latest method involves fraudulent Google Meet conference pages that lure unsuspecting individuals into downloading malicious software. This blog post delves into how these fake meeting invites work, the tactics used, and the dangers they pose to both Windows and macOS users.
The Rise of ClickFix Campaigns: A Social Engineering Trap
Cybercriminals are using a social engineering technique known as ClickFix to target users with fake Google Meet pages. ClickFix emerged in May, was first identified by cybersecurity firm Proofpoint, and is attributed to a threat actor called TA571. Initially, this tactic involved creating fake error messages for popular applications like Google Chrome, Microsoft Word, and OneDrive. These errors prompted users to copy PowerShell code and run it in the Windows Command Prompt, unknowingly installing malware.
Evolving Threat: From Fake Errors to Google Meet Lures
Over time, the ClickFix campaign has evolved from basic application errors to more sophisticated lures using Google Meet. According to recent reports from Sekoia, a cybersecurity SaaS provider, these attacks now involve phishing emails that imitate Google Meet invitations, targeting users in sectors like transport and logistics. By creating a sense of urgency, these emails trick recipients into clicking on malicious links that lead them to deceptive websites.
The Fake Google Meet Strategy: How It Works
The attackers’ strategy is simple yet effective. Victims receive an email that looks like a legitimate Google Meet invite, complete with meeting details and links. The URLs mimic actual Google Meet addresses, using slight variations to fool the eye:
- meet[.]google[.]us-join[.]com
- meet[.]google[.]web-join[.]com
- meet[.]googie[.]com-join[.]us
- meet[.]google[.]cdm-join[.]us
Once on the fake site, users are confronted with a pop-up error message indicating a problem with their microphone or headset. The page then encourages them to click on a “Try Fix” button, initiating the ClickFix process. By copying and pasting the suggested PowerShell code into the Windows prompt, they unknowingly download and execute malware.
Unmasking the Malware: What’s Being Installed?
ClickFix campaigns don’t just use one type of malware; they deploy a variety of harmful software that can wreak havoc on a system. The payload includes notorious malware strains like:
- DarkGate: A remote access Trojan (RAT) that enables attackers to take control of infected systems.
- Matanbuchus: A loader that spreads other malware.
- NetSupport: A tool often abused for remote control.
- Amadey Loader: A Trojan downloader used to fetch additional malware.
- XMRig: Cryptocurrency mining software that exploits system resources.
- Lumma Stealer: An info-stealer that targets sensitive data like passwords and financial information.
For macOS users, the attacks drop a different type of malware called the AMOS Stealer, disguised as a disk image file named ‘Launcher_v194.’
Who’s Behind These Campaigns?
According to Sekoia, two cybercrime groups are heavily involved in this operation: the Slavic Nation Empire (SNE) and Scamquerteo, both believed to be offshoots of larger cryptocurrency scam gangs known as Marko Polo and CryptoLove. These groups have diversified their attack methods beyond Google Meet to target other platforms like Zoom, PDF readers, fake video games, and messenger apps.
Expanding the Attack Surface: More Than Just Google Meet
ClickFix campaigns aren’t limited to just Google Meet. These attackers are also exploiting vulnerabilities in other commonly used services and platforms. They’ve set up fake error pages for tools like Zoom, PDF readers, and even certain Web3 projects. Additionally, deceptive game files and GitHub issues have been used as malware delivery mechanisms.
How to Protect Yourself from These Deceptive Tactics
To safeguard against these evolving threats, it’s essential to remain vigilant and follow best practices for online security:
- Verify Meeting Links: Always double-check the URLs in meeting invites. Genuine Google Meet links typically come from Google domains.
- Avoid Running Unknown Code: Never copy and paste code from unfamiliar sources, especially if prompted by error messages.
- Update Security Software: Keep your antivirus and malware protection software up to date to detect and block potential threats.
- Educate Employees: Regularly train employees on the latest phishing tactics and how to spot suspicious emails or links.
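The "Verify Meeting Links" advice can be automated in a mail or proxy filter. The sketch below is an added example, not code from Sekoia or Proofpoint: it classifies a link by hostname and is exercised against the four lookalike domains listed earlier in this post. It assumes meet.google.com is the only legitimate Meet host; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption for this example: Google Meet is served only from this host.
LEGIT_HOST = "meet.google.com"
BRAND_LABELS = ("meet", "google")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http", 1)


def hostname_of(link: str) -> str:
    """Extract the lowercase hostname from a URL or a bare host."""
    link = refang(link.strip())
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typos such as 'googie'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_meet_link(link: str) -> str:
    """Label a link as legitimate, a Meet lookalike, or unrelated."""
    host = hostname_of(link)
    if host == LEGIT_HOST:
        return "legitimate"
    labels = host.split(".")
    # Brand words used as leading labels of another domain: meet.google.us-join.com
    if labels[:2] == list(BRAND_LABELS):
        return "lookalike: brand labels on foreign domain"
    # Near-miss spelling of a brand label: meet.googie.com-join.us
    for label in labels:
        for brand in BRAND_LABELS:
            if label != brand and edit_distance(label, brand) == 1:
                return "lookalike: misspelled brand"
    return "unrelated"
```

The comparison is on the parsed hostname, not the visible link text, so a URL that merely begins with "meet.google" is still flagged when the domain that follows is not Google's.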
Conclusion: Stay Alert, Stay Secure
Cybercriminals are continuously refining their methods to trick users into installing malware. The evolution of ClickFix campaigns shows just how adaptable these threat actors can be. By staying informed and cautious, you can avoid falling victim to these deceptive schemes and keep your data safe.








