Fake Google Meet conference errors push infostealing malware

Gandalf_The_Grey

A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems.

ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive.

The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt.

Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
Sekoia has identified several other malware distribution clusters in addition to Google Meet, including Zoom, PDF readers, fake video games (Lunacy, Calipso, Battleforge, Ragon), web3 browsers and projects (NGT Studio), and messenger apps (Nortex).
 
This attack vector can be dangerous for inexperienced users. The malicious code is executed outside the web browser via CmdLine, similar to a shortcut attack.
The attack can be done filelessly.
Such attacks are not especially dangerous for cautious users. Anyway, this attack vector can be easily prevented by blocking the Run option in Explorer:

1. System wide:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

2. Per user only:
Code:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

Warning.
This policy will also block another possible attack: opening Windows Explorer via the Windows logo key + E and pasting the malicious CmdLine into the Address bar.
Of course, the user will not be able to use this method for benign actions like running an application by pasting the application path into Explorer's Address bar (most people do not use this at all).
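The same NoRun restriction, as an added PowerShell example that is not part of the post above: it audits both hives, applies the REG_DWORD value from the post's .reg lines to either the system-wide (HKLM) or per-user (HKCU) Explorer policy key, and can remove it again. The function names and the Machine/User scope labels are this example's own; the HKLM scope assumes an elevated session.

```powershell
# Added example, not code from the forum post. Audits and applies the Explorer
# "NoRun" policy (REG_DWORD 1) in the two keys the post lists.
# Assumptions: run elevated for the Machine scope; function names are ours.

$PolicyKeys = @{
    'Machine' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'User'    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function Get-NoRunPolicy {
    # One object per scope; NoRun absent or 0 means the Run dialog is still allowed.
    foreach ($scope in $PolicyKeys.Keys) {
        $path  = $PolicyKeys[$scope]
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'NoRun' -ErrorAction SilentlyContinue).NoRun
        }
        [pscustomobject]@{
            Scope   = $scope
            Path    = $path
            NoRun   = $value
            Blocked = ($value -eq 1)
        }
    }
}

function Set-NoRunPolicy {
    param(
        [ValidateSet('Machine', 'User')] [string]$Scope = 'Machine',
        [switch]$Disable   # remove the restriction again
    )
    $path = $PolicyKeys[$Scope]
    if (-not (Test-Path $path)) {
        # The Policies\Explorer key does not exist on a default install; create it.
        New-Item -Path $path -Force | Out-Null
    }
    if ($Disable) {
        Remove-ItemProperty -Path $path -Name 'NoRun' -ErrorAction SilentlyContinue
    } else {
        # Same value as the post's "NoRun"=dword:00000001 lines.
        New-ItemProperty -Path $path -Name 'NoRun' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    # Return the resulting state for the scope just changed.
    Get-NoRunPolicy | Where-Object Scope -eq $Scope
}

# Usage: audit first, then apply to the chosen scope.
Get-NoRunPolicy | Format-Table -AutoSize
# Set-NoRunPolicy -Scope Machine
# Set-NoRunPolicy -Scope User -Disable
```

Explorer reads this policy when it starts, so a running session usually picks it up only after logoff or a restart of explorer.exe; run Get-NoRunPolicy afterwards to confirm Blocked shows True for the intended scope.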
 