Security News Fake Google Meet conference errors push infostealing malware

Gandalf_The_Grey

Gandalf_The_Grey

Level 82
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
Content source
https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/
A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems.

ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive.

The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt.

Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
Click to expand...
Sekoia has identified several other malware distribution clusters in addition to Google Meet, including Zoom, PDF readers, fake video games (Lunacy, Calipso, Battleforge, Ragon), web3 browsers and projects (NGT Studio), and messenger apps (Nortex).
Click to expand...
www.bleepingcomputer.com

Fake Google Meet conference errors push infostealing malware

A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: simmerskool, Andy Ful and harlan4096
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
This attack vector can be dangerous for inexperienced users. The malicious code is executed outside the web browser via CmdLine, similar to a shortcut attack.
The attack can be done filelessly.
Such attacks are not especially dangerous for cautious users. Anyway, this attack vector can be easily prevented by blocking the Run option in Explorer:

1. System wide:
Code: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

2. Per user only:
Code: 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

Warning.
This policy will block another possible attack by opening Windows Explorer via the Windows logo key + E and pasting the malicious CmdLine into the Address bar.
Of course, the user will not be able to use this method for benign actions like running an application by pasting the application path into Explorer's Address bar (most people do not use this at all).
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool, Gandalf_The_Grey and harlan4096

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Malware News Fake Google Chrome errors trick you into running malicious PowerShell scripts
Replies
1
Views
1,885
Security News
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top