Fake Google Meet conference errors push infostealing malware

Gandalf_The_Grey
A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems.

ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive.

The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt.

Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
Sekoia has identified several other malware distribution clusters in addition to Google Meet, including Zoom, PDF readers, fake video games (Lunacy, Calipso, Battleforge, Ragon), web3 browsers and projects (NGT Studio), and messenger apps (Nortex).
 

Andy Ful
This attack vector can be dangerous for inexperienced users. The malicious code is executed outside the web browser via CmdLine, similar to a shortcut attack.
The attack can be done filelessly.
Such attacks are not especially dangerous for cautious users. Anyway, this attack vector can be easily prevented by blocking the Run option in Explorer:

1. System wide:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

2. Per user only:
Code:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

Warning.
This policy will block another possible attack by opening Windows Explorer via the Windows logo key + E and pasting the malicious CmdLine into the Address bar.
Of course, the user will not be able to use this method for benign actions like running an application by pasting the application path into Explorer's Address bar (most people do not use this at all).
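A PowerShell script, added here as an example and not part of Andy Ful's post or of Hard_Configurator, that audits whether the NoRun policy above is present in both hives and applies it when run with -Apply; it assumes only the two policy paths and the NoRun value given in the post.

```powershell
# Added example (not from the post): audit and optionally set the NoRun Explorer
# policy in both hives. The HKLM branch needs an elevated PowerShell session.
param([switch]$Apply)

$hives = [ordered]@{
    'System wide (HKLM)'  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'Current user (HKCU)' = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function Get-NoRunState {
    param([string]$Path)
    # A missing key or a missing value both mean the Run box is still allowed.
    $item = Get-ItemProperty -Path $Path -Name NoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (Run allowed)' }
    if ($item.NoRun -eq 1) { return 'enabled (Run blocked)' }
    return "set to $($item.NoRun) (Run allowed)"
}

function Set-NoRun {
    param([string]$Path)
    # New-Item -Force creates the Policies\Explorer key if it does not exist yet.
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null
}

foreach ($label in $hives.Keys) {
    $path = $hives[$label]
    Write-Host ("{0,-22} {1}" -f $label, (Get-NoRunState -Path $path))
    if ($Apply) {
        try {
            Set-NoRun -Path $path
            Write-Host ("{0,-22} now: {1}" -f '', (Get-NoRunState -Path $path))
        } catch {
            # Writing HKLM from a non-elevated session fails here; HKCU still succeeds.
            Write-Warning "Could not write $path : $($_.Exception.Message)"
        }
    }
}
# Explorer typically picks the policy up at the next sign-in, so sign out and back
# in before checking that Win+R and pasting into the Explorer address bar are blocked.
```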