Alert essentials:
Recent ClickFix malware campaigns use fake Google Meet error pages to trick users into downloading malicious software, including keyloggers and data exfiltration tools.
Hackers have expanded this tactic to exploit popular platforms like Zoom and Facebook.
Detailed threat description:
In recent months, multiple malware distribution campaigns have leveraged the ClickFix lure to spread Windows and macOS infostealers, botnets, and remote access tools.
The ongoing ClickFix campaign recently began leveraging fake Google Meet error pages. These errors urge users to ‘fix’ issues and deceptively provide malicious downloads containing key loggers and data exfiltration tools.
Hackers send phishing emails that appear to be conference invitations with links directing users to fake Google Meet pages. Once at a hoax page, the victim receives a fake error message related to connectivity issues or audio and video trouble. Here, users are given a ‘Try Fix’ button, which redirects to a page with instructions on pasting PowerShell code into their computer.
As soon as the script is executed, the malware infiltrates the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.
The ongoing campaigns, attributed to groups like the Slavic Nation Empire and Scamquerteo, have evolved to exploit Google Meet and other popular applications like Zoom, Facebook, and PDF readers. Most recently, Qualys researchers report seeing similar activity leveraging CAPTCHA verification to download the payload in PowerShell.
A list of IoCs through GitHub is available in the links referenced below.
Security defenders are encouraged to stay current on IoCs, as these will expand with the continuation of attacks. Stay vigilant and follow the recommended mitigations to reduce system exploit outcomes drastically.
Impacts on healthcare organizations:
Hospitals work with many partners and suppliers who often have weak network security. Clicking on malicious links gives hackers access to sensitive patient and treatment information.
Help keep network data secure by verifying invitation origins before using a link to enter a conference.
Recommendations
Engineering recommendations:
- Limit the use of PowerShell to administrative users only, and implement logging to monitor for suspicious script execution
- Implement URL filtering to block access to known malicious domains like googiedrivers[.]com
- Regularly update threat intelligence feeds and domain blocks for similar impersonation URLs
- Deploy EDR solutions capable of detecting process hollowing techniques and abnormal PowerShell execution patterns, as well as tools to detect data exfiltration
- Implement robust email filtering to block phishing emails and malicious attachments
- Use web filtering solutions to prevent access to known malicious websites
- Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic
- Use network segmentation to limit the spread of malware within the organization
- Ensure all operating systems, software, and applications are updated with the latest security patches
- Continuously monitor and analyze system and network logs for signs of compromise
- Encrypt sensitive data both in transit and at rest to protect it from unauthorized access
Leadership/ Program recommendations:
- Educate staff on recognizing phishing attempts and fake software error messages
- Emphasize that reputable services will not ask users to run PowerShell commands to resolve issues
- Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources
- Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References: