Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Oct. 21, 2024, 9:54 a.m.

Description

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersonate various online services, including Facebook, Google Chrome, and reCAPTCHA. On Windows, the attack deploys the StealC and Rhadamanthys stealers, while macOS users are targeted with the Atomic stealer. The tactic evades detection by having users manually run the malicious code. The campaign is attributed to two traffer groups, Slavic Nation Empire and Scamquerteo, which suggests that they share materials and infrastructure.

Date

Published: Oct. 18, 2024, 2:09 p.m.

Created: Oct. 18, 2024, 2:09 p.m.

Modified: Oct. 21, 2024, 9:54 a.m.

Attack Patterns

Atomic

StealC

Rhadamanthys

T1059.001

T1012

T1114

T1087

T1113

T1005

T1547

T1082

T1083

T1055

T1036

T1204

T1056

T1566