ClickFix tactic: The Phantom Meet
Oct. 18, 2024, 4:26 p.m.
Description
This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and macOS systems, spreading infostealers like Stealc, Rhadamanthys, and AMOS Stealer. The operation is linked to cybercrime groups 'Slavic Nation Empire' and 'Scamquerteo', sub-teams of larger cryptocurrency scam organizations. The report details the infection chain, infrastructure, and provides insights into the broader malware distribution ecosystem associated with these threat actors.
Date
Published: Oct. 18, 2024, 3:56 p.m.
Created: Oct. 18, 2024, 3:56 p.m.
Modified: Oct. 18, 2024, 4:26 p.m.
Indicators
Attack Patterns
AMOS Stealer
StealC
Rhadamanthys
Slavic Nation Empire
T1584.001
T1588.001
T1583.001
T1059.005
T1059.001
T1105
T1071
T1204
T1566
Additional Information
Poland