ClickFix tactic: The Phantom Meet

Oct. 18, 2024, 4:26 p.m.

Description

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code themselves by displaying fake error messages with bogus "fix" instructions. The investigated cluster targets both Windows and macOS systems, spreading infostealers such as Stealc, Rhadamanthys, and AMOS Stealer. The operation is linked to the cybercrime groups 'Slavic Nation Empire' and 'Scamquerteo', sub-teams of larger cryptocurrency scam organizations. The report details the infection chain and infrastructure, and provides insights into the broader malware distribution ecosystem associated with these threat actors.

Date

Published: Oct. 18, 2024, 3:56 p.m.

Created: Oct. 18, 2024, 3:56 p.m.

Modified: Oct. 18, 2024, 4:26 p.m.

Indicators

Attack Patterns

AMOS Stealer

StealC

Rhadamanthys

Slavic Nation Empire

T1584.001

T1588.001

T1583.001

T1059.005

T1059.001

T1105

T1071

T1204

T1566

Additional Information

Poland