ClickFix tactic: The Phantom Meet

Oct. 18, 2024, 4:26 p.m.

Description

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code themselves: a fake error message presents a "fix" that is in fact a command the victim is told to copy and execute. The investigated cluster targets both Windows and macOS systems, delivering the infostealers Stealc, Rhadamanthys, and AMOS Stealer. The operation is linked to the cybercrime groups 'Slavic Nation Empire' and 'Scamquerteo', sub-teams of larger cryptocurrency scam organizations. The report details the infection chain and infrastructure and provides insight into the broader malware distribution ecosystem associated with these threat actors.

Date

  • Created: Oct. 18, 2024, 3:56 p.m.
  • Published: Oct. 18, 2024, 3:56 p.m.
  • Modified: Oct. 18, 2024, 4:26 p.m.

Indicators

  • nortexmessenger.digital
  • nortexapp.digital
  • nortex.limited
  • nortex.digital
  • mordex.digital
  • a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c
  • 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe
  • 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5
  • 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138
  • 95.182.97.58
  • 85.209.11.155
  • 77.221.157.170
  • https://webapizmland.com/api/cmdruned
  • https://us18web-zoom.us/stealc.exe
  • https://us18web-zoom.us/ram.exe
  • https://meet.google.webjoining.com/exw-jfaj-hpa
  • https://meet.google.us07host.com/coc-btru-ays
  • https://meet.google.us-join.com/ywk-batf-sfh
  • https://meet.google.com-join.us/wmq-qcdn-orj
  • https://googIedrivers.com/fix-error
  • https://carolinejuskus.com/kusaka.php?call=launcher
  • https://carolinejuskus.com/f9dfbcf6a999/7cc2f5dc3c76/load.51f8527e20dcb05ffd8586b853937a8a.php?call=launcher
  • http://95.182.97.58/84b7b6f977dd1c65.php
  • http://85.209.11.155/joinsystem
  • http://77.221.157.170:3004/server.js
  • meet.google.webjoining.com
  • meet.google.web-join.com
  • meet.google.us07host.com
  • meet.google.us-join.com
  • meet.google.com-join.us
  • meet.google.cdm-join.us
  • meet.googie.com-join.us
  • worldcozy.com
  • webroom-zoom.us
  • webapizmland.com
  • webjoining.com
  • web3dev.buzz
  • web05-zoom.us
  • veriscroll.com
  • verdascript.com
  • utv4fun.com
  • us95web-zoom.us
  • us85web-zoom.us
  • us80web-zoom.us
  • us77web-zoom.us
  • us6web-zoom.us
  • us70web-zoom.us
  • us60web-zoom.us
  • us5web-zoom.us
  • us55web.us
  • us555web-zoom.us
  • us50web.us
  • us50web-zoom.us
  • us505web-zoom.us
  • us500web-zoom.us
  • us4web-zoom.us
  • us45web-zoom.us
  • us40web.us
  • us40web-zoom.us
  • us30web-zoom.us
  • us18web-zoom.us
  • us20web.us
  • us15web.us
  • us12web.us
  • us10web-zoom.us
  • us09web.us
  • us08web.us
  • us09web-zoom.us
  • us08web-zoom.us
  • us07web-zoom.us
  • us055web-zoom.us
  • us050web-zoom.us
  • us03web.us
  • us03web-zoom.us
  • us01web.us
  • us01web-zoom.us
  • us008web-zoom.us
  • us007web-zoom.us
  • us006web-zoom.us
  • us005web-zoom.us
  • us004web-zoom.us
  • us003webzoom.us
  • us002webzoom.us
  • ultimateplay.xyz
  • ultimategame.xyz
  • tooldream.live
  • thewatch.com
  • thecalipsoproject.com
  • stonance.com
  • sleipnirbrowser.xyz
  • sleipnirbrowser.org
  • projectcalipso.com
  • playultimate.xyz
  • playbattleforge.xyz
  • playbattleforge.org
  • phperl.com
  • patrickcateman.com
  • pakoyayinlari.com
  • nortexmessenger.us
  • nortexmessenger.pro
  • nortexmessenger.blog
  • nortexapp.xyz
  • nortexapp.pro
  • nortexapp.me
  • nortexapp.io
  • nortexapp.com
  • nortex.uk
  • nortex.lol
  • nortex.life
  • nortex.blog
  • nortex-app.xyz
  • nortex-app.us
  • nortex-app.pro
  • nort-ex.world
  • nort-ex.lol
  • nort-ex.eu
  • nor-tex.xyz
  • nor-tex.world
  • nor-tex.pro
  • nor-tex.eu
  • nightstudioweb.xyz
  • nightstudio.io
  • night-support.xyz
  • ngtverse.org
  • ngtstudio.online
  • ngtstudio.io
  • ngtproject.com
  • ngtmetaweb.com
  • ngtmetaland.io
  • ngtmeta.io
  • myultimate.xyz
  • mybattleforge.xyz
  • mordex.homes
  • mordex.blog
  • mor-dex.world
  • modoodeul.com
  • missingfrontier.com
  • mishapagerealty.com
  • mensadvancega.com
  • mdalies.com
  • lunacy4.com
  • lunacy3.com
  • lirelasuisse.com
  • lastnuggets.com
  • kansaskollection.com
  • iloanshop.com
  • googiedrivers.com
  • gamascript.com
  • fatoreader.net
  • fatoreader.com
  • doculuma.com
  • dekhke.com
  • darkblow.com
  • cphoops.com
  • cozyworld.io
  • cozyweb3.com
  • cozymeta.fun
  • cozymeta.xyz
  • cozymeta.com
  • cautrucanhtuan.com
  • cozyland.xyz
  • carolinejuskus.com
  • bowerchalke.com
  • calipsoproject.com
  • battleultimate.xyz
  • argongame.com
  • battleforge.cc
  • apunanwu.com
  • alienmanfc6.com
  • riotrevelry.com
  • nightpredators.com

Attack Patterns

  • AMOS Stealer
  • StealC
  • Rhadamanthys
  • Slavic Nation Empire

Additional Information

  • Poland