Saturday, December 7, 2024
HomeCyber Security NewsClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

Published on

SIEM as a Service

A new tactic, “ClickFix,” has emerged. It exploits fake Google Meet and Zoom pages to deliver sophisticated malware.

The Sekoia Threat Detection & Research (TDR) team monitors this social engineering strategy closely. It represents a significant evolution in how threat actors deceive users into compromising their systems.

The ClickFix strategy involves displaying deceptive error messages on web browsers, prompting users to execute malicious commands.

- Advertisement - SIEM as a Service

These commands, often delivered via PowerShell scripts, ultimately infect users’ systems with malware.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

The tactic is particularly concerning because it mimics legitimate video conferencing platforms, such as Google Meet and Zoom, widely used for business and personal communication.

ClickFix infection routine
ClickFix infection routine ( source: Sekoia )

How ClickFix Works

The infection process initiated by ClickFix is alarmingly straightforward. Users visiting the fake video conferencing pages are instructed to follow a series of seemingly innocuous steps:

  1. Error Message Displayed: A fake error message appears, suggesting a problem with the microphone or headset.
  2. User Action Required: Users are guided to press “Windows + R” to open the Run dialog box.
  3. Malicious Command Execution: Users are instructed to paste and execute a malicious command copied from the page, usually involving PowerShell scripts.

This method tricks users into running commands that download and execute malware, such as the Amos Stealer for macOS or other payloads for Windows systems.

The technique leverages the appearance of legitimacy by having the malicious command run under Explorer.exe, reducing the chance of detection by security software.

ClickFix cluster masquerading as a Google Meet page displaying a fake technical issue.
ClickFix cluster masquerading as a Google Meet page displaying a fake technical issue. (source: Sekoia)

There are several scenarios under which ClickFix can operate:

  • macOS Target: Users are deceived into downloading a .dmg file that executes the malware directly.
  • Windows Target: Two primary infection chains are used. One utilizes a malicious Mshta command, while the other employs PowerShell.

Each scenario exploits the user’s trust in familiar interfaces like Google Meet to initiate the malware delivery process.

Detecting ClickFix requires vigilance and understanding of typical behavioral patterns associated with these attacks. Key indicators include:

  • Process Monitoring: Detecting unusual parent-child process relationships, such as mshta.exe or bitsadmin.exe being initiated by Explorer.exe.
  • Network Activity: Monitoring for suspicious network requests made by processes like mshta.exe, which may use a default User-Agent string typical of Internet Explorer.

Organizations are advised to employ Endpoint Detection and Response (EDR) systems capable of identifying these patterns. Additionally, network logs from firewalls and proxies can provide valuable insights into potential compromises.

A significant aspect of ClickFix’s success lies in its use of legitimate Windows tools, a strategy known as “living off the land.”

By exploiting tools like bitsadmin.exe, attackers can bypass traditional security measures. This method emphasizes the need for organizations to maintain robust monitoring systems that can discern legitimate use from malicious activity.

The emergence of ClickFix highlights the evolving nature of cyber threats and the sophistication of social engineering tactics.

As threat actors continue to exploit trusted platforms like Google Meet and Zoom, users and organizations must remain vigilant.

Understanding the mechanics of these attacks and implementing comprehensive detection strategies can mitigate the risks posed by ClickFix and similar threats.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...