

Severity
High
Analysis Summary
A new ClickFix campaign lures users to phony Google Meet conference pages that claim to be experiencing connectivity issues. The pages then deliver information-stealing malware to Windows and macOS users.
The ClickFix social engineering technique was first observed in May, when a threat actor (TA571) used fake error messages for Google Chrome, Microsoft Word, and OneDrive. The victim's supposed fix for the error was to copy PowerShell code to the clipboard and run it in the Windows Command Prompt. Doing so infected the system with a variety of malware, including Lumma Stealer, XMRig, Amadey Loader, DarkGate, and Matanbuchus.
According to a July analysis, ClickFix campaigns were growing more common, particularly in Japan and the United States. A more recent report finds that ClickFix operations have changed considerably over time: they now make use of phony Facebook pages, phishing emails directed at logistics and transportation companies, Google Meet lures, and fake GitHub issues. The researchers say that two threat groups, Slavic Nation Empire (SNE) and Scamquerteo, believed to be branches of the cryptocurrency scam gangs Marko Polo and CryptoLove, are behind some of the more recent campaigns.
The threat actors are creating phony websites for Google Meet, the video conferencing tool included in the Google Workspace suite and widely used for online collaboration, webinars, and virtual meetings in business settings. Attackers send victims emails posing as official Google Meet invitations for conferences, work meetings, or other significant events. The URLs closely resemble real Google Meet links. When the victim lands on the fraudulent website, a pop-up appears warning of a technical problem, such as a malfunctioning microphone or headset.

When the user clicks "Try Fix," a typical ClickFix infection chain begins: PowerShell code copied from the website is pasted into the Windows prompt and fetches the payload from the 'googiedrivers[.]com' domain. The final payloads on Windows are the Rhadamanthys or Stealc info-stealers. On macOS, the threat actor drops AMOS Stealer via a 'Launcher_v194' .DMG (Apple disk image) file.
In addition to Google Meet, researchers have discovered several other malware distribution clusters, including lures themed around PDF readers, web3 browsers and projects (NGT Studio), Zoom, phony video games (Lunacy, Calipso, Battleforge, Ragon), and messaging programs (Nortex).
Impact
- Sensitive Data Theft
- Cryptocurrency Theft
- Financial Loss
Indicators of Compromise
Domain Name
- meet.google.us-join.com
- meet.googie.com-join.us
- meet.google.com-join.us
- meet.google.web-join.com
- meet.google.webjoining.com
- meet.google.cdm-join.us
- meet.google.us07host.com
- googiedrivers.com
URL
- https://meet.google.com-join.us/wmq-qcdn-orj
- https://meet.google.us-join.com/ywk-batf-sfh
- https://meet.google.us07host.com/coc-btru-ays
- https://meet.google.webjoining.com/exw-jfaj-hpa
- https://googiedrivers.com/fix-error
- https://carolinejuskus.com/kusaka.php?call=launcher
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain cyber hygiene by updating anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software promptly and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.
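The advisory recommends searching your environment for these indicators; the following is an added example (not from the advisory or its authors) that scans web proxy log lines for the lure and payload domains listed above and also flags any hostname that imitates a Google Meet link but is not registered under google.com. The log lines, the `meet.google.example-host.net` host and the log format are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Lure and payload domains taken from the advisory's IoC list (exact matches).
IOC_DOMAINS = {
    "meet.google.us-join.com", "meet.googie.com-join.us", "meet.google.com-join.us",
    "meet.google.web-join.com", "meet.google.webjoining.com", "meet.google.cdm-join.us",
    "meet.google.us07host.com", "googiedrivers.com",
}

# Heuristic (an assumption of this example): a host that starts with "meet.google."
# or "meet.googie." but is not registered under google.com is a lookalike.
LOOKALIKE_RE = re.compile(r"^meet\.goog[il]e\.")

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the .com/.us lures seen here."""
    return ".".join(host.split(".")[-2:])

def classify_host(host: str) -> str:
    """Return 'ioc', 'lookalike' or 'clean' for one hostname."""
    h = host.lower().rstrip(".").replace("[.]", ".")  # accept defanged input too
    if h in IOC_DOMAINS:
        return "ioc"
    if LOOKALIKE_RE.match(h) and registered_domain(h) != "google.com":
        return "lookalike"
    return "clean"

def scan_proxy_log(lines):
    """Return (host, verdict) for every log line whose URL host is suspicious."""
    hits = []
    for line in lines:
        m = re.search(r"https?://\S+", line.replace("[.]", "."))
        if not m:
            continue
        host = urlsplit(m.group(0)).hostname or ""
        verdict = classify_host(host)
        if verdict != "clean":
            hits.append((host, verdict))
    return hits

# Constructed sample proxy log (timestamp, user, method, URL, status).
SAMPLE_LOG = """\
2024-10-18T09:12:01Z user=alice GET https://meet.google.com/abc-defg-hij 200
2024-10-18T09:14:33Z user=bob GET https://meet.google.us-join.com/ywk-batf-sfh 200
2024-10-18T09:15:02Z user=bob GET https://googiedrivers.com/fix-error 200
2024-10-18T09:20:45Z user=carol GET https://meet.google.com-join.us/wmq-qcdn-orj 200
2024-10-18T09:22:10Z user=dave GET https://meet.google.example-host.net/xyz-abcd-efg 200
2024-10-18T09:25:00Z user=erin GET https://docs.google.com/document/d/1 200
""".splitlines()

if __name__ == "__main__":
    for host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:9} {host}")
```

A user who reached googiedrivers.com shortly after a lookalike Meet host is a strong candidate for triage of PowerShell execution on that endpoint.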