A new wave of cyberattacks dubbed “ClickFix” has been uncovered by cybersecurity experts at Sekoia, targeting Windows and macOS users through fake Google Meet pages. This sophisticated campaign poses a significant threat to corporate security, especially in the context of increased remote work adoption.
Understanding the ClickFix Attack Mechanism
ClickFix, also known as ClearFake or OneDrive Pastejacking, employs advanced social engineering tactics. Cybercriminals send victims emails masquerading as Google Meet invitations for business meetings. When users click the link, they’re directed to a convincing but fraudulent page reporting a technical issue, such as microphone problems.
The attackers then persuade victims to manually copy and execute malicious PowerShell code, ostensibly to resolve the issue. In reality, this code downloads and installs dangerous malware onto the victim’s device, compromising their security.
Target Sectors and Malware Distribution
Research indicates that ClickFix attacks primarily focus on transportation and logistics companies. This targeting strategy likely stems from these industries’ critical role in the global economy and the potential high value of stolen data.
Windows users fall victim to the installation of StealC and Rhadamanthys infostealers, while macOS users are prompted to download a malicious disk image containing the Atomic stealer.
Identifying Phishing Domains
Sekoia experts have identified several suspicious domains used in this campaign. These domains often mimic legitimate Google Meet URLs, such as:
- meet.google.us-join[.]com
- meet.googie.com-join[.]us
- meet.google.web-joining[.]com
It’s crucial to note that genuine Google Meet URLs always end with “google.com” without additional elements.
Links to Known Hacking Groups
Sekoia analysts have connected this campaign to two hacking groups: Slavic Nation Empire (also known as Slavice Nation Land) and Scamquerteo. Both groups are subdivisions of larger collectives: markopolo and CryptoLove.
Researchers speculate that these groups may be utilizing shared infrastructure and materials for creating phishing pages. This suggests the possible existence of a previously unknown hacking service providing tools for such attacks.
Implications for Cybersecurity
The ClickFix campaign underscores the evolving sophistication of cyberattacks and the critical need for constant vigilance. Organizations are strongly advised to enhance employee cybersecurity training, with a particular focus on recognizing phishing emails and suspicious web pages. Regular software updates and the use of robust anti-malware solutions remain key measures in combating these threats.
As cyber threats continue to evolve, it’s imperative for individuals and organizations alike to stay informed about the latest attack vectors and maintain a proactive stance on cybersecurity. By fostering a culture of security awareness and implementing robust defensive measures, we can collectively work towards mitigating the risks posed by sophisticated campaigns like ClickFix.
