ClickFix Leveraging GMeet And Zoom Pages To Deliver Infostealer Malware


A sophisticated social engineering tactic dubbed “ClickFix” has emerged as a significant cybersecurity threat, exploiting fake Google Meet and Zoom conference pages to distribute malicious software.

First identified in May 2024, this deceptive scheme has already gained traction among various threat actors, including the notorious APT28 group. The attack methodology is remarkably consistent across different variants.

SIEM as a Service

Victims are presented with fraudulent error messages on what appears to be legitimate video conferencing platforms, complete with fake microphone and headset problems.

Users are then guided through seemingly innocent steps that ultimately compromise their systems.

Sekoia Threat Detection & Research observed that the infection begins when users are instructed to press “Windows + R” to open the Run command dialog box, followed by “Ctrl + V” to paste malicious code secretly copied to their clipboard via JavaScript.

The final step involves pressing “Enter,” which executes the malicious command, typically using PowerShell or Mshta to download and deploy the payload.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

What makes ClickFix particularly dangerous is its clever use of Windows Explorer as the parent process, making the malicious activity appear more legitimate and harder to detect.

Clickfix infection Routine (Source : Sekoia)

The attack chain varies between operating systems, with macOS users being targeted with direct downloads of the Amos Stealer malware, while Windows users face more complex infection routines.

The Windows infection chain typically follows two main scenarios. In the first, the attack utilizes mshta commands to execute malicious code, while the second employs PowerShell scripts.

Both methods ultimately lead to the download and execution of infostealer malware.

Security researchers have observed that the attack infrastructure includes several components:

  • Fake video conferencing pages that closely mimic legitimate platforms
  • Sophisticated JavaScript code that manipulates the system clipboard
  • Multiple command-and-control servers for payload delivery
  • Advanced evasion techniques to avoid detection

The threat has become so significant that CERT UA has issued a formal report linking some of these attacks to APT28, indicating state-level threat actors are now incorporating this technique into their arsenal.

To protect against ClickFix attacks, organizations are advised to:

  • Implement robust endpoint detection and response (EDR) solutions.
  • Monitor for suspicious PowerShell and mshta.exe activities.
  • Deploy network-level detection mechanisms.
  • Educate users about best practices for video conferencing security.

This emerging threat highlights the evolving nature of social engineering attacks and their increasing sophistication in mimicking legitimate services.

As ClickFix continues to evolve and gain adoption among various threat actors, security teams must remain vigilant and adapt their detection and prevention strategies accordingly.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Source link