Fake Google Meet Pages Spread Infostealing Malware

Cybercriminals are using counterfeit Google Meet websites as part of an ongoing malware campaign, known as ClickFix, to deliver information-stealing malware to both Windows and macOS users.

The strategy involves tricking users with fake error messages in their web browsers, prompting them to copy and run malicious PowerShell commands, ultimately leading to their systems being infected.

According to a report from a researcher, these attacks have been growing in frequency, with attackers using various fake websites to lure victims into running encoded PowerShell scripts under the guise of fixing browser display issues.

ClickFix, also referred to as ClearFake or OneDrive Pastejacking, has been observed across numerous platforms, including well-known services like Facebook, Google Chrome, and reCAPTCHA. Recently, the campaign has expanded to mimic Google Meet and possibly Zoom, using fake domains such as:

– meet.google.us-join[.]com
– meet.google.web-join[.]com
– us01web-zoom[.]us
– webroom-zoom[.]us

On Windows systems, this campaign delivers the StealC and Rhadamanthys infostealers, while macOS users are targeted with a malicious disk image file disguised as a legitimate launcher, which installs the Atomic stealer.

What makes this attack particularly dangerous is its ability to slip past security defenses. Rather than executing automatically the way a dropped malicious file would, it relies on tricking users into manually running the harmful PowerShell commands themselves. Because the user, not the malware, initiates execution, the tactic evades many traditional security tools that look for automated infection chains.
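As an added example (not code from the original report), the following Python triage over constructed process-creation events shows one defender-side signal that survives the user-initiated launch: an encoded, hidden-window PowerShell command spawned by explorer.exe, which is what a command pasted into the Win+R Run dialog looks like. The event field names and the sample payload are assumptions made for the demonstration.

```python
import base64
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand and -WindowStyle; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")

def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand text (UTF-16LE), '<undecodable>' for a malformed blob, None if absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return "<undecodable>"

def triage(event):
    """Score one process-creation event; return an alert dict when two or more indicators coincide."""
    if not event["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    cmd, reasons = event["cmdline"], []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    # A command pasted into the Win+R Run dialog (what ClickFix pages ask for) runs as a child
    # of explorer.exe. Alone that is an ordinary interactive shell; combined with the above it is not.
    if event["parent"].lower().endswith("\\explorer.exe"):
        reasons.append("interactive launch (explorer.exe parent)")
    if len(reasons) < 2:
        return None
    return {"cmdline": cmd, "reasons": reasons, "decoded": decoded}

def scan(events):
    return [alert for alert in map(triage, events) if alert]

# Constructed sample events (Sysmon Event ID 1 style); the encoded payload is a harmless stand-in, not the campaign's script.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_B64 = base64.b64encode("Write-Host 'display fix'".encode("utf-16le")).decode()
EVENTS = [
    {"parent": "C:\\Windows\\explorer.exe", "image": PS,
     "cmdline": f"powershell.exe -w hidden -nop -enc {SAMPLE_B64}"},                 # pasted into Run
    {"parent": "C:\\Windows\\System32\\svchost.exe", "image": PS,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},  # scheduled task
    {"parent": "C:\\Windows\\explorer.exe", "image": PS, "cmdline": "powershell.exe"},    # user opened a shell
    {"parent": "C:\\Windows\\System32\\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand ZZZ"},              # malformed blob
]
```

Decoding the blob lets an analyst see what the user was told to run without executing it; requiring two indicators keeps ordinary interactive shells and scheduled tasks out of the alert queue.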

The campaign appears to be orchestrated by two trafficking groups, Slavic Nation Empire and Scamquerteo, which are subgroups of larger cybercrime organizations. These groups are likely using shared infrastructure and tools, suggesting the involvement of an unknown third party that may be managing the setup for them.

The rise in these types of attacks coincides with a broader trend of open-source infostealers becoming more prevalent. Several new malware families, including ThunderKitty, Divulge, DedSec, Duck, and others, have surfaced recently, further complicating the cyber threat landscape.

These tools, often freely available, are making it easier for more actors to launch sophisticated attacks, posing significant risks to businesses and individuals alike.

To safeguard against these attacks, users should be cautious when encountering unexpected error messages on websites, especially those asking them to run scripts or commands.

It’s crucial to verify the legitimacy of the site before engaging with any prompts. Additionally, enabling real-time browser protection and avoiding manual execution of unfamiliar commands can help reduce the risk of falling victim to such tactics.