Hackers are targeting victims with fake broken Google Meet calls in an attempt to infect them with malware and obtain their sensitive information, experts have warned.
A report from cybersecurity researchers Sekoia claims that the campaign is a new variant of the previously observed ClickFix attack.
ClickFix victims are shown a fake error page (for example, a browser is out of date and therefore cannot open a certain website) and then offered a solution (a ‘patch’, aka a ‘version upgrade’). If victims don’t realize the ploy and download the ‘fix’, they end up infecting their endpoints with various types of malware.
StealC and Rhadamanthys
In this case, Sekoia researchers found several websites posing as Google Meet videoconferencing landing pages.
People who open these websites will see an error message related to their microphone or camera. The ‘solution’ provided is a PowerShell code, copied to the clipboard, which is executed in the Windows command prompt.
This code ultimately implements the StealC infostealer or Rhadamanthys. For macOS, which is also targeted, the attackers drop the AMOS Stealer as a .DMG file called “Launcher_v194”.
The threat actors in this campaign are called the Slavic Nation Empire (SNE) and Scamquerteo, apparently subgroups of other threat actors called Marko Polo and CryptoLove, respectively.
In addition to Google Meet, Sekoia has discovered that Zoom, PDF readers, fake video games (Lunacy, Calipso, Battleforge, Ragon), Web3 browsers and projects (NGT Studio), and messenger apps (Nortex) are being abused for the same purpose.
The attack most likely starts with a phishing email and is mainly aimed at transport and logistics companies.
Via BleepingComputer