That Google Meet invite could be a fake, hiding some dangerous malware

Be careful when receiving video call invitations

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are targeting victims with fake brokenGoogleMeet calls in an attempt to infect them withmalwareand thus grab their sensitive information, experts have warned.

A report from cybersecurity researchers Sekoia claim the campaign is a new variant of the previously-observed ClickFix attack.

ClickFix victims are shown a fake error page (for example, abrowserthat is outdated and thus unable to open a certain website) and then offered a fix (a ‘patch’, or a ‘version upgrade’). If the victims don’t realize the ruse and download the ‘fix’, they end up infecting theirendpointswith different malware.

StealC and Rhadamanthys

In this instance, Sekoia’s researchers found several websites pretending to be Google Meetvideo conferencinglanding pages.

People that open these websites are shown an error regarding their microphone or camera. The offered ‘fix’ is a PowerShell code, copied to the clipboard, which runs in the Windows Command Prompt.

This code ultimately deploys either the StealC infostealer, or Rhadamanthys. FormacOS, which is also targeted, the attackers are dropping the AMOS Stealer as a .DMG file called “Launcher_v194”.

The threat actors in this campaign are called the Slavic Nation Empire (SNE) and Scamquerteo, apparently sub-groups of other threat actors named Marko Polo and CryptoLove, respectively.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Besides Google Meet, Sekoia has found Zoom,PDF readers, fake video games (Lunacy, Calipso, Battleforge, Ragon), web3 browsers and projects (NGT Studio), and messenger apps (Nortex) being abused for the same purpose.

The attack most likely starts with a phishing email, and targets mostly transport and logistics firms.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

GoPro Max 2 hit by further delays – 2025 is the earliest we’ll see the 360-degree action cam