Fake IT Support Sites Push Malicious Powershell Scripts as Windows Fixes
Summary:
Fake IT support sites are exploiting common Windows errors like the 0x80070643 error to distribute information-stealing malware through malicious PowerShell "fixes." These sites, identified by eSentire's Threat Response Unit, gain legitimacy by being promoted on compromised YouTube channels. The 0x80070643 error has been a significant issue for Windows users since the January 2024 Patch Tuesday update, which included a fix for a BitLocker encryption bypass flaw (CVE-2024-20666). Many users encountered the error when installing the update due to insufficient disk space in the Windows Recovery Environment (WinRE) partition, which needs 250 megabytes of free space. Microsoft's error message misled users into thinking it was a general installation failure, prompting them to seek online solutions.
Upon execution, the PowerShell scripts install the malware, which then extracts and uploads sensitive data to attacker-controlled servers. The malware can steal credentials, credit card information, cookies, browsing history, cryptocurrency wallets, text files, and Authy 2FA databases. This stolen data is compiled into logs and used for further attacks or sold on dark web marketplaces. Infected users face compromised accounts, potential financial fraud, and privacy breaches, while the stolen data fuels other cyber-attacks, including ransomware.
Security Officer Comments:
Threat actors have capitalized on this frustration by creating fake IT support sites offering PowerShell-based fixes. eSentire found these sites, promoted through YouTube videos. Fake videos promoting fixes for the 0x80070643 error are uploaded to compromised YouTube channels, directing users to these malicious websites. Users are then instructed to run PowerShell scripts or import Windows Registry files from these sites. These scripts are designed to download and install the Vidar information-stealing malware by connecting to remote servers to fetch additional malicious scripts.
Suggested Corrections:
To avoid such threats, users should only download software and fixes from reputable sources, avoiding random websites and videos with little or no reputation. For the 0x80070643 error, it is advisable to use Microsoft's Show or Hide Tool to hide the problematic update instead of seeking unverified fixes online.
IOCs:
https://github.com/esThreatIntelligence/iocs/blob/main/FakeIT_KB_Vidar/FakeIT_KB_Vidar-6-7-2024.txt
Esentire recommends implementing the following controls to help secure your organization:
- Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
- Implement a Phishing and Security Awareness Training (PSAT) Program that educates and informs your employees on emerging threats in the threat landscape.
- Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.
Link(s):
https://www.bleepingcomputer.com/ne...alicious-powershell-scripts-as-windows-fixes/
https://www.esentire.com/blog/fake-it-support-website-leading-to-vidar-infection