Beware of Fake Windows Update Sites
If a website urges you to manually install a “Windows update” via a large blue download button, close the tab. Malwarebytes has reported a counterfeit Microsoft support site, microsoft-update.support, that poses as a source for a cumulative update for Windows 24H2 but actually delivers password-stealing malware. Microsoft distributes cumulative updates through Windows Update and the Microsoft Update Catalog, never as a download from a third-party site, so the premise of the page is already wrong before anything is clicked.
The page closely mimics an official Microsoft site, complete with plausible Knowledge Base (KB) references. Visitors who click through receive an 83MB MSI file named Windowsupdate1.0.0.msi whose file properties also look legitimate. That is not reassuring: the version, company and product strings shown in file properties are attacker-controlled text, and only a valid Authenticode signature chaining to Microsoft says anything about who produced the file.
The Mechanics of the Malware
The site is currently presented in French, which suggests it is initially aimed at French-speaking users, although Malwarebytes cautions that such campaigns can widen quickly. The installer is built with the legitimate WiX Toolset, and its metadata is forged to look authentic, which is enough to pass a casual inspection of the file.
When run, the MSI drops an Electron-based application into the user’s AppData folder and launches further components, including a disguised Python runtime. The malware then downloads additional tools and packages typically associated with data theft, including encryption and process-inspection capabilities, to dig deeper into the Windows system. It specifically targets Discord, modifying the client’s files so that login tokens, payment information and changes to two-factor authentication settings are captured.
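The Discord tampering described above is the kind of change a defender can check for directly. The following is an added example, not code from Malwarebytes or from the campaign; it assumes that a stock Discord install keeps its desktop-core loader as the single line `module.exports = require('./core.asar');` at `app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js` under the install root (verify both against a clean install first), and the tampered loader it scans is a constructed sample, not the real payload. Comparing the file against a known-good hash is a stronger check than pattern matching; the patterns here only label what an altered loader appears to do.

```python
"""Check Discord's desktop_core loader for injected code.

Added example (not code from Malwarebytes or from the campaign described
above). It assumes the stock loader is the single line
`module.exports = require('./core.asar');` located at
app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js under
the Discord install root. The tampered sample is constructed.
"""
import re
import tempfile
from pathlib import Path

# Stock loader content (assumption: matches current Discord desktop builds).
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# Generic traits of a token-stealing loader (assumption; not indicators
# published for this campaign). Used only to annotate a tampered file.
SUSPICIOUS_PATTERNS = {
    "loads http client": r"require\(['\"]https?['\"]\)",
    "reads own account": r"/api/v\d+/users/@me",
    "touches 2FA endpoint": r"mfa/totp",
    "posts to webhook": r"webhook",
}


def classify_index_js(content: str) -> dict:
    """Return {'tampered': bool, 'traits': [...]} for one index.js body."""
    if content.strip() == EXPECTED_INDEX_JS:
        return {"tampered": False, "traits": []}
    traits = [name for name, pat in SUSPICIOUS_PATTERNS.items()
              if re.search(pat, content, re.IGNORECASE)]
    return {"tampered": True, "traits": traits}


def scan_discord_root(root: Path) -> list[dict]:
    """Classify every desktop_core loader found under a Discord install root."""
    findings = []
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    for index_js in sorted(root.glob(pattern)):
        body = index_js.read_text(encoding="utf-8", errors="replace")
        finding = classify_index_js(body)
        finding["path"] = str(index_js.relative_to(root))
        findings.append(finding)
    return findings


# Constructed tampered loader: keeps the stock line so Discord still works,
# then adds an HTTP client that calls the account endpoint.
TAMPERED_SAMPLE = EXPECTED_INDEX_JS + """
const https = require('https');
https.get('https://discord.com/api/v9/users/@me', () => {});
"""


def demo() -> list[dict]:
    """Build a throwaway install with one clean and one tampered version."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for version, body in (("app-1.0.9001", EXPECTED_INDEX_JS + "\n"),
                              ("app-1.0.9002", TAMPERED_SAMPLE)):
            mod = root / version / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
            mod.mkdir(parents=True)
            (mod / "index.js").write_text(body, encoding="utf-8")
        return scan_discord_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, point `scan_discord_root` at the Discord install directory (the location varies between Discord builds, so confirm the path rather than assuming it) and treat any `tampered: True` result as a reason to reinstall Discord, revoke sessions and rotate the account password.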
Malwarebytes also reports that the malware fingerprints each victim by recording their IP address and geolocation. Its command-and-control infrastructure is hosted on commodity platforms such as Render and Cloudflare Workers, and stolen data is uploaded through file-sharing services such as Gofile. These are legitimate, widely used services, so blocking them outright is rarely practical; the useful signal is which process on the machine is talking to them.
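Two of the habits described on this page leave traces in ordinary proxy or EDR network logs: a Microsoft-lookalike domain serving the download, and a program dropped under the user profile talking to commodity hosting. The following triage script is an added example, not code from the report. It assumes that the providers named above resolve under onrender.com, workers.dev and gofile.io, that the dropped Electron app runs from a path under AppData (the report says the MSI writes it there but does not name the executable, so the process name used here is constructed), and the log lines themselves are constructed.

```python
"""Triage network records for a Microsoft-lookalike download domain and
for user-profile binaries reaching commodity hosting used for C2/exfil.

Added example, not code from Malwarebytes. Domain suffixes for the named
providers, the AppData heuristic and the log lines are all assumptions
or constructed data.
"""
import csv
import io

# Domains Microsoft actually uses for update delivery (partial allowlist).
MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com", "windows.com")
# Brand words whose presence on a non-Microsoft host is worth a look.
BRAND_TERMS = ("microsoft", "windows", "update")
# Assumed suffixes for the hosting providers named in the report.
COMMODITY_HOSTING = {
    "onrender.com": "Render",
    "workers.dev": "Cloudflare Workers",
    "gofile.io": "Gofile",
}

# Constructed log: timestamp,process_path,destination_host
SAMPLE_LOG = r"""
2025-01-10T09:12:01Z,C:\Program Files\Mozilla Firefox\firefox.exe,microsoft-update.support
2025-01-10T09:12:44Z,C:\Windows\System32\svchost.exe,download.windowsupdate.com
2025-01-10T09:13:10Z,C:\Users\alice\AppData\Local\UpdateService\update.exe,constructed-app.onrender.com
2025-01-10T09:13:12Z,C:\Users\alice\AppData\Local\UpdateService\update.exe,constructed.workers.dev
2025-01-10T09:14:05Z,C:\Users\alice\AppData\Local\UpdateService\update.exe,api.gofile.io
2025-01-10T09:15:00Z,C:\Program Files\Google\Chrome\Application\chrome.exe,www.microsoft.com
"""


def under(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it (suffix match on labels)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_microsoft_host(host: str) -> bool:
    return any(under(host, d) for d in MICROSOFT_DOMAINS)


def impersonates_microsoft(host: str) -> bool:
    """Brand words in a host that is not actually under a Microsoft domain."""
    return not is_microsoft_host(host) and any(t in host.lower() for t in BRAND_TERMS)


def hosting_provider(host: str):
    for domain, name in COMMODITY_HOSTING.items():
        if under(host, domain):
            return name
    return None


def runs_from_user_profile(process_path: str) -> bool:
    """Installers that drop into AppData produce binaries on such paths."""
    return "\\appdata\\" in process_path.lower()


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, host, reason) alerts for the log lines given."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) != 3:
            continue
        ts, proc, host = row
        if impersonates_microsoft(host):
            alerts.append((ts, host, f"Microsoft-lookalike domain contacted by {proc}"))
        provider = hosting_provider(host)
        if provider and runs_from_user_profile(proc):
            alerts.append((ts, host, f"{provider} reached from user-profile binary {proc}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The brand-word check is deliberately crude and will also fire on legitimate third-party hosts that contain “update”; pair it with an allowlist of the update domains your environment actually uses rather than extending the keyword list. The second rule is the more durable one, since a signed Microsoft component running from System32 and an unsigned Electron app in AppData should never look the same in your telemetry.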
Understanding the Risks
One unsettling detail in the Malwarebytes analysis is that, at the time of writing, the main executable and launcher had zero detections across the antivirus engines on VirusTotal. The malware avoids presenting a clearly malicious binary: its logic is spread across obfuscated JavaScript, genuine Electron components and Python tooling fetched at runtime, so a static scan of the dropped files has little to latch onto. A clean VirusTotal result is therefore not evidence that a file is safe, only that nothing has flagged it yet. The practical lesson is simple: this fraudulent Windows support site is not a way to secure your PC; it exists to compromise it.
For further details, see the full Malwarebytes report.
Image Credit: www.digitaltrends.com