Even though I’ve been immersed in all things tech for some time now, I’m not arrogant enough to think I’ll never be caught out by a phishing email or downloading dodgy software. That’s especially true as online scams grow in sophistication—for instance, there’s a fake Windows support page that tricks users into downloading password-stealing malware.
The fake support page alleges a ‘cumulative update’ for ‘Windows Update version 24H2,’ complete with a KB article number that’s passable at a glance. Anyone who actually hits the big blue ‘Download the update’ button will get a convincingly spoofed Windows Installer package. Unfortunately, this download is actually malware that can hoover up “passwords, payment details, and account access”, according to cybersecurity company Malwarebytes.
Even downloading the dodgy software may not raise alarm bells at first. The suspicious package was built using WiX Toolset 4.0.0.5512, which Malwarebytes describes as “a legitimate open-source installer framework.” The 83 MB package is called ‘WindowsUpdate 1.0.0.msi,’ with an Author field that reads “Microsoft,” and a title of “Installation Database.” The comments field also alleges that the file offers “the logic and data required to install WindowsUpdate.”
So, that’s how it escapes user notice—but it may also squeak past whatever anti-virus you have installed too. “At the time of analysis, VirusTotal showed zero detections across 69 engines for the main executable and 62 for the VBS launcher. No YARA rules matched, and behavioural scoring classified the activity as low risk,” Malwarebytes reported. “This is not a failure of any single tool. It’s the intended result of the malware’s architecture.”
Cracking this bad boy open, it becomes clear the package is flying under the radar due to an Electron shell obfuscating malicious JavaScript inside. In other words, your PC’s automatic defences will ding the outer Electron layer—which is a free and open-source software framework used by plenty of legitimate apps—and won’t wade far enough in to uncover the suss script at its core. I would admire such sneaky construction, were it not for all of the credential sniffing.
(Image credit: Microsoft)
It’s striking the lengths the scammers have gone to ensure this malicious page passes muster, but there is a key giveaway should you find yourself on this fake Windows website. Specifically, you should keep your eyes peeled for the dodgy domain ‘microsoft-update[.]support’—Microsoft’s genuine support hub is found at ‘support.microsoft.com‘.
Microsoft company also offers its own guide on how to download and install Windows updates legitimately for anyone at all unclear. Bottom line, the guide points users towards ‘Windows Update’ under ‘Settings’ in your operating system’s Start menu, rather than an external webpage like the one in the scam. Malwarebytes has additionally updated its anti-virus offering to better detect the latest suss software, and now offers a full rundown of what to do next if you suspect you’ve downloaded it by mistake. After all, it can happen to anyone.
