A fake Microsoft support website is tricking users into downloading malware disguised as a Windows update. The campaign targets French-speaking users in particular, building on the large volume of personal data already circulating from earlier breaches.
Once installed, the malware steals passwords, payment details and account credentials. The fake update installs an Electron application that bundles a Python interpreter and uses it to run the actual payload, so the malicious logic executes as Python rather than sitting in the installed executable.
The numbers explain why France was chosen: roughly 19 million subscriber contracts in the country were exposed in a single breach, and some 90 million records have been aggregated from various breaches. That volume of leaked identity data, on top of the cascade of breaches France has seen over the past two years, makes French users an attractive target for credential theft.
The malware uses two persistence mechanisms to survive reboots: a registry entry and a shortcut in the Startup folder. Removing only one of them is not enough; the other relaunches the malware at the next logon, which complicates cleanup.
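The following PowerShell is added here as an illustration and is not code from the report or the analysed sample. It walks the two autostart locations the write-up names, the Run registry values and the Startup folders, and reports launchers that match what the article describes: a script such as a .vbs, a target that is unsigned or missing, or a target living in the user profile. The heuristics and path patterns are assumptions chosen for illustration, not published indicators.

```powershell
# Added example: hunt for the two persistence mechanisms described above.
# Indicator heuristics are assumptions for illustration, not published IOCs.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Split-CommandLine {
    # Split an autostart command line into the launcher path (quotes removed,
    # environment variables expanded) and the remaining arguments.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"\s*(.*)$') {
        $exe  = $Matches[1]
        $rest = $Matches[2]
    } else {
        $parts = $CommandLine.Trim() -split '\s+', 2
        $exe   = $parts[0]
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    [pscustomobject]@{
        Path      = [Environment]::ExpandEnvironmentVariables($exe)
        Arguments = $rest
    }
}

function Test-SuspiciousLauncher {
    # Return the reasons (possibly none) why an autostart entry deserves a closer look.
    param([string]$Path, [string]$Arguments)
    $reasons = @()
    if ($Path -match '\.(vbs|js|wsf|bat|cmd|ps1)$') { $reasons += 'script used as launcher' }
    if ($Path -match '(wscript|cscript)\.exe$' -and $Arguments -match '\.(vbs|js|wsf)') {
        $reasons += 'wscript/cscript launching a script'
    }
    if ($Path -match '\\AppData\\(Local|Roaming)\\') { $reasons += 'runs from the user profile' }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        # Scripts come back NotSigned; a binary that is not validly signed is a red flag.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status: $($sig.Status)" }
    } else {
        $reasons += 'target not found on disk'
    }
    return $reasons
}

$findings = New-Object System.Collections.Generic.List[object]

# Persistence mechanism 1: values under the Run keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the registry provider's own metadata members
        $cmd = Split-CommandLine ([string]$prop.Value)
        $why = Test-SuspiciousLauncher -Path $cmd.Path -Arguments $cmd.Arguments
        if ($why) {
            $findings.Add([pscustomobject]@{
                Location = "$key\$($prop.Name)"; Target = $cmd.Path
                Arguments = $cmd.Arguments; Reasons = ($why -join '; ')
            })
        }
    }
}

# Persistence mechanism 2: shortcuts (or files dropped directly) in the Startup folders.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    foreach ($item in (Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue)) {
        if ($item.Name -ieq 'desktop.ini') { continue }
        if ($item.Extension -ieq '.lnk') {
            $lnk    = $shell.CreateShortcut($item.FullName)
            $path   = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
            $argStr = $lnk.Arguments
        } else {
            $path   = $item.FullName   # a script or binary placed straight into Startup
            $argStr = ''
        }
        $why = Test-SuspiciousLauncher -Path $path -Arguments $argStr
        if ($why) {
            $findings.Add([pscustomobject]@{
                Location = $item.FullName; Target = $path
                Arguments = $argStr; Reasons = ($why -join '; ')
            })
        }
    }
}

if ($findings.Count -eq 0) { 'No suspicious entries in the Run keys or Startup folders.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an ordinary PowerShell session; the HKLM Run keys are readable without elevation. Any entry it lists should be cross-checked in both locations before deleting, because leaving one of the two mechanisms in place is exactly what lets the malware come back after a reboot.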
The malware also contacts external sites to look up the victim's public IP address and to reach its command-and-control server. At the time of analysis, VirusTotal reported zero detections for the main executable across 69 engines and zero for the VBS launcher across 62. That says more about how new the samples were than about how sophisticated they are: freshly built files routinely pass signature-based scanners. As Chongwei Chen noted, “Windows updates are cumulative but not infinitely so,” emphasizing the importance of vigilance when it comes to software updates.
Anyone who installed this “update” should treat the machine as compromised: remove both persistence entries, and change passwords and payment credentials from a clean device, since those are exactly what the malware collects. Going forward, obtain standalone update packages only through the Microsoft Update Catalog, the only legitimate source for manual downloads, and check the Authenticode signature of any package before running it. A domain like microsoft-update[.]support may look plausible, but it is not connected to Microsoft; the real Catalog lives under catalog.update.microsoft.com.
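Two checks worth running before trusting a “Windows update” obtained outside Windows Update or WSUS, written here as an added PowerShell example rather than taken from the article: is the download host actually a Microsoft-controlled domain, and is the package Authenticode-signed by Microsoft with the hash the Catalog page lists? The domain allowlist, the sample URLs and the placeholder file path are assumptions for illustration.

```powershell
# Added example: verify where an update came from and whether Microsoft signed it.
# The allowlist and sample inputs are assumptions, not from the article.

function Test-MicrosoftHost {
    # True only if the URL is HTTPS and its host is exactly one of, or a subdomain of,
    # an allowlisted domain. Lookalikes such as microsoft-update.support or
    # microsoft.com.example.net fail because the suffix match is anchored at a dot.
    param(
        [string]$Url,
        [string[]]$Allowed = @('microsoft.com', 'windowsupdate.com')   # assumed allowlist
    )
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($d in $Allowed) {
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Test-UpdatePackage {
    # Verify a downloaded .msu/.cab/.exe: valid Authenticode chain, Microsoft as the
    # signer, and (optionally) the SHA-256 published for the package on the Catalog page.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $hash   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # 'Valid' means the chain verified against the machine's trust store; the subject
    # check alone is not enough, because any signer can put "Microsoft" in a CN.
    $signedByMs = ($sig.Status -eq 'Valid' -and $signer -match '(^|, )CN=Microsoft ')
    $hashOk = if ($ExpectedSha256) { $hash -ieq $ExpectedSha256 } else { $null }
    [pscustomobject]@{
        File               = $Path
        SignatureStatus    = $sig.Status     # NotSigned or HashMismatch are red flags
        Signer             = $signer
        SignedByMicrosoft  = $signedByMs
        Sha256             = $hash
        HashMatchesCatalog = $hashOk         # $null when no expected hash was supplied
    }
}

# Constructed sample URLs: the real Catalog host and the lookalike named in the article.
$samples = @(
    'https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative',
    'https://microsoft-update.support/update.exe',
    'http://www.catalog.update.microsoft.com/'      # right host, wrong scheme
)
foreach ($u in $samples) {
    '{0,-70} Microsoft-controlled: {1}' -f $u, (Test-MicrosoftHost $u)
}

# Placeholder path and hash; substitute the file you downloaded and the SHA-256
# shown in the package details on the Catalog page.
# Test-UpdatePackage -Path 'C:\Downloads\update.msu' -ExpectedSha256 '<hash from the Catalog page>'
```

The host check is deliberately strict about the suffix: `microsoft-update.support` ends in neither `.microsoft.com` nor `.windowsupdate.com`, so it fails even though it contains the word “microsoft”. A package that passes `Test-MicrosoftHost` but comes back `NotSigned`, or signed by anyone other than Microsoft, should not be run.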
The broader lesson is that a clean result on VirusTotal, even zero detections across every engine, does not prove a file is safe; it only means no engine has a signature for it yet. Treat unsolicited “updates” and lookalike support sites with suspicion, and stay informed about campaigns like this one.