Windows processes

Winsage
February 19, 2025
A significant alert has been issued for Microsoft Windows users regarding the Snake Keylogger, an advanced keylogger capable of extracting sensitive information from web browsers like Chrome, Edge, and Firefox. It logs keystrokes, captures credentials, and monitors clipboard activity. The malware has already infiltrated millions of PCs and activates upon system restart, disguising itself among benign Windows processes. Fortinet reports that the Snake Keylogger has been circulating since 2020, infiltrating systems through malicious Office documents or PDFs attached to emails. If opened with macros enabled or using vulnerable software, the malware executes. It employs AutoIt scripting to obfuscate its operations and sets its attributes to hidden to complicate detection. The keylogger places a file in the Windows Startup folder to ensure it launches automatically with each restart, maintaining access to the compromised system. Once installed, it checks its environment to capture specific security credentials through keystrokes, clipboard data, or browser autofill information, transmitting this data to its handlers. Fortinet has observed the Snake Keylogger in various countries, including China, Turkey, Indonesia, Taiwan, and Spain. Users are advised to keep security software updated and exercise caution with email attachments from untrusted sources.
Winsage
February 18, 2025
Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.
Winsage
February 14, 2025
A vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is being actively exploited by the Chinese APT group Mustang Panda. This low-severity vulnerability affects how Windows processes files from compressed RAR archives, making extracted files invisible in the Windows Explorer GUI while still accessible via command-line tools. Mustang Panda uses this vulnerability to hide malicious files within archives, facilitating stealthy attacks through phishing campaigns. Despite its exploitation, Microsoft has rated the vulnerability as low-severity, which may indicate limited potential damage. Cybersecurity experts warn that such vulnerabilities can have significant implications when used in larger attack strategies.
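Two of the entries above describe the same blind spot from the defender's side: the Snake Keylogger summary says the malware drops a file into the Windows Startup folder and sets its attributes to hidden, and the Mustang Panda summary says files extracted from crafted RAR archives stay invisible in the Explorer GUI while remaining visible to command-line tools. The PowerShell script below is an added example written for this page, not code from Fortinet, ClearSky, Trend Micro or Winsage. It enumerates both Startup folders (per-user and all-users) with `-Force`, so Hidden and System items that a default listing omits are included, flags those attributes, and hashes each file for triage. The optional `-ExtraPath` parameter is an assumption of this example, meant for any other directory you want inspected the same way, such as a folder an archive was just extracted into.

```powershell
# Added example (not from the original articles): list the contents of the
# Windows Startup folders, including Hidden/System files that a default
# Explorer view would not show, and optionally any extra directories.
[CmdletBinding()]
param(
    # Extra directories to inspect with the same rules (assumed parameter,
    # e.g. a directory an archive was extracted into).
    [string[]]$ExtraPath = @()
)

function Get-HiddenStartupItems {
    param([string[]]$Path)

    foreach ($folder in $Path) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        # -Force includes Hidden and System entries that a plain listing skips.
        Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $attrs  = $_.Attributes
                $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
                $system = ($attrs -band [IO.FileAttributes]::System) -ne 0
                $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                               -ErrorAction SilentlyContinue).Hash
                [PSCustomObject]@{
                    Folder     = $folder
                    Name       = $_.Name
                    Hidden     = $hidden
                    System     = $system
                    # Any Hidden or System file in a Startup folder is unusual
                    # and worth a closer look.
                    Suspicious = ($hidden -or $system)
                    SizeBytes  = $_.Length
                    LastWrite  = $_.LastWriteTime
                    SHA256     = $hash
                }
            }
    }
}

# Real Windows special-folder locations: the current user's Startup folder and
# the all-users Startup folder under ProgramData.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) + $ExtraPath

$items = Get-HiddenStartupItems -Path $startupFolders

# Show flagged entries first so the items Explorer would hide are on top.
$items |
    Sort-Object -Property Suspicious, Hidden, System -Descending |
    Format-Table -AutoSize

$flagged = @($items | Where-Object { $_.Suspicious })
Write-Host ("{0} file(s) enumerated, {1} with Hidden or System attributes." -f $items.Count, $flagged.Count)
```

Run it as is to review the Startup folders, or pass `-ExtraPath 'C:\path\to\extracted\archive'` (placeholder path) after extracting an attachment to see every file the archive really contained. Because `Get-ChildItem -Force` is the command-line view the Mustang Panda summary refers to, a file that appears here but not in Explorer is exactly the discrepancy described; the SHA256 column lets you check such a file against your own threat intelligence without copying it anywhere.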
Winsage
November 14, 2024
Microsoft released its latest Patch Tuesday update, which includes updates KB5046613, KB5046615, KB5046612, and KB5046665 for Windows 10 users, and KB5046617 and KB5046633 for Windows 11 users. The Windows 11 update fixes a bug in the Task Manager that incorrectly displayed background and Windows processes as zero, while the Windows 10 updates resolve an issue preventing non-administrative users from launching applications like Teams and Quick Assist. Windows 11 users may encounter a new bug that incorrectly states their version has reached the end of service, despite having the latest cumulative update KB5046633. Microsoft has also deployed update KB5001716 to notify users about the impending end of support for their operating system versions. Additionally, Microsoft is discouraging downloads of Windows 10, even from official sources, to promote transitions to newer operating systems.
Winsage
November 13, 2024
Microsoft released an update (KB5046617) for Windows 11 24H2 and Windows Server 2025 that addresses security concerns and includes quality improvements. The update fixes a Task Manager glitch that incorrectly displayed zero counts for active applications when using the "Group by Type" option. It also resolves access issues related to Dev Drive for Windows Subsystem for Linux and installation delays of up to 40 minutes on certain hardware configurations. Additionally, it addresses failures during installations and extended restart times on Windows Server 2025 systems with 256 or more logical processors. Microsoft has been working on known issues, including a problem with fingerprint sensors and an unexpected upgrade issue affecting Windows Server 2019 and 2022 systems.
Winsage
November 1, 2024
Microsoft has acknowledged a reporting anomaly in the Task Manager of Windows 11, where it shows zero running applications and background processes after installing the October 2024 non-security preview update (KB5044384) for Windows 11 24H2 systems. This issue primarily affects devices with the "Group by Type" view enabled, although the Task Manager remains functional and users can still access the list of active applications and processes. Microsoft is investigating the matter and plans to include a fix in an upcoming Windows update. Additionally, a separate bug in Windows 10 was preventing certain applications from launching from non-admin accounts, which has been addressed using the Known Issue Rollback feature.
Winsage
October 31, 2024
Users have reported mixed experiences with Windows 11, version 24H2, particularly regarding the KB5044384 optional update released in October 2024. This update has introduced a bug that causes the Task Manager to inaccurately display the number of active applications, showing "0" for Apps, Background Processes, and Windows Processes when the "Group by Type" view is enabled. Microsoft has acknowledged this issue and plans to provide a fix. Users can uninstall the KB5044384 update to restore accurate reporting by navigating to Settings > Windows Update > Update history > Uninstall updates.
Winsage
October 30, 2024
All versions of Windows clients, from Windows 7 to Windows 11, are exposed to a critical 0-day vulnerability that allows attackers to capture NTLM authentication hashes. This vulnerability was reported by ACROS Security after their investigation into CVE-2024-38030, which involved Windows Themes spoofing. The flaw facilitates an authentication coercion attack, where a vulnerable device sends NTLM hashes to an attacker’s system. The issue arises from how Windows processes theme files, particularly due to inadequate validation of file paths. This is the third vulnerability linked to the same file path problem. Microsoft is aware of the report and will take necessary actions, but no CVE has been issued yet. Attackers do not need special privileges but must convince users to interact with a malicious theme file. Disabling NTLM is advised, although it may cause functional issues in dependent network components.
Tech Optimizer
October 26, 2024
Offering antivirus or security suite protection for free can enhance brand awareness and goodwill among consumers, but financial sustainability is at risk without a significant number of users upgrading to paid versions. Avira Internet Security's annual fee for a single installation is .99, with a three-license subscription costing .99, and a five-license option priced at .99, making it the highest rate for an entry-level security suite. The interface of Avira Internet Security is similar to Avira Free Security, and both versions provide basic features, including real-time protection and a file shredder. Avira achieved an aggregate score of 9.7 in antivirus testing but detected 97% of malware samples. Its Browser Safety extension blocked 98% of harmful URLs, while Web protection achieved 97% effectiveness. Avira's ransomware protection likely functions well, but its efficacy could not be definitively proven. The Software Updater Pro feature allows users to manage application updates, but it requires manual intervention. Avira Password Manager offers unlimited password syncing across devices in its free version, while the Pro edition provides a security status report. The simple firewall included in Avira Internet Security offers basic network protection and is easy to configure. Overall, most valuable features are available in the free edition, and Bitdefender Internet Security is recommended as a superior alternative.