Stealthy Malware Campaign Uses Fake Windows Update Site To Infect PCs

A new malware campaign has emerged, revealing a sophisticated method of stealing sensitive information from unsuspecting Windows users, as reported by the security experts at Malwarebytes Labs. This attack’s effectiveness stems from both the design of the malware and the use of a cleverly crafted fraudulent clone of a Microsoft website.

Potential victims are lured to a typo-squatted web address that appears legitimate at first glance. Upon arrival, they encounter a webpage that claims to host the Windows 11 24H2 update, which closely resembles an official Microsoft site. Once users click on the “download the update” button, they receive a file named WindowsUpdate 1.0.0.msi. This file is built using what Malwarebytes describes as a “legitimate open-source installer framework.” The attackers employ a mix of Electron, JavaScript, and Python throughout the installation process, resulting in malware that is challenging to analyze and detect. Notably, “VirusTotal showed zero detections across 69 engines for the main executable,” and it was categorized as “low risk” by behavioral scoring systems.

The potency of this malware is not solely due to its obfuscated installation process; it also utilizes two distinct techniques to maintain persistence on a victim’s machine. The first technique modifies the Windows registry to add a value called SecurityHealth, mimicking the Windows Security Health feature found in Defender. The second technique involves placing a shortcut named Spotify.lnk in the startup folder, cleverly masquerading as the Spotify music application.
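The two persistence artefacts described above (a Run-style registry value named SecurityHealth and a Spotify.lnk shortcut in a Startup folder) are cheap to triage on a suspect machine. The following read-only PowerShell check is an added example written for this page; it is not code from Malwarebytes or from the article. The article does not say which registry key holds the SecurityHealth value or which Startup folder holds the shortcut, so the key list and the per-user/all-users Startup folders below are assumptions. Note that a legitimate SecurityHealth Run value exists on stock Windows (Defender's tray helper under the Windows directory), so the check reports the value's data rather than treating the name alone as malicious.

```powershell
# Added example (not from the Malwarebytes report or the article): read-only triage
# for the two persistence artefacts the article names.
# Assumptions not stated in the article: the SecurityHealth value lives in one of the
# usual Run/RunOnce keys, and the shortcut sits in a standard Startup folder.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = Get-ItemProperty -Path $key -Name SecurityHealth -ErrorAction SilentlyContinue
    if ($null -eq $value) { continue }

    $data     = [string]$value.SecurityHealth
    $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
    # Stock Windows registers Defender's tray helper under this name, pointing into the
    # Windows directory. A SecurityHealth value that resolves anywhere else is suspect.
    $findings += [pscustomobject]@{
        Artefact   = "Run value 'SecurityHealth'"
        Location   = $key
        Data       = $data
        Suspicious = -not ($expanded -like "$env:windir\*")
    }
}

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    $lnk = Join-Path $folder 'Spotify.lnk'
    if (-not (Test-Path $lnk)) { continue }
    # Resolve the shortcut target so an analyst can compare it against a known Spotify
    # install; the shortcut name alone proves nothing, so it is flagged for review.
    $target = $shell.CreateShortcut($lnk).TargetPath
    $findings += [pscustomobject]@{
        Artefact   = "Startup shortcut 'Spotify.lnk'"
        Location   = $lnk
        Data       = $target
        Suspicious = $true
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SecurityHealth Run value or Spotify.lnk Startup shortcut found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM keys and the all-users Startup folder are readable. A SecurityHealth value whose data points into the Windows directory is the normal Defender entry; a value pointing anywhere else, or any Spotify.lnk in a Startup folder whose target is not the Spotify client, is worth pulling the referenced file for analysis.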

Currently, this campaign primarily targets French-speaking users, but it is expected that attackers from other regions will quickly adopt similar tactics. To mitigate the risk of falling victim to such attacks, Windows users are advised to apply updates exclusively through the Windows Update feature located within the operating system’s Settings menu.
