A troubling development has emerged as a fake Microsoft support website is deceiving users into downloading malware disguised as a Windows update. This malicious campaign primarily targets French-speaking individuals, who are particularly vulnerable due to a recent surge in data breaches that have compromised millions of personal records.
The malware involved is designed to steal sensitive information, including passwords, payment details, and account access. It installs an Electron application that runs a Python interpreter to execute its harmful payload. Notably, the malware employs two persistence mechanisms to ensure it survives system reboots: it creates a registry entry and places a shortcut in the Startup folder.
According to reports, France has been a hotbed for data breaches, with approximately 19 million subscriber contracts affected by a breach in the country. Furthermore, the breach of France Travail has compromised around 43 million records, contributing to a staggering total of 90 million records aggregated from various breaches. This context makes French-speaking users prime targets for credential theft, as their personal information is readily available on the dark web.
VirusTotal, a popular malware detection service, showed zero detections across 69 engines for the main executable and across 62 engines for the VBS launcher associated with this malware. This alarming statistic highlights a significant risk: a zero-detection result does not guarantee that a file is safe. As cybersecurity expert Chongwei Chen noted, “Windows updates are cumulative but not infinitely so,” emphasizing the importance of vigilance when it comes to software updates.
Users should be cautious, especially when encountering domains that appear legitimate but are not connected to Microsoft, such as microsoft-update[.]support. If you suspect that you may have installed this malicious update, it is crucial to take immediate action to secure your accounts and devices.
Microsoft has advised users to only download standalone update packages through the Microsoft Update Catalog, which is the only legitimate source for manual downloads. This guidance is essential in navigating the current landscape of cyber threats, particularly as the malware reaches out to external sites for IP reconnaissance and command-and-control communication.
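The two persistence mechanisms described above (a registry entry and a Startup-folder shortcut) and the "fake update" disguise can be checked for together on a Windows host. The following PowerShell script is an added example written for this article, not code from the report or from Microsoft; it assumes the registry entry lives in one of the standard Run/RunOnce keys (the article does not name the key) and flags any autostart target that is not Authenticode-signed by Microsoft.

```powershell
# Added example: enumerate Run/RunOnce keys and Startup-folder shortcuts, then check
# whether each launched executable carries a valid Microsoft Authenticode signature.
# The key names and folders are the standard Windows autostart locations (assumption),
# not indicators taken from the article.

function Get-AutostartEntries {
    $entries = @()
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $entries += [pscustomobject]@{ Source = $key; Command = [string]$p.Value }
        }
    }
    # Startup-folder shortcuts: resolve each .lnk to its real target and arguments
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $entries += [pscustomobject]@{ Source = $_.FullName; Command = "$($lnk.TargetPath) $($lnk.Arguments)".Trim() }
        }
    }
    return $entries
}

function Get-TargetExecutable([string]$command) {
    # First quoted token, otherwise first whitespace-delimited token (unquoted paths with spaces are not handled)
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

foreach ($e in Get-AutostartEntries) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-TargetExecutable $e.Command))
    if (-not (Test-Path -LiteralPath $exe)) {
        $verdict = 'REVIEW (target missing)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        $verdict = if ($isMicrosoft) { 'microsoft-signed' } else { "REVIEW ($($sig.Status))" }
    }
    '{0,-24} {1} -> {2}' -f $verdict, $e.Source, $e.Command
}
```

Entries marked REVIEW are not necessarily malicious (third-party software is legitimately signed by other publishers), but an autostart entry pointing at an Electron or Python executable that the user never intentionally installed is the pattern this report describes and merits a closer look.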
As the situation develops, officials and cybersecurity experts are urging users to remain vigilant and report any suspicious activity. The most important takeaway is that users must be proactive in protecting their personal information, especially in light of the recent data breaches that have made credential theft a pressing concern.
