If you’re anything like me, you keep a sharp eye on your Windows Defender updates to make sure your PC is protected against the latest threats. However, while Defender is remarkably good at catching dodgy files these days, it can’t do a whole lot about users bypassing its security methods themselves, if convinced to do so.

Which is precisely what a new variant of the known ClickFix malware has been caught doing: tricking users into thinking that an innocent Windows Update requires them to paste a malicious command into the Run window (via Bleeping Computer). Researchers at security services provider Huntress have detailed the new method in a blog post, and it’s quite the feat of social engineering.

Essentially, a browser window containing a full-screen version of what looks to be a Windows Update screen launches, with the familiar blue background (although with a suspicious-looking font). After the update is “complete”, the last step prompts the user to hold the Windows key and R, opening a Run instance.

Unfortunate victims are then told to press Ctrl+V, which pastes malicious code that has been automatically copied to the machine’s clipboard into the Run prompt. Pressing Enter runs a PowerShell command, which in turn decrypts and loads a sequence of reflective .NET assemblies used for process injection.

After a convoluted sequence of evasion tactics, a .png file containing shellcode is reconstructed, eventually installing an infostealer variant. It’s a remarkably involved process, all begun by the user kicking off the main sequence of events themselves.
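A defender-side triage helper for the Run-dialog step described above, added here and not taken from Huntress or PC Gamer: Windows keeps what a user types into the Win+R box under the RunMRU registry key, and this script parses an export of that key and flags pasted interpreter commands of the kind a real Windows Update would never ask for. The registry contents are constructed sample data, and the indicator names and the length threshold are my own assumptions.

```python
"""Triage Run-box history (RunMRU) for pasted ClickFix-style commands.

HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU holds one
value per entry ('a', 'b', ...) stored as '<command>\\1', plus 'MRUList',
whose letters give the most-recent-first order. On a live host you would read
these with the winreg module; here the key is CONSTRUCTED sample data.
"""
import re

# Constructed export of a RunMRU key (not real victim data). Entry 'c' is the
# kind of command the fake update page drops on the clipboard; the payload is
# a placeholder, not real encoded content.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -nop -ep bypass -e <BASE64_PLACEHOLDER>\\1",
}

# Interpreters and helpers that a typed Run entry rarely launches by hand.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|certutil|curl)\b", re.I)

# Indicator names are this script's own labels, chosen for readability.
SUSPICIOUS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"\s-e(nc(odedcommand)?)?\s", re.I),
    "bypass exec policy": re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I),
    "download/exec": re.compile(
        r"\b(iex|invoke-expression|downloadstring|irm|invoke-restmethod|invoke-webrequest)\b", re.I),
}

def parse_runmru(values):
    """Return (slot, command) pairs most-recent-first, with the '\\1' suffix removed."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        entries.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return entries

def score_command(cmd):
    """List the reasons a Run entry looks pasted rather than typed; empty if benign."""
    reasons = ["interpreter launched from Run"] if INTERPRETERS.search(cmd) else []
    reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
    if len(cmd) > 120:  # assumed threshold: nobody types a 120+ character Run command
        reasons.append("unusually long for a typed command")
    return reasons

def triage(values):
    """Map each suspicious Run entry to its reasons; benign entries are dropped."""
    return {cmd: score_command(cmd) for _, cmd in parse_runmru(values) if score_command(cmd)}
```

The same scoring applies to Run-box entries surfaced by EDR or forensic registry tooling; the point is that a PowerShell launch from the Run dialog, with a hidden window and an encoded payload, is the artefact this lure leaves behind.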


Huntress goes into more detail as to exactly how a dodgy .png file can be used to inject malware into your system, but if I were to explain it all here, I’d need eight more paragraphs and quite possibly a short nap. It’s a very novel approach, put it that way, but it’s the social engineering aspect of this particular “lure” that has me intrigued.

After all, I’m forever telling my friends and relatives to keep Windows updated as a best security practice, but I can’t do a whole lot to protect the less vigilant of them from falling for a relatively convincing fake.

As a final PSA, though, I’d say that Windows Update should never ask you to interact with any system processes yourself, and you also shouldn’t accept free candy from strangers. That oughta do it, don’t you think?

From PC Gamer (latest articles RSS feed)