Windows Update Malware Targets French-Speaking Users


A fake Microsoft support website is tricking users into downloading malware disguised as a Windows update. This malicious campaign primarily targets French-speaking individuals, exploiting a backdrop of significant data breaches in France that have left millions vulnerable to credential theft.

The malware, once installed, is designed to steal sensitive information such as passwords, payment details, and account access. It installs an Electron application that runs a Python interpreter to execute its harmful payload. Notably, the malware employs two persistence mechanisms: a registry entry and a shortcut in the Startup folder, ensuring it remains active even after system reboots.
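A defender-side audit of the two autostart locations the article names, added here as an example; it is not code from the report or from any vendor. It assumes the registry entry sits in a Run key and the shortcut in the per-user Startup folder, since the article does not give the exact key or path.

```powershell
# Added example: list autostart entries in the Run keys and the Startup folder,
# then flag the ones whose traits match the article (a .vbs launcher, a Python
# interpreter, or anything launched from a user-writable profile directory).
# Assumption: the malware's registry entry is in a Run key; both hives are checked.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startup  = [Environment]::GetFolderPath('Startup')   # per-user Startup folder
$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip provider metadata (PSPath etc.)
        $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    # Resolve .lnk shortcuts to their real target; other files are listed as-is.
    $cmd = if ($_.Extension -ieq '.lnk') {
        $lnk = $shell.CreateShortcut($_.FullName)
        "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
    } else { $_.FullName }
    $findings += [pscustomobject]@{ Location = $startup; Name = $_.Name; Command = $cmd }
}

# Electron apps rarely carry "electron" in their path, so the user-profile check
# is what usually catches them; expect some legitimate entries to match too.
$suspicious = $findings | Where-Object {
    $_.Command -match '\.vbs|python|electron' -or
    $_.Command -match [regex]::Escape($env:LOCALAPPDATA) -or
    $_.Command -match [regex]::Escape($env:APPDATA)
}

$findings   | Format-Table -AutoSize
'--- entries worth a closer look ---'
$suspicious | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM key is readable; any flagged entry should be compared against the Microsoft Update Catalog guidance before it is removed.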

Recent data breaches in France have compromised a staggering 90 million records, with 43 million records linked to France Travail alone. This has made the region an attractive target for cybercriminals; 19 million subscriber contracts were also affected by these breaches. The high volume of personal information circulating from these incidents has likely contributed to the malware’s focus on French-speaking users.

VirusTotal, a widely used malware detection service, showed zero detections across 69 engines for the main executable and 62 engines for the VBS launcher associated with this malware. This alarming statistic highlights the sophistication of the attack and is a reminder that a zero-detection result does not indicate a file is safe. “The most important takeaway is that a zero-detection VirusTotal result does not mean a file is safe,” a cybersecurity expert noted.

Microsoft has emphasized that the only legitimate source for manual downloads of Windows updates is through the Microsoft Update Catalog. Users are advised to be cautious, as domains like microsoft-update[.]support may appear plausible but are not affiliated with Microsoft. “If you think you may have installed this update, here’s what to do:” the advisory states, urging users to take immediate action if they suspect they have been compromised.

Chongwei Chen, a cybersecurity analyst, remarked, “Windows updates are cumulative but not infinitely so,” suggesting that users should remain vigilant about the updates they install. This incident underscores the importance of verifying the authenticity of software updates, especially in light of the ongoing threat landscape.

As the situation develops, cybersecurity experts continue to monitor the spread of this malware and its impact on users. France’s recent history of data breaches has created a fertile ground for such attacks, and officials are urging users to exercise caution when downloading updates or software from unfamiliar sources. Details remain unconfirmed regarding the full extent of the malware’s reach and the potential implications for affected users.