New Windows Malware Impersonates Everyday Apps To Infect Your Computer
Malware has become a prevalent part of the online ecosystem. It's become so bad, in fact, that the FBI has even warned Americans to replace certain Wi-Fi routers in the past to help avoid known vulnerabilities. As if that wasn't bad enough, we've even seen some bad actors turn to the growing field of AI to help them create new ways to expose users to malware. However, one of the oldest tricks in the book is the old 'bait and switch.' This is where bad actors take malware and disguise it as something else, tricking users into downloading the malware and infecting their own systems. Unfortunately, it looks like a group of threat actors has turned to this method once more, as Microsoft has issued warnings about a new malware threat that impersonates everyday applications.
According to Microsoft's security blog, the bad actors behind the attack are using highly convincing phishing emails to trick users into interacting with counterfeit PDF attachments. After opening the PDF, the users are directed to click a button to "open with Adobe." However, instead of taking the user to the official Adobe website or to the document they are trying to view, the button takes them to a spoofed download page. From there, the infected file is automatically downloaded. Microsoft says that there are also versions of the campaign that prompt users about "out of date" programs, sending them to download infected files masquerading as Teams, Zoom, or Google Meet.
Deeper than just faking a name
What makes this malware campaign especially troubling, though, is that it goes far beyond simply borrowing the names of the programs it pretends to be. Instead, Microsoft says that each of the fake programs is able to pass as the legitimate app by using an Extended Validation certificate that has been issued to TrustConnect Software PTY LTD.
This means that when the programs are installed, they'll appear as "signed," which users usually take as a sign that something can be trusted. Once installed, Microsoft notes that the fake applications then deploy their malware, infecting the target computer with tools like Tactical RMM, ScreenConnect, and other remote monitoring or management applications. What makes this malware especially tricky, too, is that it creates a secondary copy of itself under the Program Files directory, reinforcing the impression that it is an "official" application. From there, the actual malware digs into the system as a Windows service, which allows it to execute itself during system startup.
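The two traits described above, a "signed" binary sitting under Program Files and a Windows service that launches it at boot, are exactly what a defender can hunt for. The PowerShell script below is an added example written for this article; it is not code from Microsoft's report or from the article's author. It enumerates every service, resolves the executable from the service's path string, reads the Authenticode signer's subject, and flags services whose signer contains the certificate subject named in the report or whose name or path matches the RMM tools the report says were deployed. The watch-lists and the helper function names are this example's own; "flagged" here means "review this", since legitimate administrators deploy the same RMM tools.

```powershell
# Added example: hunt for services whose binary is signed by the subject named in
# Microsoft's report, or that look like the RMM tooling the report describes.
# Watch-lists are constructed for this example; extend them to fit your environment.
$FlaggedSigners     = @('TrustConnect Software PTY LTD')   # subject string from the report
$FlaggedRmmPatterns = @('tacticalrmm', 'screenconnect')     # tools the report says were deployed

function Get-ServiceBinaryPath {
    # Service PathName strings are messy: quoted, unquoted, with or without arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')   # unquoted: cut at the .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Test-ServiceOfInterest {
    param([string]$Name, [string]$BinaryPath, [string]$StartMode)
    if (-not $BinaryPath) { return $null }
    $reasons = @()

    # Is the binary under either Program Files root? (The report notes the malware copies itself there.)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $underProgramFiles = $false
    foreach ($root in $roots) {
        if ($BinaryPath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $underProgramFiles = $true }
    }

    # Name or path resembling the RMM tools named in the report.
    foreach ($p in $FlaggedRmmPatterns) {
        if (("$Name $BinaryPath") -match $p) { $reasons += "matches RMM pattern '$p'" }
    }

    # "Signed" is not the question; WHO signed it is. Read the signer subject.
    $subject = '<missing file>'; $status = 'n/a'
    if (Test-Path -LiteralPath $BinaryPath) {
        $sig     = Get-AuthenticodeSignature -FilePath $BinaryPath
        $status  = $sig.Status
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        foreach ($s in $FlaggedSigners) {
            if ($subject -like "*$s*") { $reasons += "signed by flagged subject '$s'" }
        }
    }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Service           = $Name
        StartMode         = $StartMode
        Binary            = $BinaryPath
        UnderProgramFiles = $underProgramFiles
        SignatureStatus   = $status
        Signer            = $subject
        Reasons           = ($reasons -join '; ')
    }
}

# Walk every installed service and print only the ones worth a second look.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    Test-ServiceOfInterest -Name $_.Name `
                           -BinaryPath (Get-ServiceBinaryPath $_.PathName) `
                           -StartMode $_.StartMode
} | Where-Object { $_ } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that every service's binary is readable. An empty result means nothing matched the watch-lists, not that the machine is clean; a hit with StartMode set to Auto and a Program Files path is the combination the article describes and is worth comparing against what your organization actually deployed.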
Of course, this isn't the first time that we've seen malware pretend to be legitimate apps. When these campaigns surface, though, it is a good reminder of just how far some of these threat actors are willing to go to score a hit on someone's machine.
Something to look out for
While the brunt of this attack appears to be aimed mostly at workers, based on Microsoft's report, all users should be aware of the issue. If you receive something in an email that prompts you to download anything, do not open or install whatever it asks you to. Instead, visit the official websites yourself, download the files you need, and if the file you got from the email still prompts you to download or upgrade, you probably shouldn't trust it.
You can also check in directly with any coworkers or friends through other services such as text messages, direct messages, etc., if you receive any emails with strange links. While it might sound silly to approach every attachment with this kind of caution, it's one of the best ways to help ensure you never become infected with malware designed to steal your private information. You may also want to look into installing a trusted antivirus for your Windows PC, as it can help catch things that make it through your network defenses.