Tech Scammers Using Executables to Spread Scams
Tech scams are a type of online fraud where scammers trick users into believing that there is a problem with their computer or device and then charge them for unnecessary technical support or services. Tech scammers may also use executable files to perpetrate their scams. For example, they may send an email or message with a file attachment designed to look like a legitimate document while, in reality, it contains malicious software. This malicious application mainly displays fake pop-ups or messages that urge users to pay for technical support or services.
Cyble Research and Intelligence Labs (CRIL) discovered a fake adult site that automatically downloads a malicious executable whenever users visit it. The executable is made to look like a video file because it uses the VLC media player icon. If the victim runs it, the malicious file hides the mouse cursor and displays a fake pop-up with the same dimensions as the screen background.
This fake pop-up mimics the “Blue Screen of Death” (BSOD), a well-known error screen that appears on Windows-based computers when a system error occurs. Tech scammers use fake BSOD screens to trick users into thinking their computer is infected with a virus or malware and then offer to fix the problem for a fee.
When the fake BSOD screen appears, it includes a message urging the user to call a phone number for technical support, which connects them with the scammers. Once the user is on the phone with the scammers, they may use scare tactics, potentially overstating the impact of the “issue” to convince the user to pay for unnecessary technical support or services.
CRIL discovered a phishing website at hxxps[:]//mydoc.hsc-lb[.]net/ that was distributing a tech scam executable. We determined that this website is a subdomain of hsc-lb[.]net and was hosting explicit content. Further investigation revealed that the domain hsc-lb[.]net impersonates the healthcare provider “Hopital Du Sacre Coeur” in Lebanon.
Whenever a user visits hxxps[:]//mydoc.hsc-lb[.]net/, the site automatically starts downloading a malicious executable by redirecting in the background to hxxps[:]//mydoc.hsc-lb[.]net/milf-pornvideo-pornhubhdviideos[.]exe. The figure below shows the malicious site.
The Threat Actor (TA) abuses the browser's automatic download feature, which users can manage through their browser settings. By default, most web browsers automatically save files to the default downloads directory on the user’s computer. Users can, however, change these settings to require a prompt for the download location or to block downloads entirely. Browsers also provide settings that control whether downloaded files may be opened or executed.
The executable downloaded from this site is a 32-bit .NET binary that targets Windows users. The TA has altered the compile timestamp of this file; TAs use this technique to hamper the incident response process. The figure below shows the file details.
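The two file-level observations above (a 32-bit .NET binary with an altered compile timestamp) can be checked from the PE headers alone. The following script is an added example written for this post, not code from CRIL or from the sample: it parses the COFF and optional headers with the standard library, tests whether the CLR data directory is populated (a .NET assembly) and flags a TimeDateStamp that is zero, in the future, or earlier than .NET itself. The header-only sample image, the RVA/size values and the reference date are constructed for the example.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Index of the CLR runtime header in the optional header's data directory.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DOTNET_EARLIEST_YEAR = 2002  # .NET Framework 1.0 shipped in 2002

# Constructed reference date so results are reproducible; real triage
# passes datetime.now(timezone.utc) instead.
REFERENCE_NOW = datetime(2023, 4, 1, tzinfo=timezone.utc)


def utc_epoch(year: int, month: int, day: int) -> int:
    """Seconds since the epoch for a UTC calendar date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def inspect_pe(data: bytes, now: Optional[datetime] = None) -> dict:
    """Return triage facts from a PE image: bitness, .NET flag, timestamp plausibility."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    is_dotnet = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        rva, size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = rva != 0 and size != 0
    now = now or datetime.now(timezone.utc)
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    reasons = []
    if ts == 0:
        reasons.append("timestamp is zero")
    if compiled > now:
        reasons.append("timestamp is in the future")
    if is_dotnet and compiled.year < DOTNET_EARLIEST_YEAR:
        reasons.append("timestamp predates .NET")
    return {
        "machine": machine,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC,
        "optional_header_size": opt_size,
        "compiled_utc": compiled.isoformat(),
        "is_dotnet": is_dotnet,
        "timestamp_reasons": reasons,
        "timestamp_suspicious": bool(reasons),
    }


def build_sample_pe(timestamp: int, dotnet: bool,
                    machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed header-only PE32 image for testing; not a real binary."""
    opt = bytearray(224)                       # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if dotnet:
        # Constructed CLR header RVA/size; only non-zero values matter here.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                         0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, len(opt), 0x0102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe(utc_epoch(1992, 6, 19), dotnet=True)
    print(inspect_pe(sample, now=REFERENCE_NOW))
```

A timestamp anomaly is a lead, not a verdict: compilers building with deterministic output (Roslyn's deterministic mode, for instance) write a hash-derived TimeDateStamp that can also look implausible, so correlate the flag with the other findings rather than treating it alone as proof of tampering.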
This malicious executable includes a logo or icon closely resembling the official VLC logo. This makes the executable look like a media file and tricks the user into executing it. The figure below shows the icon used by the executable file.
Upon execution, the binary creates a Windows Form named “Form1”. The background image of this form is fetched from the resource directory using the method Resources.ResourceManager.GetObject. The figure below shows the form initialization in the binary.
Figure 5 shows the image, which will be set as a Form background. Although it appears to be an official message from Microsoft in the form of a Blue Screen of Death (BSOD), it is actually a fake pop-up used for a tech scam. Generally, such messages contain an error message along with diagnostic information about the error.
After this, the binary uses the Screen.PrimaryScreen.Bounds property to size the form to the entire screen and hides the cursor with the Cursor.Hide() method, which makes the fake BSOD image appear more realistic.
Now, the binary initializes a SoundPlayer object named “soundPlayer” with an audio file called “backgroundmusic”, located in the resources directory of the executable. The Play() method of the SoundPlayer class is called to play the sound file once, and the PlayLooping() method is called immediately afterward to play the sound file continuously in a loop until it is stopped or paused.
The audio message claims that the user’s computer has been locked because of illegal activity or a virus infection and urges the user to call a support number immediately to resolve the issue. The support number is fake and leads users to scammers, who try to convince them to pay for unnecessary services or to grant remote access to their computer.
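The behaviour described above (a WinForms form, a resource named “backgroundmusic”, SoundPlayer.PlayLooping and a phone number to call) leaves recognisable strings in the binary. One triage pitfall is that .NET user strings are stored as UTF-16LE, so an ASCII-only strings pass misses them. The script below is an added example written for this post, not CRIL's tooling: it extracts both ASCII and UTF-16LE runs, matches them against a watch-list built from the indicators named in this write-up, and pulls out phone-number-like strings. The sample byte string, the watch-list and the placeholder number are constructed.

```python
import re
from typing import Dict, List

# Watch-list built from the names mentioned in the write-up; constructed for this example.
INDICATORS = ("Form1", "backgroundmusic", "PlayLooping", "PrimaryScreen", "Hide")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def extract_strings(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Printable runs as ASCII and as UTF-16LE (.NET #US heap strings are UTF-16LE)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "utf16": [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)],
    }


def triage(data: bytes, threshold: int = 3) -> dict:
    """Match extracted strings against the watch-list and collect phone-like strings."""
    strings = extract_strings(data)
    hits_ascii = {i for i in INDICATORS if any(i in s for s in strings["ascii"])}
    hits_utf16 = {i for i in INDICATORS if any(i in s for s in strings["utf16"])}
    hits = hits_ascii | hits_utf16
    everything = strings["ascii"] + strings["utf16"]
    phones = sorted({m.group().strip() for s in everything for m in PHONE_RE.finditer(s)})
    return {
        "indicators": sorted(hits),
        # Indicators an ASCII-only strings pass would have missed.
        "utf16_only": sorted(hits_utf16 - hits_ascii),
        "phone_numbers": phones,
        "verdict": len(hits) >= threshold,
    }


# Constructed stand-in for a .NET image: metadata names are stored as UTF-8/ASCII
# in the #Strings heap, user strings as UTF-16LE in the #US heap.
SAMPLE = (
    b"\x00" * 16
    + b"System.Media\x00SoundPlayer\x00PlayLooping\x00Hide\x00PrimaryScreen\x00Form1\x00"
    + b"\x00" * 8
    + "backgroundmusic".encode("utf-16-le") + b"\x00\x00"
    + "Call 1-800-000-0000 now".encode("utf-16-le")   # placeholder number, constructed
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The threshold is deliberately low because the watch-list is short; in practice you would pair this with the PE-header facts (32-bit .NET, implausible timestamp) and with the VLC-lookalike icon before raising an alert, and treat any extracted phone number as an indicator to block or to search for across other samples.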
In order to deceive users, scammers employ diverse strategies, including generating fraudulent pop-ups or notifications that prompt users to dial a phony technical support number. The file under scrutiny in this blog post spreads through a fake adult site, masquerades as a media file containing a counterfeit Blue Screen of Death (BSOD) picture, and encourages users to seek tech support.
Additionally, the scammers employed intimidating techniques by playing an audio message that pressured users into contacting a counterfeit support number to rectify the problem.
- Avoid clicking on suspicious links or downloading files from unknown sources.
- Configure the browser to prompt the user for confirmation before downloading files, or to block downloads altogether.
- Users should be cautious of unsolicited messages or calls that claim to offer technical support or services and always verify the message’s legitimacy before taking any action.
- Users should ensure that the system is protected with up-to-date antivirus software and regularly update their operating system and software to address any security vulnerabilities.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1189 | Drive-by Compromise |
Indicators of Compromise (IOCs)