Fake Microsoft DirectX 12 Distributes Malware


Cybercriminals have built a bogus Microsoft DirectX 12 download page in order to spread ransomware that steals cryptocurrency wallets and passwords. Although the site has a contact form, a privacy policy, a disclaimer, and a DMCA infringement page, neither the site nor the software it distributes is legitimate.

When users press the Download buttons, they are routed to an external website that prompts them to download a file. Depending on whether the 32-bit or 64-bit edition is chosen, the file is called '6080b4 DirectX-12-Down.zip' or '6083040a Disclaimer.zip'. Both files deliver malware that attempts to steal files, passwords, and cryptocurrency wallets from its victims.

When the bogus DirectX 12 installers are launched, they silently download and execute malware from a remote site, as discovered by security researcher Oliver Hough. This malware is a data-stealing Trojan that tries to collect a victim's cookies, directories, device records, installed programs, and even a snapshot of the current desktop. The malware authors are also attempting to steal a number of cryptocurrency wallets from Windows applications, including Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Atomic, and Monero.

All of the collected information is gathered in a %Temp% folder, which the malware then zips up and sends back to the attacker. The attacker can then analyse the data and use it for other nefarious purposes. Threat actors are rapidly building fake websites to spread malware, some of them far more persuasive than others.

Ficker ransomware is already spreading through websites impersonating the Microsoft Store and Spotify, according to ESET. The malware steals details and user accounts stored in web browsers, email applications, and FTP clients. It can even steal from your bitcoin wallet, exfiltrate documents, and take screenshots of your running applications.

As part of a larger ransomware campaign targeting cybersecurity experts, the Lazarus Group has set up a bogus security firm along with matching social media accounts. The attackers built a website, a Twitter account, and a LinkedIn account for a fictitious Turkish business called SecuriElite. According to Google's security team, which has been tracking the state-backed hackers, the firm claimed to offer offensive security services.