
SupportScam:MSIL/Secupoint.A


First posted on 03 November 2017.
Source: Microsoft

Aliases :

There are no other names known for SupportScam:MSIL/Secupoint.A.

Explanation :

Installation

This threat may arrive as an installer downloaded from the web. When run, the installer drops the following files:

  • %ALLUSERSPROFILE%\Desktop\MS Defender.lnk
  • %ALLUSERSPROFILE%\Start Menu\Programs\MS Defender
  • %ALLUSERSPROFILE%\Start Menu\Programs\MS Defender\MS Defender on the Web.lnk
  • %ALLUSERSPROFILE%\Start Menu\Programs\MS Defender\MS Defender.lnk
  • %ALLUSERSPROFILE%\Start Menu\Programs\MS Defender\Uninstall MS Defender.lnk
  • %ProgramFiles%\MS Defender\MS Defender\date_picker.xml
  • %ProgramFiles%\MS Defender\MS Defender\ExtendedWindowsControls.dll
  • %ProgramFiles%\MS Defender\MS Defender\icon.ico
  • %ProgramFiles%\MS Defender\MS Defender\Microsoft.Win32.TaskScheduler.dll
  • %ProgramFiles%\MS Defender\MS Defender\MS Defender.exe - malicious component
  • %ProgramFiles%\MS Defender\MS Defender\MS Defender.pdb
  • %ProgramFiles%\MS Defender\MS Defender\MS Defender.vshost.exe
  • %ProgramFiles%\MS Defender\MS Defender\MS Defender.vshost.exe.manifest
  • %ProgramFiles%\MS Defender\MS Defender\MS-Defender.exe - malicious component
  • %ProgramFiles%\MS Defender\MS Defender\MS-Defender.pdb
  • %ProgramFiles%\MS Defender\MS Defender\MS-Defender.vshost.exe
  • %ProgramFiles%\MS Defender\MS Defender\MS-Defender.vshost.exe.manifest
  • %ProgramFiles%\MS Defender\MS Defender\status_text.txt
  • %ProgramFiles%\MS Defender\MS Defender\WpfAnimatedGif.dll


The files MS Defender.exe and MS-Defender.exe are the malicious components. The accompanying .pdb and .vshost.exe files are Visual Studio debug-build artifacts (symbol files and the VS hosting process), which indicates the components were shipped straight from a debug build rather than a release build.

The installer creates a scheduled task with a logon trigger that runs MS Defender.exe every time a user signs in. The write-up does not give the task's name, so hunting for it should key on the task's action path rather than on a name.
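The following triage script is an added example and is not code from the Microsoft write-up. It checks for the dropped files and shortcuts listed above, hashes the two malicious components, and finds any scheduled task whose action runs out of the MS Defender install directory, reporting whether it carries the logon trigger described. Assumptions: the paths are exactly those in the listing (the script also checks ProgramFiles(x86), since a 32-bit MSIL installer may land there), and the task is matched on its action path because the write-up gives no task name. Run it elevated; if the lock screen is already up, run it from Safe Mode or over a remote PowerShell session.

```powershell
<#
Added triage/clean-up helper for SupportScam:MSIL/Secupoint.A.
Not part of the original write-up. Assumptions are noted inline.
Usage:  .\Find-Secupoint.ps1            (report only)
        .\Find-Secupoint.ps1 -Remove    (kill, unregister task, delete files)
        .\Find-Secupoint.ps1 -Remove -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# Candidate install directories. ProgramFiles(x86) is an assumption: the
# write-up only lists %ProgramFiles%, but a 32-bit installer may use the x86 tree.
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'MS Defender\MS Defender' }

# Shortcuts from the installation list. On Vista and later,
# %ALLUSERSPROFILE%\Start Menu is a compatibility junction to
# %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu, so the listed path resolves.
$shortcuts = @(
    (Join-Path $env:ALLUSERSPROFILE 'Desktop\MS Defender.lnk'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\MS Defender')
)

# 1. File artifacts: locate and hash the two malicious components.
$found = @()
foreach ($dir in $installDirs) {
    foreach ($exe in 'MS Defender.exe', 'MS-Defender.exe') {
        $p = Join-Path $dir $exe
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Write-Output "FOUND  $p  SHA256=$h"
            $found += $p
        }
    }
}
foreach ($s in $shortcuts) {
    if (Test-Path -LiteralPath $s) { Write-Output "FOUND  $s"; $found += $s }
}

# 2. Persistence: any task whose action executes from the install directory.
#    The task name is unknown, so match on the action's Execute path.
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like '*\MS Defender\*' }
}
foreach ($t in $tasks) {
    $atLogon = [bool]($t.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    $exec = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
    Write-Output "TASK   $($t.TaskPath)$($t.TaskName)  logon=$atLogon  exec=$exec"
}

if (-not $found -and -not $tasks) { Write-Output 'No Secupoint artifacts found.'; return }

# 3. Optional clean-up: stop both components, drop the task, remove the files.
if ($Remove) {
    Get-Process -Name 'MS Defender', 'MS-Defender' -ErrorAction SilentlyContinue |
        Stop-Process -Force
    foreach ($t in $tasks) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister task')) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }
    foreach ($dir in $installDirs) {
        # The listed files all live under the parent "MS Defender" folder.
        $parent = Split-Path $dir -Parent
        if ((Test-Path -LiteralPath $parent) -and $PSCmdlet.ShouldProcess($parent, 'Remove folder')) {
            Remove-Item -LiteralPath $parent -Recurse -Force
        }
    }
    foreach ($s in $shortcuts) {
        if ((Test-Path -LiteralPath $s) -and $PSCmdlet.ShouldProcess($s, 'Remove shortcut')) {
            Remove-Item -LiteralPath $s -Recurse -Force
        }
    }
}
```

Get-ScheduledTask and Unregister-ScheduledTask require Windows 8 / Server 2012 or later; on older systems substitute `schtasks /query /fo csv /v` and `schtasks /delete`. Record the SHA256 values before deleting anything so the sample can be retained for the AV vendor.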

Payload

Displays fake scanner

When run, MS-Defender.exe first presents a sign-in prompt.

It accepts a default password. The ID and password may be supplied on the website from which the installer is downloaded.

If the correct password is entered, MS-Defender.exe displays a fake scanner.

After the fake scan, it displays a fake scan report.

Locks screen

MS-Defender.exe then launches the other malicious component, MS Defender.exe, which locks the screen behind a message.



Steals info

This malware collects information such as the IP address, MAC address, machine name, country, city, ZIP code, and ISP. It queries the legitimate lookup services hxxp://www[.]iptrackeronline[.]com/ and hxxp://api[.]ipinfodb[.]com/v3/ip-city/ to gather this information. Both services are benign and used by other software, so traffic to them is only a useful signal when correlated with the process path or with both lookups occurring from the same host in quick succession.
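The following detection example is added here and is not code from the write-up. It matches the two lookup hosts the malware contacts against proxy log lines and then flags clients that hit both within the same log window, which is the pattern above rather than a single benign geolocation call. The log lines are constructed for the example, and the field layout (timestamp, client IP, user, method, URL, status) is an assumption to adapt to your proxy's format.

```powershell
# Added detection example, not from the original write-up.
# The two hosts the malware queries, per the analysis above.
$iocHosts = @('www.iptrackeronline.com', 'api.ipinfodb.com')

# Constructed sample proxy log (not real traffic). Field layout is assumed:
# time client user method url status
$sampleLog = @'
2017-11-03T09:12:01Z 10.0.0.15 alice GET http://www.iptrackeronline.com/ 200
2017-11-03T09:12:02Z 10.0.0.15 alice GET http://api.ipinfodb.com/v3/ip-city/?key=REDACTED&ip=203.0.113.5&format=json 200
2017-11-03T09:12:05Z 10.0.0.22 bob GET https://www.microsoft.com/ 200
2017-11-03T09:13:40Z 10.0.0.31 carol GET http://api.ipinfodb.com/v3/ip-city/?key=REDACTED&ip=203.0.113.9 200
'@

function Find-GeoLookupHits {
    param([string[]]$Lines, [string[]]$Hosts)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }          # skip blank or malformed lines
        $uri = $null
        if (-not [Uri]::TryCreate($f[4], [UriKind]::Absolute, [ref]$uri)) { continue }
        if ($Hosts -contains $uri.Host.ToLowerInvariant()) {
            [pscustomobject]@{
                Time   = $f[0]
                Client = $f[1]
                User   = $f[2]
                Host   = $uri.Host
                Path   = $uri.AbsolutePath
            }
        }
    }
}

$hits = Find-GeoLookupHits -Lines ($sampleLog -split "`n") -Hosts $iocHosts
$hits | Format-Table -AutoSize

# Escalate only clients that contacted every IOC host; a lone api.ipinfodb.com
# request (10.0.0.31 above) may be a legitimate application.
$hits | Group-Object Client | Where-Object {
    ($_.Group.Host | Sort-Object -Unique).Count -eq $iocHosts.Count
} | ForEach-Object { "Both lookup hosts contacted by $($_.Name): investigate" }
```

On a live network the same two-host correlation can be applied to DNS query logs, and on the endpoint it should be tied back to the process path from the installation list, since the lookup services themselves are not malicious.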





Analysis by: Ric Robielos

Last update 03 November 2017
