

Once tech sites discovered the script, it was quickly promoted and installed by many.

However, unbeknownst to everyone until this week, the Windows Toolbox was actually a Trojan that executed a series of obfuscated, malicious PowerShell scripts to install a trojan clicker and possibly other malware on devices.

Over the past week, various users shared the discovery that the Windows Toolbox script was a front for a very clever malware attack, leading to a surprisingly low-quality malware infection.

Abusing Cloudflare workers to install malware

To run Windows Toolbox, the developer told users to execute the following command, which loaded a PowerShell script from a Cloudflare worker hosted at.

While the Windows Toolbox script performed all of the features described on GitHub, it also contained obfuscated PowerShell code that would retrieve various scripts from Cloudflare workers and use them to execute commands and download files on an infected device.

Sending special headers to Cloudflare workers

What we know is that the malicious scripts only targeted users in the US and created numerous Scheduled Tasks with the following names:

Microsoft\Windows\AppID\VerifiedCert
Microsoft\Windows\Application Experience\Maintenance
Microsoft\Windows\Servicing\ComponentCleanup
Microsoft\Windows\Servicing\ServiceCleanup

These scheduled tasks are used to configure various variables, create other scripts to be run by the tasks, and kill processes, such as chrome.exe, msedge.exe, brave.exe, powershell.exe, python.exe, pythonw.exe, cdriver.exe, and mdriver.exe.

It also created a hidden c:\systemfile folder and copied the default profiles for Chrome, Edge, and Brave into the folder.
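A defender-side hunting script, added here and not part of the original article, that checks a host for the scheduled task names and hidden c:\systemfile folder described above. It assumes a Windows host with the built-in ScheduledTasks module and is read-only: it reports, it does not remove anything.

```powershell
# Task paths named in the article. They sit under built-in Windows task
# folders, so inspect each hit's action rather than trusting the name alone.
$SuspectTasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Servicing\ServiceCleanup'
)

$Findings = @()

foreach ($FullName in $SuspectTasks) {
    # Split 'Folder\Sub\Name' into the '\Folder\Sub\' path and the task name
    # that Get-ScheduledTask expects.
    $Path = '\' + ($FullName -replace '\\[^\\]+$', '') + '\'
    $Name = $FullName -replace '^.*\\', ''
    $Task = Get-ScheduledTask -TaskPath $Path -TaskName $Name -ErrorAction SilentlyContinue
    if ($Task) {
        foreach ($Action in $Task.Actions) {
            # Record what the task runs; the article says these tasks spawn
            # further scripts and kill browser/PowerShell/Python processes.
            $Findings += [pscustomobject]@{
                Indicator = 'ScheduledTask'
                Item      = $FullName
                Detail    = ('{0} {1}' -f $Action.Execute, $Action.Arguments).Trim()
            }
        }
    }
}

# Hidden folder into which the scripts copied Chrome, Edge and Brave profiles.
$Folder = 'C:\systemfile'
if (Test-Path -LiteralPath $Folder) {
    $Attr = (Get-Item -LiteralPath $Folder -Force).Attributes
    $Findings += [pscustomobject]@{
        Indicator = 'Folder'
        Item      = $Folder
        Detail    = "Attributes: $Attr"
    }
    Get-ChildItem -LiteralPath $Folder -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Findings += [pscustomobject]@{
                Indicator = 'FolderContent'
                Item      = $_.FullName
                Detail    = "LastWrite: $($_.LastWriteTime)"
            }
        }
}

if ($Findings.Count -eq 0) { 'No Windows Toolbox indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so that tasks registered by other accounts are visible.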
