Fake Windows Support Spam Spreads an Info Stealer

Written by: Bernadette Caraig

How does this threat get into users' systems?

Users received spammed messages purporting to come from Microsoft, telling them Service Packs 1 and 2 had supposed errors that could damage their system software and even hardware. The messages lured users to click the Download button to update their systems.

How does this threat affect users?


Clicking the Download button leads to the download of Windows.exe (detected by Trend Micro as TROJ_DLOADER.CUT).

TROJ_DLOADER.CUT is saved onto affected systems as NiLksa.exe. It then connected to a remote URL to download other malicious files.

How does this threat make money for its perpetrators?

The other malicious files that TROJ_DLOADER.CUT may include FAKEAV variants that will translate to instant cash for cybercriminals or information stealers. The stolen data may then be sold underground or kept for use in further malicious activities.

What is the driving force behind this threat?

Using TROJ_DLOADER.CUT, cybercriminals aim to infect as many systems as possible.