Microsoft Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Mon, 16 Sep 2024

Top 3 Vulnerabilities of 2024: How to Block and Prevent
https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/
Sun, 15 Sep 2024

Any successful remote cyberattack starts with penetration of the target network. Regardless of the type of threat (spyware, ransomware, or infostealer), first it must be delivered before it can be deployed. Attackers use a variety of methods and tools to accomplish this. Some of them require some action on the part of the individual. Others, in turn, rely on vulnerabilities in the system and can be delivered and deployed without the victim’s involvement.

Top Vulnerabilities in 2024

Of the many vulnerabilities that surfaced in the first 8 months of 2024, several created significant fuss in the cybersecurity community. The key sign of significance is, of course, the number of systems that may be impacted. Still, I won’t ignore other factors, like ease of exploitation and the severity of possible consequences.


There may also be some confusion about whether a flaw should be considered “top” or not, depending on how frequently it is exploited in cyberattacks. As some flaws keep circulating for years after their initial discovery, you can sometimes see ratings that include those “past” vulnerabilities. In certain years, these older weaknesses were dominant, despite all the vulnerabilities discovered the same year. In this article, I will concentrate exclusively on flaws discovered in 2024, with all the other characteristics mentioned above in mind.

Critical RCE Threat in Windows TCP/IP Stack

CVE-2024-38063 is a critical vulnerability in Windows 10/11 that allows remote code execution (RCE) via IPv6 packets. The vulnerability is rated CVSS 9.8 and affects Windows 10, Windows 11 and Windows Server 2008-2022. Security researcher Marcus Hutchins has published a detailed analysis of the vulnerability. He also noted that this vulnerability affects one of the most exposed parts of the Windows kernel, the tcpip.sys driver, which is responsible for processing TCP/IP packets. In other words, attackers can exploit this vulnerability by sending specially crafted IPv6 packets to the target machine, allowing RCE without user interaction.

As for potential risks: if exploitation succeeds, attackers could gain access at the SYSTEM level. This lets them execute arbitrary code on the vulnerable system and compromise sensitive data. The former, in turn, is a classic way to deploy malware in cyberattacks of any grade. Microsoft has released the update and strongly recommends applying it as soon as possible. For those who cannot apply the patch yet, Redmond recommends disabling IPv6 until the update can be installed, in order to reduce the attack surface.

Fortunately, there were no known exploitation cases at the time of writing. But the fact that the vulnerability exposes individual users and corporations alike makes it worth keeping in mind and fixing at the first opportunity.

Critical Remote Code Execution in Microsoft Project

CVE-2024-38189 is a critical remote code execution vulnerability that affects several Microsoft products. It affects Windows 10 and Windows Server 2019 and later, as well as various versions of Office, including Office 365. A CVSS score of 8.8 clearly characterizes how much damage attackers can do with this flaw. Unlike the previous vulnerability, exploiting CVE-2024-38189 requires user interaction: the attacker must convince the victim to open a specially crafted Microsoft Project file. However, in the era of Dark LLM-generated phishing emails, this will not be a problem for attackers.

The result of successful exploitation is clear: remote access with privilege escalation. It can lead to data leakage and full control over the infected system, with potentially severe consequences. Microsoft has released an update, so the only task for users is to apply it and keep monitoring for suspicious network activity. And with the vulnerability being actively exploited in the wild, applying this update should not be delayed.

RCE Flaw in Microsoft Exchange

The third vulnerability is CVE-2024-38178, which has a CVSS score of 7.5 and allows remote code execution under certain conditions. Although the exploitation conditions are specific, it poses a significant threat. Similar to the previous one, exploitation requires an authenticated client to be tricked into clicking a malicious link. Moreover, it also requires the victim to use Microsoft Edge in Internet Explorer mode. Even so, South Korea’s National Cyber Security Center has reported that this vulnerability was potentially used in a state-sponsored APT attack.

The vulnerability arises from a flaw in web content processing, leading to remote code execution. This could result in unauthorized server control, data leaks, and significant server disruption. The attacker does not require direct access to the server, relying instead on tricking users. To ensure security, users should update their systems and consider disabling Internet Explorer mode in Microsoft Edge.
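A host audit for the two workarounds described above (disabling IPv6 for CVE-2024-38063 and Internet Explorer mode in Edge for CVE-2024-38178), plus a check that a given update is installed. This is an added example, not code from Gridinsoft or Microsoft; the KB number is a placeholder to be replaced, and it assumes the NetAdapter cmdlets and the Edge InternetExplorerIntegrationLevel policy are available on the host.

```powershell
# Added audit script (not from the Gridinsoft post). Reports on the two workarounds
# the post mentions and on whether a given update is installed; changes nothing
# unless -Remediate is passed. Run from an elevated PowerShell on Windows 10/11.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder: replace with the KB number of the cumulative update you rolled out.
    [string]$ExpectedKb = 'KB-PLACEHOLDER',
    [switch]$Remediate
)

# Edge policy key; InternetExplorerIntegrationLevel 0 turns IE mode off, 1 turns it on.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-PatchState {
    param([string]$Kb)
    # Get-HotFix lists installed Windows updates by KB id.
    $hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "Update $Kb installed"
        Status = if ($hf) { 'OK' } else { 'MISSING' }
        Detail = if ($hf) { "Installed on $($hf.InstalledOn)" } else { 'Not listed by Get-HotFix' }
    }
}

function Get-Ipv6State {
    # ms_tcpip6 is the component id of the IPv6 stack binding on each adapter.
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    [pscustomobject]@{
        Check  = 'IPv6 unbound on all adapters (CVE-2024-38063 workaround)'
        Status = if ($bound) { 'EXPOSED' } else { 'OK' }
        Detail = if ($bound) { 'Still bound on: ' + ($bound.Name -join ', ') } else { 'No adapter has IPv6 bound' }
    }
}

function Get-IeModeState {
    $level = (Get-ItemProperty -Path $EdgePolicyKey -Name InternetExplorerIntegrationLevel -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
    [pscustomobject]@{
        Check  = 'Edge IE mode disabled by policy (CVE-2024-38178 workaround)'
        Status = if ($null -eq $level) { 'UNSET' } elseif ($level -eq 0) { 'OK' } else { 'EXPOSED' }
        Detail = if ($null -eq $level) { 'No policy set; users can still enable IE mode' } else { "InternetExplorerIntegrationLevel = $level" }
    }
}

# Print the audit table first, so the state is visible before anything is changed.
@(
    (Get-PatchState -Kb $ExpectedKb),
    (Get-Ipv6State),
    (Get-IeModeState)
) | Format-Table -AutoSize

if ($Remediate) {
    # Workaround 1: unbind IPv6 per adapter. The post notes Microsoft suggests this
    # only where the patch cannot be applied yet, so it is gated behind -Remediate.
    foreach ($b in (Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)) {
        if ($PSCmdlet.ShouldProcess($b.Name, 'Disable IPv6 binding')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
        }
    }
    # Workaround 2: force IE mode off through the Edge policy key.
    if ($PSCmdlet.ShouldProcess($EdgePolicyKey, 'Set InternetExplorerIntegrationLevel = 0')) {
        New-Item -Path $EdgePolicyKey -Force | Out-Null
        Set-ItemProperty -Path $EdgePolicyKey -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
    }
}
```

Run it without parameters to get the audit table only; add -Remediate -WhatIf to see which adapters and keys would be changed before committing.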

What Causes the Vulnerabilities to Appear?

Typical reasons for vulnerabilities to appear in programs are bad software engineering, technology aging, software misuse, or all of them together. It is hard to trace the reason for each specific vulnerability, especially considering their sheer number. But it is obvious that the more complex the program is, the easier it is for something inside to break, or to be broken on purpose.

[Image: Windows update. Make sure your system is up to date.]

The worst part about it is that you can’t really do anything to prevent the vulnerabilities from appearing (if you are not the developer of course). For users, and even corporations, the only way to secure themselves against negative consequences of vulnerability exploitation is to install all the recent updates. And even this won’t always be a guarantee of having no zero-day flaws.

How to prevent vulnerabilities?

To summarize, let me make a few recommendations to help reduce the likelihood of successful exploitation of vulnerabilities:

  • Install the latest updates. Proper software developers release flaw fixes as part of their regular updates, and I strongly recommend not ignoring them. If you happen to use an end-of-service program, it is better to update to the newest version or look for an alternative that still receives software updates. “Unsupported” does not mean “free of vulnerabilities”!
  • Use software from reliable developers. While vulnerabilities can appear in any software from any developer, the likelihood is much higher when you stick to solutions from a no-name dev team. Large and renowned developers, aside from doing thorough testing, will also provide all the needed support and updates for their software.
  • Keep an eye on security news. Companies sometimes struggle to notify their users in a timely manner. By checking newsletters, you ensure you stay up to date on recent flaws and attacks.

Ads(exe).finacetrack(2).dll Virus Explained
https://gridinsoft.com/blogs/ads-exe-finacetrack2-dll/
Tue, 10 Sep 2024

    Ads(exe).finacetrack(2).dll is a detection name that you can see on websites pretending to be malware infection alerts from Microsoft. Such pages appear all of a sudden, blocking user inputs and displaying a scary message, duplicated with a robotic voice message in the background. The site eventually asks the user to call a “tech support” to solve the alleged malware problem.

Such sites are part of a huge network of “fake tech support” web pages. They pretend to be official Microsoft sites, notifying people about “severe malware infections” present in the system. In fact, the whole thing is a fiction. In this article, I explain how these sites operate, why they open in your browser, and how to stop that for good.

    What is Ads(exe).finacetrack(2).dll?

Ads(exe).finacetrack(2).dll is a detection name for an alleged malicious program running in the system. It appears on a fake Microsoft website, or at least its authors tried to make it look like one. On the top layer is a banner that says the system is blocked for security reasons. That same banner also contains the phone number of a “tech support” that one should call to fix the issue.

[Image: typical appearance of the Ads(exe).finacetrack(2).dll scam page.]

    The website itself is designed in a rather specific way. Once the user who gets to this site clicks on any of its elements, it will scale to full screen, and start playing a scary voice message:

Voice message transcription:
    Important security message.
    Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.
    To unlock the computer, please call support immediately.
    Please do not attempt to shut down or restart your computer. Doing that may lead to data loss and identity theft. The computer lock is aimed to stop illegal activity. Please call our support immediately.

    Following that switch, any of the keyboard combinations stop working (yes, even Alt+F4 and Ctrl+Alt+Del). The reason for this is the internal mechanisms of the site that intercept these combos before the system can handle them. As a result, the user feels trapped inside, with no way out other than following the guidance from the banner.

Still, there is a simple trick to get out of such a scam site. If you press the Esc key several times, your browser will show a pop-up telling you to hold down Esc to exit full screen mode. That is different from a single press of the key, and is probably yet another trick from the website. And that is it: hold it down, and then close the window with the malicious website as you usually would.

    How does this scam work?

Fake tech support scams, including the Ads(exe).finacetrack(2).dll one, operate in several steps. They need to get the user to a scam page, make them follow the instructions, and get them to allow the “support” to do its “job”. The latter typically results in the installation of unwanted programs, often so-called scareware. Let’s go through each of these steps.

    Beginning

Initially, scammers need to make the user open the scam website. As these pages typically sit on some obscure URL, hoping for organic traffic is not an option. What they do instead is buy redirect link placements on shady websites whose content, in turn, attracts a lot of users. Sites with pirated films, dodgy online dating services, resources that offer cheats for popular games or shady hacking activities: such places never disdain an illegal source of profit. Any click on any content on these sites may redirect the user to a tech support scam page. Other scams appear on such sites as well, so it is a bad idea to keep using them.

    Not sure whether you can trust a website? Consider scanning it with our free online URL scanning service! In less than a minute, it will give you the clear insight whether the site is trustworthy.

    Culmination

After the user gets to the website, the inner mechanisms of the Ads(exe).finacetrack(2).dll page lock them there. Blocking any visible way out makes it particularly difficult for the user to avoid panicking, especially someone with fewer computer skills. As a result, the only option that appears viable is to call the “support” at the specified number.

    The Finale

In the final stage, on the call with the fake tech support manager, the victim is instructed to install a remote access tool, usually TeamViewer. After that, the fraudster on the phone instructs the victim to grant them access to the system. Upon taking control of the victim’s machine, the scammer typically downloads a bunch of unwanted applications: fake browser security apps, questionable antivirus software no one has ever heard of, driver updating utilities, and plenty more.

    Such applications will further spam the user, reminding them about the “dangerous viruses” and asking to buy a license. Sure enough, it is nowhere near as dangerous as malware, but still quite annoying and can easily lead to money loss. Also, since such apps are not tested properly, some of their actions can make the system malfunction.

    How to Avoid the Ads(exe).finacetrack(2).dll scam?

    As such scams typically propagate through sites with shady content – pirated movies and programs, dating or adult websites, the best way to prevent fake support scams from appearing will be to avoid such sites in future. Overall, their content is illegal and unhealthy; they typically have massive amounts of ads that can expose the visitor to even more dangers. If you are not sure whether the site is safe to use, check it with our free online URL scanner service.

Another part of the advice is to have a clear understanding of how Windows operates in general. Microsoft never blocks someone’s system, and never displays notifications in the browser. Even if there is malware running on the computer, you will only get a message from Microsoft Defender, and that is it. Any attempt to look like a genuine Microsoft website, especially with such an obscure URL, is a giant red flag.

    Finally, I will advise you to run a proper anti-malware application, like GridinSoft Anti-Malware. It will reliably protect you against malicious programs, and will also block any malicious sites, thanks to its Online Protection feature.

Microsoft Fixes 3 Critical Vulnerabilities in July Patch Tuesday, One Exploited
https://gridinsoft.com/blogs/microsoft-fixes-3-critical-vulnerabilities-patch-tuesday/
Thu, 11 Jul 2024

    Microsoft has released its monthly security update, addressing 142 vulnerabilities across its product suite and software. One of these vulnerabilities is already being exploited in the wild. The vulnerabilities were fixed as part of Microsoft’s monthly bug fix release, widely known as “Patch Tuesday”.

    Microsoft Fixed 3 Critical Flaws in Patch Tuesday

In the most recent Patch Tuesday, on July 10, 2024, Microsoft released fixes for 142 security issues in its product suite and software. Among them are 6 flaws of note, of different severity: CVE-2024-38023, CVE-2024-38060, CVE-2024-38080, and the RCE bugs CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077. The latter three have a CVSS score of 9.8 and allow an attacker to send specially crafted network packets that could trigger remote code execution in the Windows Remote Desktop Licensing service. Moreover, the last vulnerability does not require authentication, making it particularly dangerous.

[Image: Windows Updates menu.]

    Notably, this is the largest list of fixes in recent months, nearly matching the April patch release where Microsoft fixed 150 vulnerabilities. The patches address vulnerabilities affecting multiple segments of Microsoft products. These include Windows, Office, Azure, .NET, Visual Studio, SQL Server, and Windows Hyper-V. In particular, one of the vulnerabilities is already being actively exploited in real-world attacks.

    CVE-2024-38074, 38076, and 38077 Details

    Despite all of the RCE flaws being rated at CVSS 9.8, some of them require authenticated access or specific privileges to exploit. For instance, a vulnerability in Microsoft SharePoint Server requires site owner rights to execute arbitrary code. One of the most significant vulnerabilities is an issue in Windows Hyper-V, which allows attackers to gain system privileges. To understand the severity of these vulnerabilities, let’s delve into the details.

    CVE-2024-38023 vulnerability allows attackers with site owner rights in Microsoft SharePoint Server to execute arbitrary code on the server. An attacker with the necessary privileges can use specially crafted commands to execute code in the context of SharePoint Server. This vulnerability is particularly dangerous because it can lead to complete control over the server and leakage of confidential information.

Another remote code execution vulnerability, CVE-2024-38060, stems from a flaw in the Microsoft Windows codec library. It allows an attacker to upload a specially crafted TIFF file which, when processed by the system, triggers arbitrary code execution. However, to exploit this vulnerability the attacker must already have access to the system, making it less dangerous than purely remote attacks but still a significant risk.

    The third vulnerability, CVE-2024-38080, is already actively exploited in real-world attacks. Attackers can use this vulnerability to escalate privileges in Windows Hyper-V, gaining access to system-level privileges. This can lead to complete control over virtualized environments, posing a serious threat to the security and integrity of the systems.

    How to Stay Safe?

    Vulnerabilities are an inherent part of software — past, present, and future. The only effective method to mitigate their risks is timely patching. To minimize these risks, Microsoft strongly recommends promptly installing the latest updates that address these vulnerabilities. And, well, despite the fact that Redmond tries its best to fix all the known flaws in time, there may be slip-throughs, even ones that exist for over a year.

Another layer of protection against exploitation is a zero-trust anti-malware solution. Not many are available for home users, but vulnerability exploitation typically targets systems in corporate networks to begin with. A sturdy solution that thoroughly checks every action of any software, which is the essence of a zero trust policy, is what works best against such attacks.

Windows Defender Security Warning
https://gridinsoft.com/blogs/windows-defender-security-warning-scam-how-to-remove/
Tue, 02 Jul 2024

    Have you ever encountered a Windows Defender security warning pop-up while browsing? This type of malicious activity is designed to trick you into contacting scammers. Fortunately, you can quickly get rid of it. Here, we will explain how to remove this scam and protect yourself from other viruses.

    What is the Windows Defender Security Warning?

    This warning is the result of scareware or a phishing scam. Its purpose is to redirect you to a webpage that visually resembles the official Microsoft website. However, the URL does not match the official site. The page may display a message claiming that your computer is infected with malware and that you need to contact a support agent by phone to fix the problem.

[Image: Windows Defender Security Warning scam example. Red flags are highlighted in the picture.]

Unfortunately, the notification looks like a legitimate Windows message, making it especially dangerous – many users may not even attempt to verify it on Google. Scammers commonly make the pop-up as convincing as possible so that people don’t suspect anything is wrong. The provided phone number will likely connect you to a fraudulent call center. The agent may try to get you to install malware to infect your computer, steal your personal information, or demand money for fake services.

    Why is the Windows Defender Security Warning False?

    At first glance, you might mistake this for a legitimate warning from Windows Defender. However, if you’re familiar with Windows Defender, you’ll notice differences from a genuine notification. Therefore, please do not call the phone number provided in the window because it is not a real alert. Here’s why:

    • It’s not the Windows Defender interface. Windows Defender, also known as Windows Security, is a built-in Windows application with a different interface. It will never display a browser pop-up or webpage; it uses system notifications instead.
    • Strange text and typos. A banner or page showing a Microsoft Defender alert often contains strange text designs and grammatical and stylistic errors, which sharply contrast with the short and informative Defender notifications.
    • Microsoft never provides contact numbers for users. Users can contact Microsoft support through the “Get Help” application if they encounter problems.

    This Windows Defender security alert is flawed in both format and content. It’s often a low-level phishing scam aiming to sell a rogue antivirus service, which can harm your computer. In some cases, you might not be able to close the alert or switch to other applications.

    Causes of the Windows Defender Security Warning

    There are several reasons why you might see a Windows Defender security warning. Here are the most common ones:

    • You clicked on an ad that redirected you to a fake site.
    • You visited a hacked website that redirected you to a fraudulent page.
    • You have a malicious program installed on your device, often a result of adware activity.

    There are also many other ways you could be exposed to fraud, depending on various factors, such as the external devices you share with others. Simply closing the window may not solve the problem, especially if adware is causing it. The pop-up message may appear every time you open your browser.

    How to Remove the Windows Defender Security Warning

    Since the Windows Defender security warning appears in your browser, most actions to get rid of it are related to your browser. These steps can help resolve the issue of Windows Defender security warning pop-ups:

    • Force close and reopen your browser.
    • If the problem with redirecting to a fraudulent page persists, reset your browser (instructions below) or reinstall the browser completely.
    • If this continues, you may have adware or a PUP (potentially unwanted program) installed on your computer, and you need to remove it.

    If you’re unsure which installed application is causing the pop-up notifications, install antivirus software to detect and remove the infection from your computer.

    How to Clear the Browser from the Windows Defender Security Warning

    Resetting your browser settings is one of the first steps to eliminate the Windows Defender security warning scam. Here are the instructions for different browsers:

    Remove the Windows Defender Scam from Chrome

1. Click on the three vertical dots in the top right corner and select Settings.
2. Select Reset and clean up, then Restore settings to their original defaults.
3. Click Reset settings.

    Remove the Windows Defender Scam from Firefox

1. Click the three-line icon in the upper right corner and select Help.
2. Select More Troubleshooting Information.
3. Select Refresh Firefox…, then Refresh Firefox.

    Remove the Windows Defender Scam from Microsoft Edge

1. Press the three dots.
2. Select Settings.
3. Click Reset Settings, then click Restore settings to their default values.

Remove the Windows Defender Scam from Safari

1. Open the terminal (press ⌘ Command + Spacebar to open Spotlight, type “terminal” and press “Enter”).
2. Enter these commands one at a time. Execute each command by pressing “Enter” after copying it into the terminal:

    rm -Rf ~/Library/Caches/Metadata/Safari;
    rm -Rf ~/Library/Caches/com.apple.Safari;
    rm -Rf ~/Library/Caches/com.apple.WebKit.PluginProcess;
    rm -Rf ~/Library/Preferences/Apple\ -\ Safari\ -\ Safari\ Extensions\ Gallery;
    rm -Rf ~/Library/Preferences/com.apple.Safari.LSSharedFileList.plist;
    rm -Rf ~/Library/Preferences/com.apple.Safari.RSS.plist;
    rm -Rf ~/Library/Preferences/com.apple.Safari.plist;
    rm -Rf ~/Library/Preferences/com.apple.WebFoundation.plist;
    rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginHost.plist;
    rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginProcess.plist;
    rm -Rf ~/Library/PubSub/Database;
    rm -Rf ~/Library/Safari/*;
    rm -Rf ~/Library/Safari/Bookmarks.plist;
    rm -Rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState;

      What to Do if the Problem Persists?

If you have followed all the steps above and still see this warning every time you use a web browser, it is a clear sign that malware is still on your computer. You can use professional antimalware software such as GridinSoft Anti-Malware to scan your computer and remove any viruses or malware found. Beyond this particular scam, the antimalware software will also remove and neutralize more dangerous cyber threats that could cause severe damage to your files.

[Image: GridinSoft Anti-Malware main screen.]

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Image: scan results screen.]

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Image: removal finished.]

      How to Avoid Scams like the Windows Defender Security Warning

      As mentioned earlier, the Windows Defender security warning scam is not the only threat you may encounter on your computer. There is much more severe malware on the Internet, and as a prudent user, you should take every precaution to avoid them. Here are some basic tips:

      • Ensure your OS and apps are up to date
      • Only download apps from official websites
      • Avoid clicking on random links without knowing where they will take you
      • Don’t download suspicious apps
      • Do not open attachments in suspicious emails
      • Use an ad blocker to block malicious ads
      • Use advanced antivirus software

      Your computer should now be clean and free of Windows Defender scams. To prevent this from happening again, practice good online hygiene to protect yourself from fraud. Perform regular scans and use malware protection to stop threats before they happen.

Trojan:Win32/Vigorf.A
https://gridinsoft.com/blogs/trojanwin32-vigorf-a-analysis-removal/
Tue, 18 Jun 2024

      Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. This detection commonly identifies a running loader malware that may deal significant harm to the system. In this article, let’s find out how dangerous Vigorf.A is and how to get rid of it.

      What is Trojan:Win32/Vigorf.A?

      Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender attributes to dropper/loader malware. This generic detection name refers to a whole range of malicious programs rather than one specific family. The goal of Vigorf.A is unauthorized system access and further malware distribution. As my detailed analysis has shown, Trojan:Win32/Vigorf.A uses various methods to bypass antivirus programs and operating system protection.

      Trojan:Win32/Vigorf.A detection

      Usually, this malware downloads or installs other malicious programs on the computer. It drops its files and modifies system settings and other configuration files to gain persistence. Additionally, it connects to remote servers to send collected information and download additional malicious programs.

      Is Trojan:Win32/Vigorf.A False Positive?

      False positives with the Vigorf.A name are not a common occurrence. There are only a few cases discussed online, and all of them are related to software that borders on malicious.

      False positives
      User complaints about false positive detection

      The most common case here is game modifiers or patches. Such tools modify game memory or files to unlock features and can be misidentified as Trojan:Win32/Vigorf.A because of their ability to intrude into other programs’ memory. Similar tools and scripts used by software developers can be misidentified as malicious too. While such software may be safe and legitimate, it is important to treat it with care.

      Vigorf.A Trojan Analysis

      Studying the behavior of a Trojan:Win32/Vigorf.A sample on an infected system showed me how elaborate these threats can be. Not only does the Trojan collect personal user data, but it also modifies system settings, creating additional vulnerabilities and opening the door for other malware.

      Methods of Distribution

      Trojan:Win32/Vigorf.A is often spread via spam e-mail campaigns containing malicious attachments or links. Once the user opens the attachment or clicks on the link, the Trojan is installed on their computer, either directly or through a loader script. Despite being used for malware spreading for years now, email spam remains a particularly potent and effective distribution option.

      Email spamming example

      Malvertising is another tricky method that, as far as my research goes, has been used to spread Trojan:Win32/Vigorf.A. This campaign exploits ad networks to display malicious ads in search engine results. Such ads redirect users to malicious duplicates of familiar sites or directly download malware onto their devices.

      Fake Libreoffice ad
      Fake LibreOffice ad that tries to mimic the original site’s URL

      In addition, Vigorf.A is often hidden in packages containing illegal or pirated software. When you download and install such programs, the trojan is installed along with them. Often such software is offered for free, which makes it attractive, but it ends up costing more because of the damage the trojan causes.

      Launch, Gaining Persistence and Data Collection

      After launching in the system, Trojan:Win32/Vigorf.A adds itself to autorun by taking advantage of the Startup folder. This allows it to start automatically every time the system starts. In my case, I found a strange shortcut adxjcv4.lnk, which turned out to be associated with the trojan.

      %APPDATA%\microsoft\windows\start menu\programs\startup\adxjcv4.lnk

      Alternatively, Vigorf.A may use the DLL hijacking technique. This happens particularly often when the malware arrives with a loader, which unpacks the sample and handles the launch. The way to run the malware is nothing unusual – a PowerShell command that runs the malware DLL through a call to rundll32.exe.

      rundll32.exe %windir%\system32\advpack.dll

      After the launch, the malware checks the system location by its IP address and switches to collecting system data. This gives Vigorf.A the ability to distinguish that particular system from others. This can also be used for more targeted attacks, or to get a rather exhaustive set of victims’ system info to analyze. In particular, the malware checks the values of the following keys to get info about programs present on the PC:

      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

      By checking the following keys, Trojan:Win32/Vigorf.A learns about the devices and networks the computer connects to and can identify the most vulnerable points for further attacks. This information helps malware operators deploy malware in a more relevant manner and get extra profit from systems related to a network.

      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet

      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

      C2 Communications and Malware Delivery

      After collecting all this data, Vigorf encrypts it and sends it to the command server using an HTTP POST request. The list of command servers was predefined for the samples I’ve worked with, but this may differ in other cases. The server, in turn, responds with a blob of data that instructs the malware on further actions. Obviously, for dropper malware, payload delivery is one of the most probable instructions it can get.

      To instruct the dropper to deliver malware, the C2 sends the URLs Vigorf should connect to and download it from. The dropper then sends HTTP GET requests to the following URLs:

      http[:]//185.117.75.198/fiscal/1
      http[:]//194.163.43.166/08/st/m.zip

      Files downloaded from these addresses were disguised as ordinary documents or incomplete files, making them difficult to detect and analyze. Once Vigorf finishes downloading the malware, it uses system utilities such as wuapp.exe to launch it.

      "C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"
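The persistence and launch indicators described in this section (a stray shortcut in the user’s Startup folder, rundll32.exe loading advpack.dll, wuapp.exe started with -c) can be checked on a suspect machine from a defender’s side. The script below is an added triage example, not code from the Gridinsoft post; it is read-only, assumes an elevated PowerShell session so that every process command line is readable, and the regexes are my own rendering of the launch lines quoted above.

```powershell
# Added example (not from the Gridinsoft post): read-only triage for the Vigorf.A
# indicators described in the analysis. It reports; it does not delete anything.
# Run elevated so Get-CimInstance can read the command lines of all processes.

# 1. Shortcuts in the per-user Startup folder and the targets they resolve to.
#    Vigorf.A dropped a random-named .lnk here (adxjcv4.lnk in the post).
function Get-StartupShortcut {
    # Resolves to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    $startup = [Environment]::GetFolderPath('Startup')
    $shell   = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        [pscustomobject]@{
            Shortcut   = $_.Name
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            Created    = $_.CreationTime
            # The post describes a PowerShell command launching the DLL via rundll32;
            # a startup shortcut that points at either deserves a closer look.
            Suspicious = $cmd -imatch 'rundll32|powershell'
        }
    }
}

# 2. Running processes whose command line matches the launch patterns from the post:
#    rundll32.exe loading advpack.dll, or wuapp.exe started with a "-c" argument.
function Get-SuspiciousLaunch {
    $patterns = @(
        'rundll32(\.exe)?"?\s+.*advpack\.dll',   # rundll32.exe %windir%\system32\advpack.dll
        'wuapp\.exe"?\s+-c\s'                    # "C:\Windows\System32\wuapp.exe" -c "...\cfg"
    )
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $cl = $_.CommandLine
            $cl -and ($patterns | Where-Object { $cl -imatch $_ })
        } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

Write-Host '== Startup folder shortcuts =='
Get-StartupShortcut | Format-Table -AutoSize

Write-Host '== Processes matching the Vigorf.A launch patterns =='
$hits = Get-SuspiciousLaunch
if ($hits) { $hits | Format-List } else { Write-Host 'none found' }
```

A hit on the second check is a lead, not a verdict: advpack.dll is a legitimate Windows DLL, so what matters is which process started rundll32.exe (the ParentProcessId column) and whether a shortcut from the first check points at it. On a machine suspected of infection, run the check before the clean-up so that the shortcut name and command line are recorded for the incident notes.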

      How to Remove Trojan:Win32/Vigorf.A?

      To remove Trojan:Win32/Vigorf.A, I recommend using GridinSoft Anti-Malware. It will detect and remove Vigorf.A, as well as find other malicious programs downloaded by it. This Anti-Malware can also work with Windows Defender to create an additional line of defense.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

      I would also recommend keeping the system and all programs updated to the latest versions to eliminate vulnerabilities that malware can exploit.

      Antimalware Service Executable (https://gridinsoft.com/blogs/antimalware-service-executable-high-cpu-memory-fix/, published Fri, 14 Jun 2024 18:12:38 +0000)
      Antimalware Service Executable is a system process that belongs to Windows Defender. Usually, it does not cause any issues, and the user does not notice it. In some cases, it can consume an abnormal amount of resources. I have compiled some practical solutions to address this problem in this article.

      What is Antimalware Service Executable?

      The Antimalware Service Executable is a core process of Microsoft Windows Defender, the built-in antivirus software in Windows. This process, also known as MsMpEng.exe, runs in the background to provide real-time protection against malware and other security threats. However, some Internet users complain that this process consumes an excessive amount of resources at times, which causes discomfort when using the PC.

      Antimalware service executable high cpu

      There are several factors responsible for this. First, Defender periodically performs a full scan, analyzing every file in the system. Such a process requires a lot of resources, so some devices start to slow down. Second, like most modern anti-malware solutions, Defender uses heuristic detection to check certain elements with special attention, potentially causing temporary system slowdowns.

      Although all anti-malware solutions consume a significant amount of resources during a scanning process, none of the third-party ones have an annoying habit of starting the scan sporadically. Also, due to certain bugs, it may simply hang at a certain point of the scanning process, keeping resource consumption high. Let me explain how to fix such behavior.

      Resolving Antimalware Service Executable High CPU Consumption

      There are several ways to solve the problem of excessive resource consumption by Defender. They are not complicated, but they do require some action from the user:

      Disable Scheduled Scans in Task Scheduler

      The main reason for Antimalware Service Executable high CPU consumption is that Defender runs a full scan, regardless of whether the user is actively using the device or the system is idling. The solution is to set a specific time for Defender to perform a full system scan. This is something like Active Hours in the Windows Update section, which does not apply to Defender’s activity for some reason. To change the scan schedule, press Start, type “Task Scheduler”, and open it.

      Antimalware Service Executable high memory

      In the left pane, click Task Scheduler Library, then navigate to Library → Microsoft → Windows → Windows Defender. As you open the Windows Defender folder, you will see Windows Defender Scheduled Scan, Windows Defender Cache Maintenance, Windows Defender Cleanup, and Windows Defender Verification in the middle pane. All four of these tasks need to undergo the following procedure.

      Disable scheduled scans Defender

      We will start with Windows Defender Scheduled Scan. Double-click on it, click the Conditions tab, and uncheck all options to clear scheduled scans.

      Disable scheduled scans, enable triggers

      Now, you must create a trigger to call a task at a certain time. To do this, go to the “Triggers” section and click “New…”.

      Select a time that will not interfere with your activities, choose “Daily”, and set how often Defender will perform the scan (by default, it is recurring every day), then click “OK”. If you do not need the scans to happen at all, you can just keep this parameter at “Disabled”. Repeat these actions for each item.
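The same four-task procedure can be scripted so that it does not have to be repeated by hand for each item. This is an added PowerShell example, not code from the Gridinsoft post; it assumes an elevated session, and 03:00 is a placeholder off-hours time to replace with one that suits you.

```powershell
# Added example (not from the Gridinsoft post): the Task Scheduler procedure above,
# applied to all four Defender tasks from an elevated PowerShell session.
$taskPath = '\Microsoft\Windows\Windows Defender\'
$tasks = @(
    'Windows Defender Scheduled Scan',
    'Windows Defender Cache Maintenance',
    'Windows Defender Cleanup',
    'Windows Defender Verification'
)

# Show the current state first: when each task last ran and when it will run next.
Get-ScheduledTask -TaskPath $taskPath |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, NextRunTime

# Equivalent of clearing the Conditions tab: allow the task to start and keep running
# on battery, so nothing but the trigger decides when it runs.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Equivalent of the "Daily" trigger: one run per day at the chosen time (placeholder: 03:00).
$trigger = New-ScheduledTaskTrigger -Daily -At 3am

foreach ($name in $tasks) {
    # Set-ScheduledTask replaces the existing trigger set and settings of the task.
    Set-ScheduledTask -TaskPath $taskPath -TaskName $name -Trigger $trigger -Settings $settings | Out-Null
    Enable-ScheduledTask -TaskPath $taskPath -TaskName $name | Out-Null
}

# Verify: NextRunTime should now fall at the chosen hour for every task.
Get-ScheduledTask -TaskPath $taskPath |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime
```

Defender also has its own scan schedule, independent of these tasks, which you can set with Set-MpPreference (for example, -ScanScheduleDay Everyday -ScanScheduleTime 03:00:00). If a Windows update later restores the default task triggers, re-run the script or rely on the Set-MpPreference schedule instead.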

      Exclude MsMpEng.exe from Scans

      One particular place where Microsoft Defender may have issues is scanning its own files. The elevated privileges of this program conflict with themselves when it comes to scanning its own files. To fix this silly issue, open Task Manager and find Antimalware Service Executable in the processes list. Right-click on it and select Open File Location in the drop-down menu.

      MsMpEng.exe file location

      In the opened window, you need to copy the full path of the Antimalware Service Executable. Right-click the address bar and press “Copy path”.

      MsMpEng copy path

      Now launch Windows Defender. You can use the Start Menu search bar to input Windows Defender right there and open the first found item.

      Windows Defender screenshot

      In the opened Windows Defender Security Center, go to “Virus & threat protection” → Virus & threat protection settings.

      MS Defender set exclusions

      Scroll the settings down to Exclusions and click “Add or remove exclusions”. On the opened screen, press “Add an exclusion”, select Folder, and paste the path from your clipboard. Click Open, and Windows Defender will not scan the folder where Antimalware Service Executable is located.

      Disabling of the On-run Protection

      This method is the quickest but only a temporary solution, as it disables Defender’s background protection until the next system startup. Open Defender, click “Virus & threat protection”, and select “Manage settings”. Switch all the toggles to the “Off” position.

      Defender protection settings screenshot

      Completely Disable Windows Defender

      I strongly advise against completely disabling Defender, as it puts your system at risk. However, if you accept all the risks, follow the instructions carefully, as changing various registry settings can lead to serious system problems.

      Open the Registry Editor: press Win+R, type regedit and press Enter. In the opened Registry Editor, take the following path using the navigation pane on the left side of the window: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

      DisableAntiSpyware registry entry

      Right-click the right pane of the Registry Editor window and, in the dropdown menu, select: New → DWORD (32-bit) Value. Name this entry DisableAntiSpyware. Double-click the entry and set its value to 1.
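Because this same registry value is also a favourite of malware that wants Defender out of the way, it is worth being able to audit it and to compare it with what Defender itself reports. The following is an added PowerShell example, not code from the Gridinsoft post; it assumes an elevated session and only reads the state (the one-line revert is left as a comment).

```powershell
# Added example (not from the Gridinsoft post): audit the DisableAntiSpyware policy
# value described above and compare it with Defender's own status report.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DisableAntiSpywareState {
    $item = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Present = $false; Value = $null }
    } else {
        [pscustomobject]@{ Present = $true;  Value = $item.DisableAntiSpyware }
    }
}

$state = Get-DisableAntiSpywareState
if ($state.Present) {
    Write-Host "DisableAntiSpyware is present, value = $($state.Value) (1 = Defender disabled by policy)"
} else {
    Write-Host 'DisableAntiSpyware is not set; Defender is not disabled through this key'
}

# Defender's own view. IsTamperProtected = True means Tamper Protection is on, and
# current Windows 10/11 builds then ignore this registry value, so the two views can disagree.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                  IsTamperProtected, AntivirusSignatureLastUpdated

# To return to the default after testing, remove the value and reboot:
# Remove-ItemProperty -Path $policyKey -Name DisableAntiSpyware
```

If the value is present on a machine where nobody set it deliberately, treat that as a finding rather than a configuration quirk: check who wrote it (the key’s last-write time and any deployment policy) before removing it.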

      Use an Alternative Solution

      If you still decide to stop using Windows Defender, you can use alternative solutions from third-party developers. GridinSoft Anti-Malware is an excellent alternative to the standard Windows solution. Moreover, it has several advantages, including optimization—the application consumes a moderate amount of resources during a full scan, allowing for comfortable use even on devices with less powerful hardware.

      Additionally, GridinSoft Anti-Malware includes an Internet Security module, which blocks phishing and potentially unsafe websites. Furthermore, using this tool does not require disabling Windows Defender, allowing you to use both solutions simultaneously, complementing each other.

      Antimalware Service Executable

      Usermode Font Driver Host (fontdrvhost.exe) (https://gridinsoft.com/blogs/usermode-font-driver-host-high-cpu-and-memory/, published Thu, 13 Jun 2024 09:14:41 +0000)
      The Usermode Font Driver Host process is an important part of the Windows operating system. It may raise questions among users due to its high consumption of resources such as CPU and memory. Let’s find out what this process is and whether you can do without it.

      What is Usermode Font Driver Host?

      The Usermode Font Driver Host process, as its name suggests, is responsible for handling fonts in user mode, which helps the system display text in various applications and interfaces. The running process is usually located in the standard system directory C:\Windows\System32\fontdrvhost.exe. This process also handles requests from applications and programs that require font rendering services. Among the latter is everything from basic text display to complex font formatting in documents and web pages.

      Usermode Font Driver Host process Task Manager

      In recent Windows updates, when you try to find the fontdrvhost.exe process in Task Manager, you will see that it is running under the user name “UMFD-0”. This is an account for the User Mode Driver Framework, which restricts the process’s access to only working with fonts. This provides the security that recent Windows updates have brought. The UMFD-0 account ensures that the process does not extend to activities other than font manipulation.

      Usermode Font Driver Host High CPU and Memory Troubleshooting

      High consumption of CPU and memory resources by the Usermode Font Driver Host process may occur in several cases. The first is when you are working with graphics editors or design programs, or loading a large number of non-standard fonts.

      Alternatively, increased consumption can also be caused by incorrect operation of, or a failure in, the Windows font management system. When corrupted or incorrectly created fonts are installed in the system, Usermode Font Driver Host may consume an excessive amount of resources trying to process or fix them.

      Problems with Usermode Font Driver Host may be related to a corrupted UMFD-0 image. There are a couple of ways to solve this problem – running a system file scan, or updating Windows. Let’s start with the least invasive one.

      Step 1: Run System File Checker

      Windows carries quite a few system recovery utilities that will be helpful with pretty much any situation. In the case of file corruption, a tool called System File Checker will be on hand.

      1. Open a command prompt as administrator:
        Type cmd in the search box and click “Run as administrator” to open an elevated Command Prompt.
        cmd in the search box
      2. Type the following command, sfc /scannow, and press Enter.
        System File Checker
      3. Wait for the scanning process to complete and for errors to be corrected.
      4. Restart your computer after the scan is complete.

      If System File Checker does not solve the problem, it may indicate deeper system irregularities. In such a case, it is recommended to update Windows, which replaces and updates system files and may fix existing system problems.

      Step 2: Update Windows

      Windows Update is an effective solution to the problem of high resource consumption caused by incompatibility or a faulty system module. Each Windows update contains bug fixes and performance improvements that can solve existing resource consumption problems. Developers constantly analyze user reports and diagnostic data to optimize system performance. To check for updates, press the Windows key + I and choose “Windows Update.” If any updates are available, download and install them.

      Windows Update

      Step 3: Remove Damaged Fonts

      As I wrote above, fontdrvhost.exe may consume an excessive amount of resources trying to process corrupted fonts. Therefore, remove fonts that have been installed recently or may be corrupted.

      To do this, go to Control Panel > Fonts.

      Remove fonts

      Then, remove fonts that fall under the following description:

      • The font is not compatible with your encoding language
      • Downloaded from unreliable sources
      • Font is repeated several times
      • Not used for a long time

      Can I Stop or Disable Usermode Font Driver Host?

      The Usermode Font Driver Host is a crucial component in the smooth operation of many Windows applications, due to its integral role in managing font rendering processes within user sessions. Given its importance, it’s clear that this system process should not be tampered with, as it is not harmful in nature. If you’re experiencing unusual behavior related to the fontdrvhost.exe process or any system instability, it might not be the process itself but rather an indication of other underlying issues—possibly malware.

      Therefore, it would be wise to conduct a comprehensive system scan for viruses or malware to ensure your system’s integrity. A reliable tool for this task is Gridinsoft Anti-Malware. This software is designed to detect and remove malware, offering a robust defense against potential threats that could masquerade as legitimate system processes or exploit them to carry out malicious activities. Regular scanning with such a tool can help maintain your system’s health and safeguard against security threats.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

      AcroTray.exe (https://gridinsoft.com/blogs/acrotray-exe/, published Thu, 13 Jun 2024 05:56:07 +0000)
      The Acrotray.exe process is one of the important components provided by Adobe Systems. This process is associated with Adobe Acrobat software and often starts automatically when the Windows operating system starts. However, not every user knows what this process is, what it is for and whether it is safe. Let’s do a complete technical analysis of this process, its functionality, and security.

      AcroTray.exe – What is it?

      AcroTray.exe is an executable file that is part of the Adobe Acrobat software. This process supports PDF-related functions such as document conversion, creation, and editing directly from the desktop without having to open the Adobe Acrobat program itself. In addition, AcroTray.exe helps manage licenses and updates for Adobe products. That function is critical for enterprise users, who must keep all of these up to date.

      AcroTray.exe in system startup
      Windows start-up configuration

      The Acrotray.exe process usually starts at system startup and runs in the background, providing quick access to Adobe features. This may include integration with various applications such as Microsoft Office, where Acrotray.exe acts as an intermediate layer that facilitates the export and import of PDF documents. Technically, the process is a safe and important element for users of Adobe products, but its constant presence among active processes may raise questions about the appropriateness of its use.

      Main Functionalities:

      • The ability to convert documents to PDF format from various applications such as Microsoft Office (Word, Excel, and others) without opening Adobe Acrobat.
      • Help with managing the printing of PDF documents. Participates in setting up print options and selecting options right before printing. This improves the quality and accuracy of printed documents.
      • Automated update checks for Adobe Acrobat and other Adobe components.
      • Management for various plug-ins and add-ons for Adobe Acrobat, ensuring that they work properly and interact with the main program.
      • Informer functions, providing notifications of new features, offers, or changes to Adobe services.

      Acrotray.exe is Missing – Fixing Guide

      The problem with the missing Acrotray.exe file can be a major nuisance for Adobe Acrobat and Adobe Reader users. The absence of this file can cause the program to malfunction, or produce errors during startup or while performing certain functions such as viewing PDF documents or printing them. Here are a few steps you can take to resolve this issue:

      Program repair via Control Panel can help you recover missing files, including Acrotray.exe.

      1. Close the Adobe Acrobat program and all Acrobat processes from Task Manager.
      2. Then open “Control Panel” → “Programs” → “Programs and Features” → “Uninstall a program” and click “Adobe Acrobat DC”.
      3. Press “Change” and choose “Repair” in the dialog box.
      4. After the program repair is complete, restart your PC.

      In case repair did not help, reinstall the program. For this, uninstall the program in the same Control Panel and restart the computer. Install Adobe Acrobat downloaded from the official website.

      AcroTray.exe – Is it a Virus?

      As I wrote above, AcroTray.exe is a completely legitimate file. Still, like with any other executable file, its name may be taken by a virus or other malware. To make sure that AcroTray.exe is safe, you should check its location. The correct path to the file should be in the folder:

      C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroTray.exe
      – for modern versions of Adobe Acrobat

      C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\AcroTray.exe
      – for older versions of Adobe Acrobat (11 and under)

      Another way to understand whether the Acrotray process is legit is to check the location and digital signature of the file.

      To authenticate AcroTray.exe, you can use Task Manager:

      • To do this, press the key combination: Ctrl+Shift+Esc

      Opening Task Manager

      • In the list of processes, find the process with the name AcroTray.exe. Right-click on the process of interest in the list. Select “Open file location”. This action will automatically open the folder where the process executable is located.

      AcroTray.exe location

      • Right-click on the AcroTray.exe file and select “Properties”.

      AcroTray.exe Properties

      • Click the “Details” tab and check the file information such as description, file size and digital signature. Legitimate Adobe files are usually digitally signed by Adobe Systems Incorporated.

      Details

      Attackers may use the name AcroTray to disguise their malware – a common trick for backdoors and coin miner malware. If you find the AcroTray.exe file in an unusual location, such as AppData\Roaming or AppData\Temp folder, or its behavior is suspicious (such as excessive use of system resources), it may be a sign of infection.
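The three manual checks above (expected install path, digital signature, unusual location such as AppData) can be done in one step from PowerShell. This is an added example, not code from the Gridinsoft post; the two expected paths are the ones listed above, and the signer check simply looks for “Adobe” in the certificate subject, which covers both the older “Adobe Systems Incorporated” and the current “Adobe Inc.” signer names.

```powershell
# Added example (not from the Gridinsoft post): verify every running AcroTray.exe
# against the location and signature checks described in the post.
function Test-AcroTray {
    # Expected install locations, as given in the post.
    $expectedPaths = @(
        'C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroTray.exe',
        'C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\AcroTray.exe'
    )

    $procs = Get-Process -Name AcroTray -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Host 'AcroTray.exe is not running.'
        return
    }

    foreach ($p in $procs) {
        $path = $p.Path
        if (-not $path) {
            # Path is unreadable (typically an access problem); report and move on.
            [pscustomobject]@{ PID = $p.Id; Path = '(unreadable)'; Verdict = 'inspect manually' }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        $knownLocation = $expectedPaths -contains $path           # -contains is case-insensitive
        $validSig      = $sig.Status -eq 'Valid'
        $adobeSigned   = $signer -match 'Adobe'
        $inUserProfile = $path -imatch '\\AppData\\'               # Roaming / Local\Temp, as in the post

        [pscustomobject]@{
            PID            = $p.Id
            Path           = $path
            KnownLocation  = $knownLocation
            SignatureValid = $validSig
            SignedByAdobe  = $adobeSigned
            Signer         = $signer
            InUserProfile  = $inUserProfile
            Verdict        = if ($validSig -and $adobeSigned -and -not $inUserProfile) { 'looks legitimate' }
                             else { 'suspicious: scan the system' }
        }
    }
}

Test-AcroTray | Format-List
```

A valid Adobe signature on a file outside the two listed folders is normal for other Acrobat versions or a custom install directory, so KnownLocation alone is not a verdict; an unsigned or non-Adobe-signed binary under AppData is the combination that matches the impostor pattern the post describes.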

      Scan your system for viruses

      On the other hand, if you want to completely uninstall AcroTray.exe, you can uninstall the entire Adobe Acrobat package if you don’t need it. To do this, open “Control Panel” → “Programs and Features”, find Adobe Acrobat and select “Uninstall”.

      Nevertheless, to make sure that the AcroTray.exe file is safe, it is recommended to perform an antivirus scan. One reliable tool for this purpose is Gridinsoft Anti-Malware. This antivirus specializes in detecting and eliminating various types of malware, including those that can hide under the guise of legitimate system files.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

      Windows Defender Security Warning (https://gridinsoft.com/blogs/windows-defender-security-warning/, published Fri, 07 Jun 2024 16:43:55 +0000)
      “Windows Defender Security Warning” is a scam website that falsely claims your PC is infected and urges you to contact Microsoft tech support. This scam is part of a larger scheme aimed at deploying unwanted software on users’ devices and extracting money for resolving nonexistent issues. It has been around for some time and targets users worldwide.

      Tech support scams represent a particularly notorious type of online fraud, utilizing various tactics to coerce people into making a phone call to a fake support service. The Windows Defender Security Warning scam is one of the most enduring and widespread methods used in these schemes. In this article, I will describe what this scam is, how it operates, and how you can avoid falling victim to it in the future.

      What is Windows Defender Security Warning?

      As mentioned earlier, the Windows Defender Security Warning typically appears as a browser window after clicking a link on a certain website. It displays numerous smaller windows, which are actually non-interactive images. These fake alerts inform the user that their PC is blocked “for security reasons”. In the background, a robotic voice claims the following:

      “Important security message! Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus. To unlock the computer please call the support immediately. Please do not attempt to shut down or restart your computer. That will lead to data loss and identity theft.”

Clicking on any element of the page, which in fairness may happen by accident, switches the site to fullscreen with no obvious way out. The Escape key does not appear to work, and moving the mouse around the screen does not help either. For a user who does not know shortcuts such as Alt+F4 (close the active window), Ctrl+W or Ctrl+F4 (close the current tab), Alt+Tab (switch windows) or Ctrl+Shift+Esc (open Task Manager), it can look like a trap. That, together with the audio alert, is meant to push the user into following the scam's instructions and calling the "support" number.

Typical example of a Windows Defender Security Warning scam page

      As you can see, this is just a scam designed to capitalize on the fear of individuals who may have less knowledge about computer security or computers in general. However, let’s take a closer look at how this scam operates—there are quite a few interesting tactics involved.

      Windows Defender Security Warning Mechanism Explained

      The scam begins by luring users to the Windows Defender Security Warning page. To achieve this, scammers often purchase link placements on dubious websites, such as those hosting pirated movies. A user clicking on a play button or attempting to skip an ad in the video player may be redirected to the scam site.

The domains hosting this scam vary widely. The page content always impersonates Microsoft, but as the list below shows, the domain names themselves rarely do: many are random words on cheap or free TLDs (.ml, .tk, .ga, .cf), and some sit on legitimate cloud hosting (ondigitalocean[.]app is a DigitalOcean App Platform address). In some egregious instances, fraudsters have even managed to obtain hosting from Microsoft itself. Below is a list of sites observed in this campaign; treat it as a snapshot, since these domains are rotated frequently:

digitalcompletes[.]online
spicyhotrecipes[.]site
rickyhousing[.]xyz
gardenhub[.]site
morningh[.]shop
robortcleaning[.]site
jadeneal[.]autos
programmaticcrooks[.]online
elhiuwf[.]cf
hitorikawag[.]top
adultfriend[.]store
yeddt[.]jet
jonwirch[.]com
aweqaw12d[.]tk
helpadvance[.]ga
333waxonet[.]ml
noblevox[.]com
risingsolutions[.]online
pixua[.]com
adultfriend[.]site
giveserendipity[.]website
connectflash[.]ml
ondigitalocean[.]app
dothrakiz[.]com
jbvhjcbjzvhxvhzcjgzvgcczgh29[.]ml
digitalflawless[.]ga
todogallina[.]es
markmoisturise[.]online
enterthecode[.]org
ebonygirlslive[.]com
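As an added example, not part of the original post, here is a PowerShell script that turns the defanged list above into something actionable on a Windows host. It re-fangs the indicators, checks the DNS client cache for evidence that any of them was resolved recently, reports which ones are not yet sinkholed in the hosts file and, with the -Block switch, appends 0.0.0.0 entries for the rest. The domain array is copied from the list above; the -Block switch and the hosts-file approach are my own choice, not something the post describes.

```powershell
# Added example: triage a Windows host against the scam domain list above.
# Not from the original post. Run in an elevated PowerShell to modify the hosts file.
param(
    [switch]$Block   # append 0.0.0.0 entries for indicators not yet in the hosts file
)

# Indicators copied from the post's list, defanged ("[.]" instead of "."), so
# this script can be pasted into tickets without creating live links.
$defanged = @(
    'digitalcompletes[.]online', 'spicyhotrecipes[.]site',      'rickyhousing[.]xyz',
    'gardenhub[.]site',          'morningh[.]shop',             'robortcleaning[.]site',
    'jadeneal[.]autos',          'programmaticcrooks[.]online', 'elhiuwf[.]cf',
    'hitorikawag[.]top',         'adultfriend[.]store',         'yeddt[.]jet',
    'jonwirch[.]com',            'aweqaw12d[.]tk',              'helpadvance[.]ga',
    '333waxonet[.]ml',           'noblevox[.]com',              'risingsolutions[.]online',
    'pixua[.]com',               'adultfriend[.]site',          'giveserendipity[.]website',
    'connectflash[.]ml',         'ondigitalocean[.]app',        'dothrakiz[.]com',
    'jbvhjcbjzvhxvhzcjgzvgcczgh29[.]ml', 'digitalflawless[.]ga', 'todogallina[.]es',
    'markmoisturise[.]online',   'enterthecode[.]org',          'ebonygirlslive[.]com'
)

# Re-fang, normalise case, drop duplicates.
$domains = $defanged |
    ForEach-Object { $_.Replace('[.]', '.').ToLowerInvariant() } |
    Sort-Object -Unique

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsText = if (Test-Path $hostsPath) { Get-Content -Path $hostsPath -Raw } else { '' }

# 1. Evidence of contact: the DNS client cache holds names resolved recently
#    (until their TTL expires or the cache is flushed).
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $domains) {
    $hits = @($cache | Where-Object { $_.Entry -eq $d -or $_.Entry -like "*.$d" })
    if ($hits.Count -gt 0) {
        Write-Warning "Recently resolved scam domain: $d -> $($hits.Data -join ', ')"
    }
}

# 2. Which indicators are not yet sinkholed in the hosts file?
$missing = @($domains | Where-Object {
    $pattern = '(?m)^\s*0\.0\.0\.0\s+' + [regex]::Escape($_) + '\s*$'
    $hostsText -notmatch $pattern
})
Write-Host ("{0} indicators, {1} not yet sinkholed in {2}" -f $domains.Count, $missing.Count, $hostsPath)

# 3. Optional blocking. 0.0.0.0 is preferred over 127.0.0.1 so the browser
#    fails immediately instead of probing a local listener.
if ($Block -and $missing.Count -gt 0) {
    $lines = @("# Windows Defender Security Warning scam domains, added $(Get-Date -Format s)")
    $lines += $missing | ForEach-Object { "0.0.0.0 $_" }
    Add-Content -Path $hostsPath -Value $lines -Encoding ASCII
    Clear-DnsClientCache
    Write-Host "Added $($missing.Count) hosts entries and flushed the DNS client cache."
}
```

Two caveats a practitioner should keep in mind. Hosts-file entries match exact names only, so an apex like ondigitalocean[.]app (shared hosting where the scam lives on a subdomain) is not really blocked this way and belongs in a DNS filter instead; and a browser that does its own DNS-over-HTTPS resolution bypasses the hosts file entirely. Because the redirect domains rotate, the lasting value of the script is the cache check, which answers "did someone on this machine already land on one of these pages" during triage.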

      Once the user lands on the scam site, it typically goes fullscreen and starts playing the previously mentioned audio message. The main goal of this message is to coerce the victim into contacting “tech support” using the phone number displayed on the site, which is mentioned multiple times. The phone call marks the final phase of the scam.

The so-called support manager begins by instructing the user to download sketchy software that supposedly resolves the issue, without ever explaining how the software addresses identity compromise. Over the life of this scam, various fraudulent programs have been offered, including SystemKeeper, Driver Updater, and Wise System Mechanic. As expected, all of them are ineffective potentially unwanted programs (PUPs) that go on to demand payment for fixing a myriad of non-existent problems.

      What is the purpose of all this, you might ask? Money is the short and universal answer. The fraudsters posing as tech support managers receive commissions for each user they persuade to download the software. Meanwhile, the developers of this software profit from users purchasing licenses. Considering how long this scam has been active, the monetary turnover is quite substantial.

      How to Protect Against Windows Defender Security Warning Scam?

      The primary advice for protecting against the Windows Defender Security Warning scam and similar schemes is to avoid websites that initiate these scams. As mentioned, the majority of redirects to scam websites originate from pages hosting pirated content. This should be another reason to steer clear of such sites, beyond the fact that content piracy is illegal. Additionally, pirated software or games pose a significant security risk.

Learn how genuine notifications from security software look, and how they do not. Neither Microsoft Defender nor any other antivirus/antimalware program issues security notifications through a web browser: a real Defender alert arrives as a Windows notification and is listed in the Windows Security app under Virus & threat protection > Protection history, never in a browser tab. None of them will prompt you to call support while appearing to block your computer, and a legitimate Microsoft error or warning message never contains a phone number. And, importantly, no genuine tech support from any security vendor will ever advise you to install questionable third-party software.

      Use reliable antivirus software with network protection. To prevent scam pages from opening and to ensure your system remains secure regardless of any fake alerts, a robust antivirus solution is essential. GridinSoft Anti-Malware offers excellent malware removal capabilities and network protection, backed by a multi-component detection system and regular updates.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

Program:Win32/Uwamson.A!ml
https://gridinsoft.com/blogs/program-win32-uwamson-aml/
Thu, 16 May 2024 20:27:49 +0000

      The post Program:Win32/Uwamson.A!ml appeared first on Gridinsoft Blog.

Win32/Uwamson.A!ml is the name of a specific Microsoft Defender detection. It indicates that a scanned program or file has characteristics typical of malware. It is also a detection that quite often turns out to be a false positive. Let's look at it in more detail.

      What is Win32/Uwamson.A!ml?

Program:Win32/Uwamson.A!ml is a generic detection name that Microsoft Defender assigns to suspicious programs found on your system. Two parts of the name carry meaning: the "Program:" type prefix, which in Microsoft's naming scheme marks potentially unwanted software rather than a confirmed trojan, and the "!ml" suffix, which marks a verdict produced by Defender's machine-learning classifier rather than a signature match. The detection is frequently triggered by software bundled with "system repair" utilities. Behaviour that typically earns it includes attempts to change system settings, covert code execution, or contacting remote servers without the user's permission; in the worst case, such a program can give a third party remote access to the computer and to sensitive information.

      Win32/Uwamson.A!ml detection Defender

The detection is also often raised on legitimate cryptocurrency miners such as NiceHash, because a miner drives the CPU and GPU to full load and behaves much like malicious cryptojacking software. A miner may also have been installed without the user's consent, which is a further reason Defender flags it. Keep in mind, though, that not every miner is safe: some builds ship with hidden malicious components.

      Is Win32/Uwamson.A!ml False positive Detection?

Antivirus software can mistakenly flag a program as Win32/Uwamson.A!ml when the program is in fact legitimate and harmless. This happens when a benign program shares characteristics with malware: for example, it is unsigned, packed, or modifies system settings in the same way a trojan would.

      !ml detection false positive

The "!ml" suffix itself is a hint that a detection may be false. It indicates that the verdict came from Defender's machine-learning module rather than from a static signature. ML classification is an effective way to catch new and unknown threats, but it works on features and behaviour rather than on a known-bad hash, so it produces false positives more often than signature matches do. A practical check: if the same file is clean in other engines, carries a valid Authenticode signature from a known vendor, and sits where you installed it, the detection is probably spurious. Submit the file to Microsoft for analysis rather than simply adding an exclusion.
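The checks just described can be done from PowerShell with nothing but the built-in Defender module. The script below is an added example, not code from the original post: it pulls the Uwamson.A!ml entry from Defender's threat history, finds the flagged files, and records the facts that decide a false-positive call (Authenticode signer and status, SHA-256 for a VirusTotal or vendor lookup, whether the file is still on disk). It assumes Defender reports file resources with the usual "file:_" prefix; nothing is excluded or restored automatically. The same function, called with a different threat name, is also the honest way to check whether Windows has recorded a detection at all when a browser page claims it has.

```powershell
# Added example: triage a Program:Win32/Uwamson.A!ml detection before deciding
# whether it is a false positive. Not from the original post. Run elevated;
# uses only the built-in Defender module and Get-AuthenticodeSignature.

function Get-DefenderDetectionTriage {
    param(
        [string]$ThreatName = 'Program:Win32/Uwamson.A!ml'   # any Defender threat name
    )

    $threats = @(Get-MpThreat | Where-Object { $_.ThreatName -eq $ThreatName })
    if ($threats.Count -eq 0) {
        Write-Host "No '$ThreatName' entry in Defender's threat history."
        return
    }

    foreach ($t in $threats) {
        # One threat ID can have several detections (the same file seen repeatedly).
        $dets = @(Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID })
        foreach ($det in $dets) {
            # Resources are reported as "file:_C:\path\x.exe", "process:_pid:...", etc.
            # (assumed format; keep only the file resources).
            $files = @($det.Resources |
                Where-Object { $_ -like 'file:_*' } |
                ForEach-Object { $_.Substring('file:_'.Length) })

            foreach ($f in $files) {
                $report = [ordered]@{
                    ThreatName     = $t.ThreatName
                    Severity       = $t.SeverityID       # Microsoft severity, 1 = low .. 5 = severe
                    Detected       = $det.InitialDetectionTime
                    ActionSuccess  = $det.ActionSuccess  # did Defender quarantine/remove it
                    File           = $f
                    StillPresent   = Test-Path -LiteralPath $f
                    Signer         = $null
                    SignatureState = $null
                    SHA256         = $null               # for a VirusTotal / vendor lookup
                }
                if ($report['StillPresent']) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $f
                    $report['SignatureState'] = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted ...
                    $report['Signer'] = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    $report['SHA256'] = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
                }
                [pscustomobject]$report
            }
        }
    }
}

# A quarantined file is no longer on disk, so StillPresent is $false and only the
# Defender-side facts are shown. Decide per file: a Valid signature from a vendor
# you installed, a hash that other engines consider clean, and a path you
# recognise point to a false positive. Submit the file to Microsoft before
# allowing it; if you must exclude, exclude that one file, never a folder:
#   Add-MpPreference -ExclusionPath 'C:\Tools\miner.exe'   (hypothetical path)
Get-DefenderDetectionTriage | Format-List
```

Read the output with the "!ml" caveat in mind: a NotSigned status on a small self-built tool is expected and not incriminating on its own, whereas HashMismatch on a file that claims a vendor signature means the binary was modified after signing and should be treated as malicious regardless of what the classifier said.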

      How to remove Win32/Uwamson.A!ml from my PC?

To remove Win32/Uwamson.A!ml, I recommend using GridinSoft Anti-Malware. Malware of this type can run processes that are hard to find and terminate by hand, so a dedicated tool is the most reliable way to remove it. GridinSoft Anti-Malware thoroughly scans every part of the system and can remove even the most stealthy malware.

      Program:Win32/Uwamson.A!ml
