This SupportScam malware can prevent you from fully using your PC by displaying prompts that mislead you into calling a fake tech support phone number to fix a problem that does not exist. When you call that number, you may be asked to pay the scammer for the fake support service.
This threat can arrive on your PC as part of a software bundle.
For more help on how to spot and stop this threat:
In Australia, you can use the ScamWatch website to report a scam.
When you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk.
If you have already engaged with and paid for a fake support service:
Apply all security updates as soon as they are available. Do a full scan to remove the threat.
Change your passwords.
Call your credit card provider to reverse the charges, if you have already paid.
Monitor for anomalous logon activity. Block traffic to services that you would not normally access.
Threat behavior
Installation
Upon execution, it drops the following files:
C:\Program Files\Power Update\fatalerror.exe
C:\Program Files\Power Update\sr60.bat
It also creates the following keys to ensure that it runs at every system startup:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sets value: "L" <varies> With data: "<full path of the original malware executable, varies>", for example C:\Program Files\Power Update\fatalerror.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Sets value: Shell With data: "<full path of the original malware executable, varies>", for example C:\Program Files\Power Update\fatalerror.exe
It then executes its batch file component, C:\Program Files\Power Update\sr60.bat, which opens a URL (for example, http://lnk.direct/wPA) and shuts down the system.
When the system has rebooted, a landing screen appears asking for a product key and directing you to call a fake support number.
Analysis by Alden Pornasdoro
Prevention
If you receive an unsolicited email message or phone call that purports to be from Microsoft and requests that you send personal information or click links, ignore the message, or hang up the phone.
Be wary of downloading software that is not hosted on its official website. Some such downloads might be bundled with malware like SupportScam without the software author's knowledge.
Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information or to fix your computer. Treat all unsolicited phone calls with skepticism. Do not provide any personal information.
The following can indicate that you have this threat on your PC:
You see the following fake screens asking you to contact fake tech support numbers:
You see the following registry modifications or something similar:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sets value: "L" <varies> With data: "<full path of the original malware executable, varies>", for example C:\Program Files\Power Update\fatalerror.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sets value: "L" <varies> With data: "<full path of the original malware executable, varies>", for example C:\Program Files\Power Update\fatalerror.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Sets value: Shell With data: "<full path of the original malware executable, varies>", for example C:\Program Files\Power Update\fatalerror.exe
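The dropped files and the autostart locations listed under Installation and in the indicators above can be checked with a short script. The following PowerShell is an added example written for this entry, not code from Microsoft or from the malware; it assumes the paths and registry keys exactly as documented here and that it is run with administrator rights so HKLM is fully readable.

```powershell
# Added detection example for the SupportScam indicators documented in this entry.
# Run as Administrator so the HKLM keys and Program Files are fully readable.

# Dropped files named on the page.
$droppedFiles = @(
    'C:\Program Files\Power Update\fatalerror.exe',
    'C:\Program Files\Power Update\sr60.bat'
)

# Autostart locations named on the page. The "L" value name varies, so every
# value under each Run key is inspected rather than only a fixed name.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$findings = @()

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'Power Update|fatalerror\.exe') {
            $findings += "Run value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# Winlogon\Shell is normally exactly "explorer.exe"; any other value is suspicious,
# whether or not it points at the path documented here.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No SupportScam indicators from this entry were found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A non-default Winlogon Shell should be restored to explorer.exe only after the referenced executable has been removed, otherwise the next logon will still launch it from the Run key.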