Fake IT help websites promote harmful PowerShell programmes as Windows patches

Fake IT support websites promote malicious PowerShell \"fixes\" for common Windows errors, such as the 0x80070643 error, to infect devices with information-stealing malware.

First discovered by eSentire's Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, threat participants create fake videos to promote the 0x80070643 error that has been dealing with millions of Windows users since January.

In the patch in January 2024, Microsoft released a secure update to repair Bitlocker encrypted bypass defects. After installing the update, Windows users around the world reported getting "0x80070643 - ERROR_INSTALL_FAILURE" when trying to install the update, and no matter how hard they tried, the problem wouldn't go away.

"There were some problems installing the update, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643), \"Reading Windows Update error.

It turns out that Windows Update displays an incorrect error message because it should display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems where the Windows Recovery Environment (WinRE) partition is too small to install the update. Microsoft explained that the new security update requires 250 MB of free space on the WinRE partition. If not, you need to extend the partition yourself.

However, for those where WinRE is not the last partition on the drive, extending the WinRE partition can be difficult, if not impossible. As a result, many people are unable to install security updates and get the error message 0x80070643 every time they use Windows Update.

These bugs lead many frustrated Windows users to search for solutions online, allowing threat actors to take advantage of their search for fixes. Fake IT site advertises PowerShell fixes

According to eSentire, threat actors create a number of fake IT support sites designed to help users troubleshoot common Windows errors, focusing on error 0x80070643.

"In June 2024, eSentire's Threat Response Unit (TRU) observed an interesting case involving a Vidar Stealer infection initiated via a fake IT support website (Figure 1)," eSentire's report explained. "The infection started when the victim searched the web for solutions to a Windows Update error code."