As phishing scams continue to evolve, the emergence of Malware as a Service (MaaS) specifically targeting Windows users highlights this trend. While Microsoft has taken measures to respond to these threats, the underlying scam remains active. Here’s a closer examination of how this sophisticated scam operates and what steps you can take to safeguard yourself.
Understanding the Malware as a Service Phishing Scam
Phishing scams typically arrive as emails, text messages, pop-ups, or look-alike websites designed to deceive users. A recent campaign identified by Microsoft Defender researchers impersonates trusted applications to trick people into installing malware themselves, which makes the intrusion much harder to detect.
By default, Windows warns before running an executable that is unsigned or that SmartScreen has no reputation for, which stops most malware before it starts. An Extended Validation (EV) code-signing certificate is the way around that warning: the issuing certificate authority vets the publisher's identity, and Windows treats binaries signed with an EV certificate as coming from an established publisher. The certificate vouches for who signed the code, not for what the code does, and the scammers exploited exactly that gap.
They built a façade of legitimacy around TrustConnect Software PTY LTD, a shell company. Using artificial intelligence they fabricated a complete business identity, including a website, positive reviews, and customer metrics, and used it to pass the certificate authority's vetting and obtain an EV code-signing certificate. Everything they signed with it was then trusted by Windows and by users alike.
In other words, the certificate was issued to the scammers through the normal process rather than stolen or forged, so nothing about it looks anomalous to a signature check. Any malware they sign with it runs on Windows as software from a vetted publisher.
To verify an app’s certificate in Windows, simply right-click the executable file and navigate to Properties → Digital Signatures → Details → View Certificate.
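The Properties dialog shows one file at a time; the same checks can be scripted. The PowerShell below is an added example, not code from this article or from Microsoft, that reports who signed an executable, whether the certificate carries the CA/Browser Forum EV code-signing policy OID (2.23.140.1.3), whether the signature is timestamped, and whether the certificate is revoked today. The file path at the bottom is an assumed placeholder.

```powershell
# Added example, not from the original article. Reports who signed an executable and
# whether that certificate is EV and still unrevoked. The path passed in is a placeholder.
function Get-SignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $isEV        = $false
    $chainOk     = $null
    $chainErrors = @()
    if ($cert) {
        # EV code-signing certificates carry the CA/Browser Forum policy OID 2.23.140.1.3
        # inside the Certificate Policies extension (OID 2.5.29.32).
        $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' } | Select-Object -First 1
        if ($policies) { $isEV = $policies.Format($false) -match '2\.23\.140\.1\.3' }

        # Ask the CA (CRL/OCSP) whether the certificate is revoked *today*. A signature that
        # was timestamped before the revocation date can still report Status = Valid, which is
        # exactly why revoking the certificate does not neutralise already-signed malware.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk     = $chain.Build($cert)
        $chainErrors = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status                         # Valid, NotSigned, HashMismatch, NotTrusted ...
        Signer        = if ($cert) { $cert.Subject }    else { $null }
        Issuer        = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter }   else { $null }
        EVCodeSigning = $isEV
        Timestamped   = [bool]$sig.TimeStamperCertificate   # a timestamp lets a signature outlive revocation
        RevokedNow    = ($chainOk -eq $false)
        ChainErrors   = ($chainErrors -join '; ')
    }
}

# Usage: the path is a placeholder; point it at the executable you want to check.
Get-SignerReport -Path "$env:ProgramFiles\SomeVendor\app.exe" | Format-List
```

The Signer field is the part to read critically: a Status of Valid only means the file has not been altered since a certificate holder signed it. Whether that holder is a publisher you actually installed software from is a separate question, and it is the one this scam turns on.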

The situation escalated further when TrustConnect turned itself into a business serving other criminals. It adopted a MaaS model, selling subscriptions for as little as $300 per month, paid in cryptocurrency, to anyone who wanted to run their own phishing campaigns with the signed malware.
Targets receive emails carrying PDF files, meeting invitations, and other harmless-looking content that hide malicious links. The links typically lead to a page prompting the user to "update" an application such as Adobe Acrobat or Zoom; clicking "Update" installs the malware.
The executables, with names like adobereader.exe, trustconnectagent.exe, msteams.exe, zoomworkspace.clientsetup.exe, and invite.exe, run without any warning because they carry valid EV signatures. The malware then creates folders under Program Files and registers itself to launch at startup, just like a normal application, which makes it hard to spot even for experienced users.
Revocation of EV Certificate: A Limited Solution
One might assume that revoking the EV certificate would shut TrustConnect's operation down, but the reality is more complicated. Revocation stops the certificate from being used for new trusted signatures, but Authenticode signatures carry a trusted timestamp, and a binary that was signed and timestamped before the revocation date continues to verify unless the certificate authority backdates the revocation to before the first abuse. Revocation also only takes effect on a machine once it fetches the updated CRL or OCSP response.
As a result, malware that was signed before the revocation is still treated as legitimate by Windows, so users must take proactive steps to protect themselves. Enterprises are the primary targets, but individual users should not consider themselves immune.
Security researchers have also found that the group behind TrustConnect is already developing another variant, named DocConnect, that uses the same tactics.
Formatting: A Recommended Approach
Research shows that removing the malware is harder than it first appears. TrustConnect's malware installs several Remote Monitoring and Management (RMM) frameworks so that the attackers keep access even if one of them is found; removing a single framework therefore leaves the others in place.
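To see what such malware has persisted on a machine, the autostart locations have to be enumerated and each entry's signer inspected, because the binaries look signed and benign. The PowerShell below is an added example, not code from this article or from Microsoft's research: it walks the Run keys, services and scheduled tasks, resolves each entry to an executable, and flags anything that is validly signed but not by a publisher you expect. The publisher list is an assumed placeholder to adapt to your environment; it does not identify TrustConnect's specific RMM tools, which the article does not name.

```powershell
# Added example, not from the original article. Lists autostart entries with their
# Authenticode signer and flags signed binaries from publishers you did not expect.
# The default publisher list is a placeholder; replace it with the vendors you actually use.
function Get-AutostartSigners {
    param(
        [string[]]$TrustedPublishers = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )

    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\agent.exe" --service   or   C:\Windows\system32\svchost.exe -k netsvcs
    function Resolve-ExePath([string]$CommandLine) {
        if (-not $CommandLine) { return $null }
        $m = [regex]::Match($CommandLine, '^\s*"?([^"]+?\.exe)"?(\s|$)', 'IgnoreCase')
        if ($m.Success) { return [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) }
        return $null
    }

    $entries = @()

    # 1. Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # 2. Services (RMM agents are normally installed as services)
    foreach ($svc in Get-CimInstance Win32_Service) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }

    # 3. Scheduled tasks with an executable action
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                $entries += [pscustomobject]@{ Source  = "Task $($task.TaskPath)"; Name = $task.TaskName
                                               Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }

    foreach ($e in $entries) {
        $exe = Resolve-ExePath $e.Command
        if (-not $exe -or -not (Test-Path $exe)) { continue }
        $sig     = Get-AuthenticodeSignature -FilePath $exe
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $expected = $false
        foreach ($tp in $TrustedPublishers) { if ($subject -like "$tp*") { $expected = $true } }
        [pscustomobject]@{
            Source      = $e.Source
            Name        = $e.Name
            Path        = $exe
            Status      = $sig.Status
            Signer      = $subject
            Timestamped = [bool]$sig.TimeStamperCertificate
            Flag        = if ($sig.Status -eq 'Valid' -and -not $expected) { 'SIGNED-BY-UNEXPECTED-PUBLISHER' }
                          elseif ($sig.Status -ne 'Valid') { 'UNSIGNED-OR-INVALID' }
                          else { '' }
        }
    }
}

# Usage: review every flagged row, especially entries under Program Files that you did not install.
Get-AutostartSigners | Where-Object Flag | Format-Table -AutoSize
```

Run it from an elevated prompt so that HKLM and all services are readable. A clean result is not proof of a clean machine, since persistence can live elsewhere, which is why the advice below is to rebuild rather than to clean.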
For those affected, wiping the machine and reinstalling Windows is the most reliable way to be sure the malware is gone. Back up your files first, and once Windows is reinstalled, run a thorough antivirus scan over the backup before restoring it. Because the malware installs itself as an application rather than attaching to documents, your personal files are unlikely to carry it, but scan them anyway. Since the RMM tools gave the attackers remote access to the machine, also treat any passwords and logged-in sessions used on it as exposed and change them after the rebuild.

In business environments, IT administrators should stop users from installing or updating software on their own, for example with AppLocker or Windows Defender Application Control rules that allow only the specific publishers the organization actually uses. A check that asks only whether a signature is valid would have passed TrustConnect's binaries.
Caution Regarding App Updates from Links
TrustConnect is not alone in using fake app updates to install malware. What set it apart was a valid EV certificate, which made its activity harder for security tools, and for users, to distinguish from a real update.
If you find yourself clicking on a link from a seemingly trustworthy source that prompts an app update, cease immediately. Refrain from proceeding with the update.
Instead, open the application independently and check for updates through its settings or help menu. For apps originally downloaded from the Microsoft Store, updates should also be obtained through the Store directly.
If the app reports no update, the link was not a genuine update prompt. Even when an update does exist, install it from the app or the Store, never from the link. Because update mechanisms change over time, it is also wise to install new applications in a sandbox first and assess them there before putting them on your main system.
Critical Thinking for Unexpected Links
The prevalence of phishing scams is unlikely to diminish. One of the most effective protective measures is to question unexpected links before engaging with them. Recently, I received an email that appeared to offer a car insurance rate survey. Despite the sender’s authenticity, I opted to navigate directly to my insurer’s website rather than clicking the link. It turned out to be a phishing attempt.
If you are uncertain about a link’s legitimacy, do not click. For any work-related communications, reach out to the supposed sender separately to verify. Prioritize safety over curiosity, and avoid replying to messages, as this merely engages the scammer and increases your risk.
With new phishing schemes emerging daily, and even infiltrating platforms like LinkedIn, it’s essential to stay informed and vigilant. While Malware as a Service presents a new layer of complexity, awareness and caution can empower users to elude these scams.