New tech support scam launches communication or phone call app

Microsoft Malware Protection Center - Mon, 11/20/2017 - 8:59am

A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to call a fake tech support scam hotline.


Figure 1. Tech support scam page launching the default communication app with the fake hotline number 001-844-441-4490 ready to be dialed

Most tech support scams rely on social engineering: They use fake error messages to trick users into calling hotlines and paying for unnecessary tech support services that supposedly fix contrived device, platform, or software problems.

To create the impression of a “problem”, tech support scam websites attempt to lock the browser. Some do this using pop-up or dialog loops—they embed malicious code in web pages that cause browsers to continuously display alerts. When the user dismisses an alert, the malicious code invokes another one, essentially locking the browser session.

Most browsers, including Microsoft Edge and Internet Explorer, have released a solution for this behavior, allowing users to stop websites from serving dialog pop-ups. Browsers now can also be closed even with an active dialog box.

Figure 2. Microsoft Edge prompting the user to stop a pop-up dialog loop

This streamlined tech support scam forgoes the use of dialog boxes and instead contains code that has a click-to-call link that it automatically clicks.

Figure 3. Click-to-call code in tech support scam website

When clicked, the link opens the default communication or phone call app, prompting the user to call the fake technical support hotline already prepopulated in the app.

Tech support scam website targets Apple users

With click-to-call links, tech support scams do not have to be as elaborate as many current tech support scam websites. They don’t have to rely on scary messages or pose as legitimate error messages to convince victims to call the phone number.



Figure 4. Recent tech support scam websites

Instead, scam sites can be very simple, with just a fake hotline number and a simple message like “We’re here to help”, as is used by the actual scam page below.

Figure 5. Tech support scam website before the communication app is launched

Although the page is simple, the scam is aided by an audio file that automatically plays as the website is displayed. This is a common technique used by the Techbrolo family of support scam script malware. The audio message in this new tech support scam website says:

Critical alert from Apple support. Your mac has alerted us that your system is infected with viruses, spywares, and pornwares. These viruses are sending your credit card details, Facebook logins, and personal emails to hackers remotely. Please call us immediately on the toll-free number listed so that our support engineers can walk you through the removal process over the phone. If you close this window before calling us, we will be forced to disable and suspend your Mac device to prevent further damage to our network. Error number 268D3.

Click-to-call optimized for mobile phones

The audio message is characteristic of tech support scams in its use of scare tactics. However, this technique seems to be optimized for mobile phones. The website uses responsive design, and the click-to-call can directly launch the phone function on smart phones.

Figure 6. Tech support scam website launches the phone call app on a mobile phone

This goes to show that the threat of tech support scams affects users of various platforms, devices, and software.

Tech support scam template

Tech support scams heavily use templates so that they can reuse websites to launch campaigns using multiple hotline numbers. Based on our tracking of tech support scams campaigns and methods, we know that scammers frequently change the phone numbers they use. In the August-September timeframe, for example, 33% of tech support scam numbers were used in campaigns that lasted less than a day.

The hotline number on a tech support scam template can be altered simply by swapping out the phone number set as parameter in the URL. The phone number in the URL is displayed in the fake error message on the page and/or the dialog boxes. Most tech support scam templates we’ve seen have a default phone number that is displayed when there is no phone number in the parameter.

Figure 7. A sample tech support scam template used with several phone numbers, including 08081011552, 1800-235-661, 1-833-336-8633, and 1-866-389-1479, among others

The new tech support scam website also uses this method. However, unlike other scam sites, it doesn’t have a default number.

Figure 8. The tech support scam with click-to-call link with no phone number

As of this writing, we’re not seeing widespread campaigns using this new and emerging tech support scam technique. But because the website accepts URL parameters, we can assume it is being sold as a service in the cybercriminal underground. We did find that the website doesn’t validate the parameters, so technically any number can be passed as the phone number, and it can be automatically used by this tech support scam site.

Microsoft solutions for tech support scams

We have been tracking tech support scams, and the click-to-call technique is just the latest innovation from scammers. Unfortunately, this is probably not the last we’ve seen of these threats.

However, at the core, tech support scams are a social engineering attack. Legitimate error and warning messages don’t include a phone number. On the other hand, legitimate technical support websites don’t use scary error messages to convince users to call. In this example, users can avoid being scammed simply by not proceeding with the call. In general, if a site automatically launches your calling app, it is likely malicious. Don’t press Send—you might end up being charged for calls or you might fall victim to a bigger scam once you talk to the criminals behind the scam site.

To help Windows 10 users stay safe from tech support scams, Microsoft Edge blocks tech support scam websites. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block tech support scams and other malicious websites, including phishing sites and sites that host malicious downloads.

Windows Defender Antivirus detects and blocks tech support scam malware and other threats. It leverages protection from the cloud, helping ensure customers are protected from the latest threats in real-time.



Jonathan San Jose
Windows Defender Research team




Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

Categories: Microsoft

#AVGater vulnerability does not affect Windows Defender Antivirus

Microsoft Malware Protection Center - Tue, 11/14/2017 - 12:31am

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus is not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Windows Defender Antivirus has never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center


Categories: Microsoft

Detecting reflective DLL loading with Windows Defender ATP

Microsoft Malware Protection Center - Mon, 11/13/2017 - 8:54am

Today's attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic cross-process migration or advanced techniques like atom bombing and process hollowing to avoid detection.

Reflective Dynamic-Link Library (DLL) loading, which can load a DLL into a process memory without using the Windows loader, is another method used by attackers.

In-memory DLL loading was first described in 2004 by Skape and JT, who illustrated how one can patch the Windows loader to load DLLs from memory instead of from disk. In 2008, Stephen Fewer of Harmony Security introduced the reflective DLL loading process that loads a DLL into a process without being registered with the process. Modern attacks now use this technique to avoid detection.

Reflective DLL loading isn’t trivial—it requires writing the DLL into memory and then resolving its imports and/or relocating it. To reflectively load DLLs, one needs to author one’s own custom loader.

However, attackers are still motivated to not use the Windows loader, as most legitimate applications would, for two reasons:

  1. Unlike when using the Windows loader (which is invoked by calling the LoadLibrary function), reflectively loading a DLL doesn’t require the DLL to reside on disk. As such, an attacker can exploit a process, map the DLL into memory, and then reflectively load DLL without first saving on the disk.
  2. Because it’s not saved on the disk, a library that is loaded this way may not be readily visible without forensic analysis (e.g., inspecting whether executable memory has content resembling executable code).
Instrumentation and detection

A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading.

In Windows 10 Creators Update, we instrumented function calls related to procuring executable memory, namely VirtualAlloc and VirtualProtect, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP). Based on this instrumentation, we’ve built a model that detects reflective DLL loading in a broad range of high-risk processes, for example, browsers and productivity software.

The model takes a two-pronged approach, as illustrated in Figure 1:

  1. First, the model learns about the normal allocations of a process. As a simplified example, we observe that a process like Winword.exe allocates page-aligned executable memory of size 4,000 and particular execution characteristics. Only a select few threads within the Winword process allocate memory in this way.
  2. Second, we find that a process associated with malicious activity (e.g., executing a malicious macro or exploit) allocates executable memory that deviates from the normal behavior.

Figure 1. Memory allocations observed by a process running normally vs. allocations observed during malicious activity

This model shows that we can use memory events as the primary signal for detecting reflective DLL loading. In our real model, we incorporate a broad set of other features, such as allocation size, allocation history, thread information, allocation flags, etc. We also consider the fact that application behavior varies greatly because of other factors like plugins, so we add other behavioral signals like network connection behavior to increase the effectiveness of our detection.

Detecting reflective DLL Loading

Let’s show how Windows Defender ATP can detect reflective DLL loading used with a common technique in modern threats: social engineering. In this attack, the target victim opens a Microsoft Word document from a file share. The victim is tricked into running a macro like the code shown in Figure 2. (Note: A variety of mechanisms allow customers to mitigate this kind attack at the onset; in addition, several upcoming Office security features further protect from this attack.)

Figure 2. Malicious macro

When the macro code runs, the Microsoft Word process reaches out to the command-and-control (C&C) server specified by the attacker, and receives the content of the DLL to be reflectively loaded. Once the DLL is reflectively loaded, it connects to the C&C and provides command line access to the victim machine.

Note that the DLL is not part of the original document and does not ever touch the disk. Other than the initial document with the small macro snippet, the rest of the attack happens in memory. Memory forensics reveals that there are several larger RWX sections mapped into the Microsoft Word process without a corresponding DLL, as shown in Figure 3. These are the memory sections where the reflectively loaded DLL resides.

Figure 3. Large RWX memory sections in Microsoft Word process upon opening malicious document and executing malicious macro

Windows Defender ATP identifies the memory allocations as abnormal and raises an alert, as shown in Figure 4. As you can see (Figure 4), Windows Defender ATP provides context on the document, along with information on command-and-control communication, which can allow security operations personnel to assess the scope of the attack and start containing the breach.

Figure 4. Example alert on WDATP

Microsoft Office 365 Advanced Threat Protection protects customers against similar attacks dynamic behavior matching. In attacks like this, SecOps personnel would see an Office 365 ATP behavioral detection like that shown in Figure 5 in Office 365’s Threat Explorer page.

Figure 5. Example Office 365 ATP detection

Conclusion: Windows Defender ATP uncovers in-memory attacks

Windows 10 continues to strengthen defense capabilities against the full range of modern attacks. In this blog post, we illustrated how Windows Defender ATP detects the reflective DLL loading technique. Security operations personnel can use the alerts in Windows Defender ATP to quickly identify and respond to attacks in corporate networks.

Windows Defender Advanced ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect the invariant techniques used in attacks. Enhanced instrumentation and detection capabilities in Windows Defender ATP can better expose covert attacks.

Windows Defender ATP also provides detailed event timelines and other contextual information that SecOps teams can use to understand attacks and quickly respond. The improved functionality in Windows Defender ATP enables them to isolate the victim machine and protect the rest of the network.

For more information about Windows Defender ATP, check out its features and capabilities and read about why a post-breach detection approach is a key component of any enterprise security strategy. Windows Defender ATP is built into the core of Windows 10 Enterprise and can be evaluated free of charge.


Christian Seifert

Windows Defender ATP Research


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

Categories: Microsoft

Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks

Microsoft Malware Protection Center - Mon, 11/06/2017 - 8:45am

The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today's threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to significant financial loss.

Qakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging.

Figure 1. Qakbot and Emotet monthly machine encounters show an upward trend. This data doesn’t include Qakbot and Emotet variants blocked by automation and cloud rules.

Even though these malware families are typically known to target individual online banking users, more and more enterprises, small and medium businesses, and other organizations have been affected by indiscriminate infections.

Figure 2. Breakdown of Qakbot and Emotet machine encounters

Recent variants of these malware families have spreading capabilities, which can increase the chances of multiple infections in corporate networks. They can also be spread by other malware during the lateral movement stage of a cyberattack.

Typical Qakbot and Emotet kill chain

Over the years, the cybercriminals behind Qakbot and Emotet have improved the code behind their malware. They have evolved to evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.

We mapped some of the common behaviors we’ve seen in Qakbot and Emotet variants and see a lot of similarities.

Figure 3. Qakbot and Emotet attack kill chain. Note that some Qakbot and Emotet variants might not exhibit all of the behaviors above and might be capable of unique routines.

Because of similarities in behavior, Qakbot and Emotet can be mitigated by similar security measures.

Steps to mitigate Qakbot and Emotet

Based on our experience helping organizations get rid of Qakbot and Emotet, the following steps mitigate infection and ultimately remove the said malware from corporate networks:

  1. Stop the spread of malware and cut off communication with its command-and-control server
    • Cut off Internet access or disconnect the affected machines from the network until they have been cleaned. Windows Defender Advanced Threat Protection customers can isolate affected machines with one click. You can also block infected machines at the edge firewall, unplug machines from the network, or create rules on Windows Defender Advanced Firewall (and push these out via Group Policy Objects (GPO)).
    • Stop sharing folders that show signs of infection or set shared folders to read-only. Removing admin shares is an option that should only be used as a last resort as this can cause other issues and hinder management
    • Practice credential hygiene. Remove unnecessary privileges, or disable privileged accounts that have been observed to spread malware using SMB.
  2. Prevent the malware from automatically running in affected machines
    • Lock down the Scheduled Tasks folder via GPO to prevent new tasks from being created. In GPO, go to Computer Config > Windows Settings > Security Settings > File System > Add File. Add the following:
      • %windir%\tasks
      • %windir%\system32\tasks

      For each one, in the configuration dialog box, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System, and then click OK.
      In the Add Object dialog box, click Replace existing permissions in all subkeys with inheritable permissions and click OK.
      (Note: When the crisis is over, you can revert this setting by restoring permissions and reapplying the group policy—removing the GPO will not restore original permissions.)

    • Disable autorun.
  3. Remove Qakbot, Emotet, and other related malware
  4. Monitor the network for possible reinfection
    • Determine and address the initial attack vector. Use security solutions like Windows Defender ATP, which provides detailed timelines and other contextual information to understand the nature of attacks and take response actions.
    • Slowly reintroduce network connectivity to the subset of the machines that have been cleaned. Monitor them for reinfection.
    • Reintroduce network connectivity to all affected machines that are believed to be clean.
    • Turn on real-time protection in your antivirus. In Windows 10, enable cloud-based protection and automatic sample submission in Windows Defender Antivirus. With these features enabled, Windows Defender Antivirus provides advanced real-time protection against never-before-seen threats.
Preventing Qakbot and Emotet infections with Windows 10

While the steps above can rid networks of Qakbot and Emotet, preventing infection eliminates opportunities for these threats to steal info. Windows 10 S is a streamlined platform with Microsoft-verified security. It blocks malware like Qakbot and Emotet and other malicious programs by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.

Additionally, Windows 10 has a comprehensive defense stack that can help block and detect malware like Qakbot and Emotet.

Use Microsoft Edge to block Qakbot and Emotet infections from the web. Microsoft Edge opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads. Its click-to-run feature for Flash can stop malware infections that begin with exploit kits. With Windows Defender Application Guard, Microsoft Edge has an additional hardware isolation-level capability on top of its exploit mitigation and sandbox features.

Block malicious emails carrying trojan droppers that install Qakbot and Emotet using Microsoft Exchange Online Protection (EOP), which has built-in anti-spam filtering capabilities that help protect Office 365 customers. Secure mailboxes against email attacks with Office 365 Advanced Threat Protection, which blocks unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. anti-spam filters also provide protection against malicious emails.

Use Credential Guard to protect domain credentials and help stop malware from spreading using compromised credentials.

Enable Windows Defender AV to detect Qakbot and Emotet variants, as well as all related malware such as droppers and downloaders. Windows Defender AV uses precise machine learning models as well as generic and heuristic techniques and enhanced behavior analysis to detect common and complex malware code. It provides advanced real-time protection against new and unknown files using the Windows Defender AV cloud protection service.

Use Windows Defender Advanced Threat Protection to flag Qakbot or Emotet infections and to enable security operations personnel to stop the spread of these threats in the network. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, command-and-control communication, and lateral movement. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to attacks.

These end-to-end security features in Windows 10 help defend against increasingly complex malware attacks. At Microsoft, we continue to harden Windows 10 against attacks. With Fall Creators Update, we shipped several new and enhanced security features that make Windows 10 the most secure version of Windows yet. Learn more about these features:

It is also important for organizations to augment these security technologies with a security-aware workforce. Educating employees on social engineering attacks and internet safety, and training them to report suspicious emails or websites can go a long way in protecting networks against cyberattacks.


Keith Abluton, Windows Escalation Services

Rodel Finones, Windows Defender Research


Indicators of compromise

The following are IOCs for recent Qakbot and Emotet variants:


Qakbot malware (SHA256):




%APPDATA%\Microsoft\<random folder name>\<random file name>, for example:


%APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx32.dll (configuration file)

Registry modifications:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: <random value name>

With data: "%APPDATA%\Microsoft\<random folder name>\<random file name>"

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>

Sets value: ImagePath

With data:  "%APPDATA%\Microsoft\<random folder name>\<random file name> /D"

Sets value: Type

With data: dword:00000010

Sets value: "Start"

With data: dword:00000002

Sets value: "DisplayName"

With data: "Remote Procedure Call (RPC) Service"

Sets value: "ErrorControl"

With data: dword:00000000

Sets value: "DependOnService"

With data: "Dnscache"

Sets value: "ObjectName"

With data: "LocalSystem"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: ctfmon.exe

With data: "%APPDATA%\Microsoft\<random folder name>\<random file name>" /c "%System Folder%\ctfmon.exe"

Command-and-control servers:


Emotet downloader (SHA256):


Emotet malware (SHA256):




%appdata%\roaming\microsoft\windows\start menu\programs\startup\[random].lnk


%localappdata%\microsoft\windows ex: C:\Windows\System32\netshedule.exe

Registry modifications:

In subkey: 'HKLM\SYSTEM\ControlSet001\services\netshedule' <Bug: 5667568  Type & Size>

Sets value: 'Type'

With data: '0x00000010'

In subkey: 'HKLM\SYSTEM\ControlSet001\services\netshedule' <Bug: 5667568  Type & Size>

Sets value: 'Start'

With data: '0x00000002'

In subkey: 'HKLM\SYSTEM\ControlSet001\services\netshedule' <Bug: 5667568  Type & Size>

Sets value: 'ErrorControl'

With data: '0x00000000'

In subkey: 'HKLM\SYSTEM\ControlSet001\services\netshedule' <Bug: 5667568  Type & Size>

Sets value: 'ImagePath'

With data: 'C:\Windows\system32\netshedule.exe'

In subkey: 'HKLM\SYSTEM\ControlSet001\services\netshedule' <Bug: 5667568  Type & Size>

Sets value: 'DisplayName'

With data: 'netshedule'

Command-and-control servers:


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

Categories: Microsoft