
Powershell Windows Toolbox that helps install Google Play on Windows 11 is malware

王林
2023-04-13 19:13:06

A third-party tool used, among other things, to install the Google Play Store on Windows 11 has been found to be malicious. One of Neowin's readers, Eli, appears to have fallen victim to it after using it to install the Play Store.

The tool, called "Powershell Windows Toolbox," was hosted on GitHub. GitHub user LinuxUserGD noticed that the underlying code was obscured and contained malicious code, and user SuchByte later opened an issue about it on the tool's repository. The Powershell Windows Toolbox has since been removed from GitHub.

Here’s everything the tool claims to do:

(image: the feature list from the tool's README, not reproduced in text)

First, the software uses a Cloudflare Worker to load its script. In the "How to use" section, the developers instruct users to run the following command on the command line:

(image: the install command from the tool's "How to use" section, not reproduced in text)

While the loaded script does what the feature list describes, it was also found to contain obfuscated code. Deobfuscating it revealed PowerShell code that loaded further malicious scripts from the Cloudflare Worker and files from the GitHub repository of user alexrybak0444, a possible threat actor or one of several. These were also reported and removed (an archived version was available at the time of writing).

(image: the deobfuscated PowerShell loader code, not reproduced in text)

After this, the script ultimately creates a Chromium extension, which is believed to be the main malicious component of the campaign. The payload appears to consist of links or URLs that generate revenue through affiliate and referral programs by promoting certain software or a money-making scheme, distributed through Facebook and WhatsApp messages.

If you have the Powershell Windows Toolbox installed on your system, remove the following components that the tool creates during an infection:

  • Microsoft\Windows\AppID\VerifiedCert
  • Microsoft\Windows\Application Experience\Maintenance
  • Microsoft\Windows\Services\CertPathCheck
  • Microsoft\Windows\Services\CertPathw
  • Microsoft\Windows\Servicing\ComponentCleanup
  • Microsoft\Windows\Service\Service Cleanup
  • Microsoft\Windows\Shell\ObjectTask
  • Microsoft\Windows\Clip\ServiceCleanup

Also delete the hidden "C:\systemfile" folder that the malicious script creates during the infection. If you perform a System Restore, make sure to use a restore point that was not created by the Powershell Windows Toolbox itself, since restoring to one of its own restore points will not remove the malware from the system.
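The cleanup above can be checked and carried out from an elevated PowerShell session. The script below is an added example written for this article, not code from the article or the tool; it assumes the listed paths are Task Scheduler library paths (folder\task name), reports what it finds first, and only removes anything when run with the -Remove switch.

```powershell
# Added example: audit (and optionally remove) the artifacts the article
# attributes to the Powershell Windows Toolbox. Run from an elevated PowerShell.
# Assumption: the article's paths are Task Scheduler library paths.
[CmdletBinding()]
param([switch]$Remove)

# Task paths exactly as listed in the article (article-specific values).
$suspectTasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Service\Service Cleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)
$suspectFolder = 'C:\systemfile'   # hidden folder named in the article

$findings = @()
foreach ($entry in $suspectTasks) {
    # Split "folder\name" into the scheduler folder (\...\) and the task name.
    # Only these exact names are matched, so legitimate Windows tasks living in
    # the same folders (e.g. under \Microsoft\Windows\Servicing\) are untouched.
    $taskName = Split-Path -Leaf $entry
    $taskPath = '\' + (Split-Path -Parent $entry) + '\'
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if ($null -eq $task) { continue }
    # Record what the task runs, so the reviewer can confirm it before removal.
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Path = "$taskPath$taskName"; Detail = $actions }
    if ($Remove) { Unregister-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Confirm:$false }
}

# Directory.Exists ignores the Hidden attribute; -Force is needed to read/remove it.
if ([System.IO.Directory]::Exists($suspectFolder)) {
    $item = Get-Item -LiteralPath $suspectFolder -Force
    $findings += [pscustomobject]@{ Type = 'Folder'; Path = $suspectFolder; Detail = "Attributes: $($item.Attributes)" }
    if ($Remove) { Remove-Item -LiteralPath $suspectFolder -Recurse -Force }
}

if ($findings.Count -eq 0) { Write-Output 'No Powershell Windows Toolbox artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Review the reported task actions before re-running with -Remove; the script does not touch restore points, so the caveat about choosing a restore point still applies.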

Statement:
This article is reproduced from yundongfang.com. If there is any infringement, please contact admin@php.cn for deletion.