A popular Windows 11 ToolBox script that was used to add the Google Play Store to the Android subsystem has secretly infected users with malicious scripts, Chrome extensions, and potentially other malware.
When Windows 11 was released in October, Microsoft announced that it would allow users to run built-in Android apps directly from Windows.
This feature was exciting for many users, but when the preview of Android for Windows 11 was released in February, many were disappointed that they could not use it with Google Play and got stuck with apps from the Amazon App Store.
While there were ways to use ADB to sideload Android apps, users started looking for methods that let them add Google Play Store to Windows 11.
Around that time, someone released a new tool called Windows Toolbox on GitHub with a host of features, including the ability to debloat Windows 11, activate Microsoft Office and Windows, and install the Google Play Store for the Android subsystem.
Once technical sites discovered the script, it was quickly promoted and installed by many.
But unknown to anyone until this week, Windows Toolbox was actually a Trojan that executed a series of obfuscated, malicious PowerShell scripts to install a Trojan clicker and possibly other malware on devices.
Abuse of Cloudflare workers to install malware
Over the past week, various users shared the discovery that the Windows Toolbox script was a front for a very clever malware attack, which nonetheless led to a surprisingly low-quality malware infection.
While the Windows Toolbox script performed all the functions described on GitHub, it also contained obfuscated PowerShell code that would download various scripts from Cloudflare Workers and use them to execute commands and download files on an infected device.
To run Windows Toolbox, the developer asked users to execute the following command, which loads a PowerShell script from a Cloudflare worker hosted at http://ps.microsoft-toolbox.workers.dev/.
The use of Cloudflare Workers to host the malicious scripts was clever, as it allowed the threat actors to modify the scripts as needed and rely on a platform that is not commonly used to distribute malware, making the activity less likely to be detected.
The script looks like it does what is advertised, with features to debloat Windows 11, disable telemetry, repair the Your Phone app, configure power profiles, and so on.
On lines 762 and 2,357 of the script, however, there is obfuscated code that, at first glance, does not appear to pose any risk.
But when it is deobfuscated, it resolves to PowerShell code [Stage 1, Stage 2, Stage 3] that loads malicious scripts from Cloudflare Workers and files from the https://github.com/alexrybak0444/ GitHub repository.
This repository contains several files, including a renamed Python distribution, a 7-Zip executable, curl, and various batch files.
Unfortunately, some of the scripts hosted on Cloudflare required special headers to be sent before they could be accessed, or they are simply no longer available, making it difficult to analyze exactly what this mess of PowerShell scripts, batch files, and binaries did on an infected device.
What we do know is that the malicious scripts targeted only US users and created several scheduled tasks with the following names:
Microsoft\Windows\AppID\VerifiedCert
Microsoft\Windows\Application Experience\Maintenance
Microsoft\Windows\Services\CertPathCheck
Microsoft\Windows\Services\CertPathw
Microsoft\Windows\Servicing\ComponentCleanup
Microsoft\Windows\Servicing\ServiceCleanup
Microsoft\Windows\Shell\ObjectTask
Microsoft\Windows\Clip\ServiceCleanup
These scheduled tasks are used to configure various variables, create other scripts to be run by the tasks, and kill processes such as chrome.exe, msedge.exe, brave.exe, powershell.exe, python.exe, pythonw.exe, cdriver.exe and mdriver.exe.
The scripts also created a hidden C:\systemfile folder and copied the default Chrome, Edge, and Brave profiles into it.
The PowerShell scripts then created a Chromium extension in this directory that loads a script from https://cdn2.alexrybak0555.workers.dev/ whenever the browser is launched.
This script appears to be the most important malicious component of this attack, and while it uploads geographic location information about the victim, its malicious behavior is, oddly enough, only used to generate revenue by redirecting users to affiliate and referral URLs.
When users visit whatsapp.com, the script redirects them to one of the following URLs, chosen at random, which lead to "monetize" scams, browser notification scams, and unwanted software promotions:
https://tei.ai/hacky-file-explorer
https://tei.ai/pubg-for-low-spec-pc
https://tei.ai/get-free-buck
https://tei.ai/win-free-digital-license
https://tei.ai/make-money-online-right-now
https://tei.ai/make-money-online-35-way
https://tei.ai/9qmcSfB
https://tei.ai/GCShsSr
https://tei.ai/wCJ88s
The impact of the payload delivered by this intricate clutter of scripts is so small that it almost feels like something is missing.
This may well be the case, as one of the scheduled tasks executes code from autobat.alexrybak0444.workers.dev, which may contain further malicious behavior. However, that script was not archived and is no longer available.
For those who have previously run this script and are concerned that they may be infected, check for the scheduled tasks listed above and for the C:\systemfile folder.
If these are present, delete the associated tasks, the C:\systemfile folder, and the Python files installed as C:\Windows\security\pywinvera, C:\Windows\security\pywinveraa and C:\Windows\security\winver.png.
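A host check for the artifacts named above, added here as an example and not code from the article or from the toolbox itself. It assumes the task names and file paths exactly as the article lists them, runs from an elevated PowerShell prompt, and only reports what it finds so that each task's actual action can be reviewed before anything is deleted:

```powershell
# Added example: report the Windows Toolbox artifacts the article describes.
# Task names and paths below are taken from the article; nothing is removed.
$tasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Servicing\ServiceCleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)
$paths = @(
    'C:\systemfile',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa',
    'C:\Windows\security\winver.png'
)

$findings = @()
foreach ($t in $tasks) {
    # Get-ScheduledTask wants the folder as "\Microsoft\...\" and the name separately.
    $name = Split-Path -Path $t -Leaf
    $folder = '\' + (Split-Path -Path $t -Parent) + '\'
    $task = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        # Record what the task runs: a built-in task with a similar name should
        # point at a Windows binary, not at a script under C:\systemfile or a
        # renamed Python under C:\Windows\security.
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += "Scheduled task present: $t -> $actions"
    }
}
foreach ($p in $paths) {
    # Test-Path also finds hidden folders such as C:\systemfile.
    if (Test-Path -LiteralPath $p) { $findings += "File or folder present: $p" }
}

if ($findings.Count -eq 0) {
    'No Windows Toolbox artifacts found.'
} else {
    $findings
}
```

If the check reports hits, the corresponding tasks can then be removed with Unregister-ScheduledTask and the listed files deleted, as the article advises.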