Fake Blue Screen of Death

Cyble Research and Intelligence Labs recently uncovered a fraudulent adult website that is designed to trick unsuspecting users into visiting it. Once a user visits this adult site, a harmful executable file is automatically downloaded onto their device, putting their privacy and security at risk.

The malicious executable file in question has been cleverly disguised to look like a harmless video file. This was done by using the icon of the popular VLC media player, which is a widely recognized and trusted program for playing multimedia content. 


However, upon closer inspection, it becomes clear that the file is not a legitimate video, but rather a dangerous program. Upon execution of the harmful executable file, the victim’s computer screen will undergo some changes. 

Firstly, the cursor will disappear, making it difficult for the user to navigate and interact with their device. Additionally, a fake pop-up window will appear, designed to look like a legitimate notification from the system. 

The pop-up will blend in with the background, making it hard to detect, and will likely contain false information or instructions.

The deceptive pop-up window that appears on the victim’s device has been designed to imitate an error screen that many Windows users are familiar with: the Blue Screen of Death (BSOD).

BSOD Messages to Trick Victims

This error screen is displayed on Windows-based computers when a system error occurs, causing the computer to crash and displaying a blue screen with an error message. 

Unscrupulous tech scammers have been known to employ a sneaky tactic involving fake BSOD screens in order to deceive and exploit unsuspecting computer users. 

These scammers will display a bogus BSOD screen, leading the user to believe that their device has been infected with a virus or malware, and then offer to provide a solution for a fee. 

In reality, these scammers have no intention of solving any problems and are instead attempting to extract money from their victims through dishonest means.

Once the fraudulent BSOD screen is displayed, the user is presented with a message that strongly advises them to contact a specific phone number for technical support. 

Those who call the number are connected with the very scammers who created the fake BSOD screen in the first place, who then persuade the victim to pay an unnecessary fee for unwanted support or service.

A recent discovery made by Cyble Research and Intelligence Labs has uncovered a fraudulent website that is engaging in phishing activities. 

This website, which can be accessed at hxxps[:]//mydoc.hsc-lb[.]net/, has been found to be spreading a tech spam executable that poses a significant risk to users who unknowingly download it.

Visiting the website poses a serious threat to users as it has been found to automatically initiate the download of a dangerous executable file.

This is achieved through a redirect process that sends the user to the address hxxps[:]//mydoc.hsc-lb[.]net/milf-pornvideo-pornhubhdviideos[.]exe without their knowledge.

In order to carry out their nefarious activities, scammers often exploit the automatic download feature that is available through many popular web browsers.

The executable file that is downloaded from the aforementioned website is a 32-bit .NET binary that is specifically designed to target users of Windows operating systems.

When the 32-bit .NET binary is executed, it creates a new Windows Form with the default name “Form1”. The background image of this form is then retrieved from the resource directory with the help of the following method:

  • Resources.ResourceManager.GetObject

The binary then uses the “Screen.PrimaryScreen.Bounds” property to fill the entire screen with the fake Blue Screen of Death (BSOD) image.

At this stage, the binary creates a SoundPlayer object. This object is assigned the identifier “soundPlayer” and is linked to an audio file named “backgroundmusic.”

The audio file itself is stored in the resources directory of the executable file. When the audio message is played, it informs the user that their computer has been locked due to suspicious activity or a virus infection. 

The message strongly advises the user to take immediate action by calling a designated support number. Scammers employ a wide range of tactics to trick unsuspecting users. 

Among these tactics is the use of fraudulent pop-ups or notifications, which are designed to mislead users into believing that they are experiencing a critical problem with their device.
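A static triage check for the traits described above, as an added example that is not from Cyble's report or this article: it confirms that a file is a 32-bit .NET PE and looks for the API and resource names the analysis mentions. The `get_` accessor names, the rule that all four groups must be present, and the `build_sample` helper with its constructed input are assumptions made for illustration.

```python
import struct

# Names from the behaviour described above. The get_ accessor names are an
# assumption about how Screen.PrimaryScreen.Bounds appears in .NET metadata.
INDICATORS = {
    "fullscreen_form": ("get_PrimaryScreen", "get_Bounds"),
    "resource_image": ("ResourceManager", "GetObject"),
    "audio_playback": ("SoundPlayer",),
    "audio_resource": ("backgroundmusic",),
}

def is_pe32_dotnet(data: bytes) -> bool:
    """True for a 32-bit PE whose CLR header data directory is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    opt = pe + 24                      # PE signature (4) + COFF header (20)
    if len(data) < opt + 216 or data[pe:pe + 4] != b"PE\0\0":
        return False
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:  # PE32 magic
        return False
    rva, size = struct.unpack_from("<II", data, opt + 96 + 14 * 8)
    return rva != 0 and size != 0

def contains(data: bytes, name: str) -> bool:
    """Match metadata names (ASCII/UTF-8) and user strings (UTF-16LE)."""
    return name.encode("ascii") in data or name.encode("utf-16-le") in data

def triage(data: bytes) -> dict:
    # A group counts only when every name in it is present.
    hits = [group for group, names in INDICATORS.items()
            if all(contains(data, n) for n in names)]
    dotnet = is_pe32_dotnet(data)
    return {"dotnet_pe32": dotnet, "hits": hits,
            "match": dotnet and len(hits) == len(INDICATORS)}

def build_sample(strings_ascii=(), strings_utf16=()) -> bytes:
    """Constructed test input: minimal PE32 header with a CLR directory entry."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)
    body = b"\0".join(s.encode("ascii") for s in strings_ascii)
    body += b"\0" + b"".join(s.encode("utf-16-le") for s in strings_utf16)
    return dos + coff + bytes(opt) + body
```

To check a real file, pass its bytes to `triage`; a match is a reason to look closer, not a verdict, since ordinary WinForms applications use the same APIs.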


The security experts offer the following recommendations:

  • Do not click on links that appear suspicious.
  • Make sure you do not download files from unknown sources.
  • Configure your browser settings to prompt for confirmation before downloads, or to block them altogether.
  • Technical support or services offered via unsolicited messages or calls should be avoided.
  • Make sure antivirus software is up-to-date on the system.
  • Ensure that your operating system and software are regularly updated.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.