Fake DirectX12 download site installs crypto-stealing malware



It seems malware operators have found a new way to trick users into installing their software, and unfortunately, Google is helping.

Security researcher Oliver Hough discovered that hackers have created a fake DirectX 12 download site, which looks fully legitimate, complete with a security certificate, privacy policy, disclaimer, DMCA policy and more, but which instead pushes malware that scans your PC for private information.


That information includes items such as a screenshot of your desktop, your PC details, cookies and, importantly, any cryptocurrency wallets you may have, with the malware searching for Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Atomic, and Monero.

The information is then saved in a temporary directory and uploaded to the hacker’s network.

The approach is part of a new wave of hackers using faked but legitimate-looking download pages; we recently reported on hackers faking Microsoft Store pages and Spotify download pages. Other download pages which have been cloned include those for ProtonVPN, Windows system cleaners, and BleachBit.

Hackers have been using hacked websites to link to their fake pages, increasing the page’s Google Search Rank and tricking more users into clicking on their fake download links.

It is therefore increasingly important that users be more vigilant when searching for software to download, even when simply typing “Spotify download” into Google, for example. Carefully check a page’s credentials and URL before downloading, and do not assume the first link will be the legitimate one.

BleepingComputer notes that ideally, users should stick to the app store built into their PCs, though we have seen even these services being used to push malware.
