2022-04-18

One of the most talked-about features to arrive with Windows 11 was the ability to install Android apps on the system. At Genbeta we have covered on several occasions how to do it, including how to install the Google Play Store for a more extensive catalog.

Among the methods for installing the store, one emerged a few months ago on GitHub: Windows Toolbox. This tool offered to remove Windows 11 bloatware, activate Office and Windows, and even install the Google Play Store on the Windows Subsystem for Android. Nevertheless, hidden among all those functions there was also malware.

Windows Toolbox was actually a Trojan running malicious code

The tool became tremendously popular, but it was not until a few days ago that some GitHub users discovered the malicious code included in it. Windows Toolbox was in fact a Trojan that ran malicious PowerShell scripts. This code communicated with Cloudflare Workers to run commands and download files onto the affected computers.

Image: Bleeping Computer

Fetching the malicious code from Cloudflare Workers rather than shipping it with the tool was a smart move: since the tool itself was distributed via GitHub, anyone reviewing the published repository would not see the payload, which made it harder to detect. Windows Toolbox does what it claims to do, but by decoding some lines of its code it has been possible to discover the tool's true purpose.

Some of the Cloudflare Workers scripts are inaccessible, but a closer look at the tool revealed that it created numerous scheduled tasks in Windows, which set some system variables or killed other processes such as the Chrome, Edge or Brave browsers.

How to remove the tool from your computer

The tool also created a directory called ‘C:\systemfile‘ and copied the Chrome, Edge and Brave profiles (which hold saved passwords and session cookies) into that folder. Additionally, the tool installed a browser extension that ran a script to communicate with Cloudflare Workers. Along with it, when users opened WhatsApp Web, it redirected them to ‘make money’ scam URLs and other similar websites.

If you have ever used the tool and fear that you have been infected, check whether the folder ‘C:\systemfile‘ has been created and whether processes like the ones Bleeping Computer lists in their article are running. If so, kill the processes and delete the folder, as well as the generated Python files ‘C:\Windows\security\pywinvera‘ and ‘C:\Windows\security\pywinveraa‘ and the file ‘C:\Windows\security\winver.png‘. Since the tool also installed a browser extension, review the extensions installed in Chrome, Edge and Brave while you are at it.
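The following PowerShell script is an added example to automate the check described above; it is not code from the article, from Bleeping Computer, or from Windows Toolbox itself. It only knows the paths the article names, so it goes slightly beyond the text by also flagging (and, if asked, removing) scheduled tasks and running processes whose command line references one of those paths; that matching rule and the `$Remove` switch are this example's own assumptions, and a scheduled-task hit should be inspected before being treated as proof. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or from Windows Toolbox): look for the
# indicators the article lists and optionally remove them. Run elevated.
# Assumption: malicious tasks and processes reference one of the listed paths
# in their command line; the article names neither tasks nor process names.

$Remove = $false   # set to $true to act on the findings instead of only reporting

# Paths named in the article (Windows paths are case-insensitive).
$indicators = @(
    'C:\systemfile',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa',
    'C:\Windows\security\winver.png'
)

$hitPaths = @()
$hitTasks = @()
$hitProcs = @()

# 1. Files and folders dropped by the tool.
foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        $created = (Get-Item -LiteralPath $path -Force).CreationTime
        Write-Output "PATH     $path (created $created)"
        $hitPaths += $path
    }
}

# 2. Scheduled tasks whose action runs or references an indicator path.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($path in $indicators) {
            if ($cmd -like "*$path*") {
                Write-Output "TASK     $($task.TaskPath)$($task.TaskName): $cmd"
                $hitTasks += $task
                break
            }
        }
    }
}

# 3. Running processes whose command line references an indicator path
#    (catches e.g. a python.exe started with a script under C:\Windows\security).
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    foreach ($path in $indicators) {
        if ($proc.CommandLine -and $proc.CommandLine -like "*$path*") {
            Write-Output "PROCESS  $($proc.Name) (PID $($proc.ProcessId)): $($proc.CommandLine)"
            $hitProcs += $proc
            break
        }
    }
}

if (($hitPaths.Count + $hitTasks.Count + $hitProcs.Count) -eq 0) {
    Write-Output 'None of the indicators from the article were found.'
    return
}

if ($Remove) {
    # Order matters: stop the processes and the tasks that would relaunch them,
    # then delete the files they ran from.
    foreach ($proc in $hitProcs) {
        Stop-Process -Id $proc.ProcessId -Force -ErrorAction SilentlyContinue
    }
    foreach ($task in $hitTasks) {
        Unregister-ScheduledTask -InputObject $task -Confirm:$false
    }
    foreach ($path in $hitPaths) {
        Remove-Item -LiteralPath $path -Recurse -Force
    }
    Write-Output 'Removal done. Also review the extensions installed in Chrome, Edge and Brave.'
}
```

Leave `$Remove` at `$false` on the first run and read the report: the path hits are the article's own indicators, while a task or process hit only means its command line mentions one of those paths, so confirm it before deleting. The browser extension the article mentions has no identifier on the page, so it cannot be matched automatically and has to be checked by hand in each browser's extensions page.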