Fake Windows Support Sites Spread Info-Stealers via Error 0x80070643

Error 0x80070643 and Info-Stealers

Fake tech support websites have appeared online, offering solutions for common Windows errors such as error 0x80070643. These fraudulent sites infect devices with info-stealing malware.

The issue was first reported by experts from eSentire. According to the company, cybercriminals are using hacked YouTube channels to promote fake programs, making them appear legitimate. In particular, these fake videos advertise fixes for error 0x80070643, which millions of Windows users have encountered since January.

In January, Microsoft released a security update to address a BitLocker vulnerability (CVE-2024-20666). However, after installing the update, many users began receiving the 0x80070643 – ERROR_INSTALL_FAILURE message. The error was caused by insufficient space on the Windows Recovery Environment (WinRE) partition, which needed to be increased to 250 MB. Adjusting the WinRE partition is complex and not always possible, leaving many users with unresolved issues and constant update failures.

Frustrated users started searching for solutions online, which cybercriminals exploited by creating numerous fake tech support sites (such as pchelprwizzards[.]com, pchelprwizardsguide[.]com, fixguides[.]com, and others). These sites offer either a PowerShell script to copy and run or a Windows registry file to import. Either way, the PowerShell script ends up being executed and infects the device with an info-stealer.

Fake IT Support Sites Promoted in YouTube Videos

One such script, encoded in Base64, connects to a remote server to download another script that installs the Vidar malware on the device.

Malicious Script Disguised as a Windows Error Fix

After running the script, the user sees a message claiming the issue was fixed and is advised to restart the computer, which activates the malware. The FixedGuides site uses an obfuscated Windows registry file to hide an autorun entry that launches the malicious PowerShell script.
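As an added example (not code from the original article or from eSentire's report), the following Python triage script scans an exported .reg file for Run/RunOnce entries that launch PowerShell with an encoded command and decodes the Base64 payload so a responder can read it. The hex(2) handling assumes the obfuscation is a REG_EXPAND_SZ hex literal; the sample export, the `WindowsUpdateFix` value name and the placeholder command are constructed.

```python
import base64
import re

# Autorun keys to inspect (case-insensitive suffix match on the .reg section header).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Matches "-e", "-ec", "-enc", "-EncodedCommand" followed by Base64; "-ex"/"-ep" do not match.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

def reg_hex2(text: str) -> str:
    """Render a string as a .reg REG_EXPAND_SZ literal: hex(2):<UTF-16LE bytes>,00,00."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)

def parse_value(raw: str) -> str:
    """Turn a .reg value literal ("text" or hex(2):...) into a plain string."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def find_encoded_autoruns(reg_text: str) -> list:
    """Return Run/RunOnce entries that start PowerShell with an encoded command, decoded."""
    findings, key = [], ""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)  # stitch regedit's "\"-wrapped hex lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if "=" not in line or not key.lower().endswith(RUN_KEYS):
            continue
        name, _, raw = line.partition("=")
        command = parse_value(raw)
        match = ENC_FLAG.search(command)
        if "powershell" in command.lower() and match:
            decoded = base64.b64decode(match.group(1)).decode("utf-16-le", "replace")
            findings.append({"key": key, "name": name.strip('"'),
                             "command": command, "decoded": decoded})
    return findings

# Constructed sample export (not from the real campaign): a benign Run entry plus a
# hex(2) entry hiding a harmless placeholder command, wrapped every 25 bytes like regedit.
_B64 = base64.b64encode("Write-Host 'harmless placeholder'".encode("utf-16-le")).decode()
_HEX = re.sub(r"((?:[0-9a-f]{2},){25})", "\\1\\\\\r\n  ",
              reg_hex2("powershell -w hidden -enc " + _B64))
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"OneDrive"="\\"C:\\\\Users\\\\me\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"',
    f'"WindowsUpdateFix"={_HEX}',
])
```

Run `find_encoded_autoruns(SAMPLE_REG)` to see the decoded placeholder command; on a real export, any hit whose decoded text downloads or runs further code is the indicator described above.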

Running these fake fixes leads to the activation of malware that steals saved passwords, credit card data, cookies, and browser history. Vidar can also hijack cryptocurrency wallets, steal text files and Authy 2FA authenticator databases, and take desktop screenshots.

All collected data is uploaded to servers controlled by the attackers, where it is used for further ransomware attacks or sold on the dark web.

Infected users face serious consequences: compromise of all accounts and potential financial losses. Therefore, when dealing with Windows errors, it is crucial to download software and fixes only from trusted sites, not from videos or questionable resources.

For those unable to increase the WinRE partition, experts recommend disabling the installation of certain updates (specifically KB5034441), for example, using the Microsoft Show or Hide Tool.
