An application named Event Monitor is a tech support scam with a twist: it monitors the Windows event logs and shows a popup with an alarming message every time it detects an application crash.

The message, which only appears after an application crashes, may convince some users to call a telephone number shown on screen, where an operator is eagerly waiting to convince the victim to buy all sorts of unneeded apps and services.

Event Monitor distributed via bundled software installs

BleepingComputer's Lawrence Abrams discovered this threat being distributed as a secondary payload in bundled software installations. Just by paying close attention to what they install on their PCs, users can protect themselves against this threat.

Event Monitor is signed with a digital certificate issued to a company called Super Tuneup Technologies LLP, which appears to operate out of India.

UAC prompt

Installing Event Monitor sets up a new Windows scheduled task named RunAtStartup, which executes a binary called em.exe.

Windows scheduled task for Event Monitor

When starting up, em.exe will connect to a remote server located at http://cloudfront.fullpccare.com/em/update2.asp?ver=1.18.90.16808&isreg=0&regkey=&prd=em and download a configuration file to %UserProfile%\AppData\Roaming\Event Monitor\update.ini.

In this configuration file are different localized phone numbers to use as part of the tech support scam, the current version of the program, and a link to the latest build.

Event Monitor update.ini file

This file is downloaded and replaced regularly, as the tech support crew might need to update their phone numbers whenever one goes down, or add a new number targeting users in another country. Currently, Event Monitor shows phone numbers for users living in the US, Germany, France, and Japan.

Similarly, a set of already existing configuration INI files holds localized versions of the tech support scam message that is displayed in the crash alert.

Other Event Monitor config file

After the scheduled task executes, the em.exe process starts and is identified as Event Monitor in Task Manager. This process does not display a window, but stays hidden in the background.

Event Monitor process in Task Manager

This process monitors the Windows event log for application crashes. To trigger a crash for our tests, BleepingComputer's Lawrence Abrams, with the help of Michael Gillespie, created a program specifically for this purpose, called crashdemo.exe.

crashdemo.exe file

Once we run crashdemo.exe, Event Monitor picks up the app crash in the event logs and immediately prompts us with its alarming crash popup (image and text below).

Event Monitor popup

Based on the update.ini file, other phone numbers that may appear in the popup include 01.76.54.05.61 (France), (800) 180-6512 (Germany), and 03-5050-1410 (Japan).

Simple and effective tech support scam

Using a simple trick, the group behind this nasty tech support scam is attaching their popup to crash events caused by legitimate apps. If users don't pick up on Event Monitor's shady behavior from the get-go, they'll soon be convinced that something is truly wrong with their PC.

Tech support scams are very efficient when targeting users with no technical experience, even if they're using simplistic tactics like the ones employed by Event Monitor.

BleepingComputer has published a removal guide for the Event Monitor infection, which you can consult if you ever come across this threat.

IOCs

Files

%UserProfile%\AppData\Roaming\Event Monitor\
%UserProfile%\AppData\Roaming\Event Monitor\em.exe
%UserProfile%\AppData\Roaming\Event Monitor\eng_em.ini
%UserProfile%\AppData\Roaming\Event Monitor\French_em.ini
%UserProfile%\AppData\Roaming\Event Monitor\German_em.ini
%UserProfile%\AppData\Roaming\Event Monitor\ininotfound0.ini
%UserProfile%\AppData\Roaming\Event Monitor\isxdl.dll
%UserProfile%\AppData\Roaming\Event Monitor\japan_em.ini
%UserProfile%\AppData\Roaming\Event Monitor\log_03-15-2017.log
%UserProfile%\AppData\Roaming\Event Monitor\update.ini
C:\Windows\System32\Tasks\RunAtStartup

Registry Entries

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RunAtStartup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{51740577-F69A-46ED-A677-2D8DE276C921}
HKCU\Software\Event Monitor
HKCU\Software\Event Monitor\LANG
HKCU\Software\Event Monitor\LANG\LangCode    en
HKCU\Software\Event Monitor\LANG\LangID    0
HKLM\SOFTWARE\Wow6432Node\Event Monitor
HKLM\SOFTWARE\Wow6432Node\Event Monitor\TELNO    (844) 763-5838
HKLM\SOFTWARE\Wow6432Node\Event Monitor\TELNOFR    01.76.54.05.61
HKLM\SOFTWARE\Wow6432Node\Event Monitor\TELNODE    (800) 180-6512
HKLM\SOFTWARE\Wow6432Node\Event Monitor\TELNOJP    03-5050-1410
HKLM\SOFTWARE\Wow6432Node\Event Monitor\TELNOAU    1800 154 231
HKLM\SOFTWARE\Wow6432Node\Event Monitor\TELNOUK    0800 031 4657
HKLM\SOFTWARE\Wow6432Node\Event Monitor\bShowCongratsAfterUpdateRestart    0
HKLM\SOFTWARE\Wow6432Node\Event Monitor\Expired    0
HKLM\SOFTWARE\Wow6432Node\Event Monitor\first    1
HKLM\SOFTWARE\Wow6432Node\Event Monitor\LANG
HKLM\SOFTWARE\Wow6432Node\Event Monitor\LANG\LangCode    en
HKLM\SOFTWARE\Wow6432Node\Event Monitor\LANG\LangID    0
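The following PowerShell script is an added example, not code from the article or from Event Monitor itself. It checks a Windows host, read-only, for the file, scheduled task and registry indicators listed above (including the RunAtStartup task that launches em.exe described earlier). It assumes PowerShell 3 or later on Windows 8 / Server 2012 or later, so that Get-ScheduledTask is available, and is meant to be run from a 64-bit PowerShell session so that the Wow6432Node path is read as written.

```powershell
# Added example: reports Event Monitor indicators on the local host. It only reads;
# it does not remove anything. Assumes Get-ScheduledTask (Windows 8 / Server 2012+)
# and a 64-bit PowerShell session.

$findings = @()

# 1. Files under %UserProfile%\AppData\Roaming\Event Monitor ($env:APPDATA)
$emDir   = Join-Path $env:APPDATA 'Event Monitor'
$emFiles = @('em.exe', 'eng_em.ini', 'French_em.ini', 'German_em.ini', 'japan_em.ini',
             'ininotfound0.ini', 'isxdl.dll', 'update.ini')
if (Test-Path -LiteralPath $emDir) {
    $findings += "Directory present: $emDir"
    foreach ($f in $emFiles) {
        $p = Join-Path $emDir $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
    # The log file name carries a date (log_MM-DD-YYYY.log), so match it by pattern
    Get-ChildItem -LiteralPath $emDir -Filter 'log_*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Log file present: $($_.FullName)" }
}

# 2. Scheduled task RunAtStartup and the action it launches (expected: em.exe)
$task = Get-ScheduledTask -TaskName 'RunAtStartup' -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
    $findings += "Scheduled task RunAtStartup present, runs: $exe"
}
$taskFile = Join-Path $env:SystemRoot 'System32\Tasks\RunAtStartup'
if (Test-Path -LiteralPath $taskFile) { $findings += "Task definition file present: $taskFile" }
$treeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RunAtStartup'
if (Test-Path -LiteralPath $treeKey) { $findings += "TaskCache entry present: $treeKey" }

# 3. Registry keys (HKCU and the 32-bit HKLM view) plus the phone-number and state values
$regKeys = @('HKCU:\Software\Event Monitor', 'HKLM:\SOFTWARE\Wow6432Node\Event Monitor')
$valueNames = @('TELNO', 'TELNOFR', 'TELNODE', 'TELNOJP', 'TELNOAU', 'TELNOUK', 'Expired', 'first')
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "Registry key present: $k"
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        foreach ($name in $valueNames) {
            $v = $props.$name
            if ($null -ne $v) { $findings += "  $name = $v" }
        }
    }
}

# 4. Report
if ($findings.Count -eq 0) {
    Write-Output 'No Event Monitor indicators found.'
} else {
    Write-Output 'Event Monitor indicators found:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated 64-bit PowerShell prompt; the HKLM and TaskCache checks are readable without elevation on most systems, but the task definition file under System32\Tasks may not be. A hit on the scheduled task alone is worth following up even when the files are gone, since the task is what re-launches em.exe at each logon.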

Tech Support Scam Alert Text

WARNING!
YOUR COMPUTER MAY BE AT RISK:
 
CALL: (844) 763-5838
For Emergency Tech Support call immediately
 
CrashDemo.exe
just crashed on your system.
 
Call us now for instant premium support