What makes initial detection of these malicious extensions difficult for the user is that, after the so-called utility is downloaded, it attempts to install the legitimate extension. That way the user still gets the tool they expected.
The PowerShell script first tries to run the malicious payload with administrator permissions, says the report. If it does not have the required permissions, the script tries to create a second directory named System32 and copy the ComputerDefaults.exe file into it. It then writes its own malicious DLL, named MLANG.dll, and tries to get it executed through the copied ComputerDefaults executable.
The PowerShell script carries the DLLs and the Trojan executable embedded as base64-encoded strings, says the report. It decodes the Trojan and writes it, as Launcher.exe, to the directory it created and excluded from Windows Defender monitoring.
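The chain above leaves a few host-level artefacts a defender can hunt for. The following PowerShell check is an added example, not code from the report or from any vendor; it assumes it runs elevated on a Windows host with Microsoft Defender, and the only page-derived specifics are the file names ComputerDefaults.exe, MLANG.dll and Launcher.exe.

```powershell
# Added hunting script (not from the report). Assumes an elevated session on a
# Windows host with Microsoft Defender; file names come from the report, the
# rest (depth limit, finding labels) is an assumption for this example.
$realSystem32 = Join-Path $env:SystemRoot 'System32'
$realHash     = (Get-FileHash -LiteralPath (Join-Path $realSystem32 'ComputerDefaults.exe') -Algorithm SHA256).Hash
$dropNames    = @('ComputerDefaults.exe', 'MLANG.dll', 'Launcher.exe')
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Reason, [string]$Path) {
    $findings.Add([pscustomobject]@{ Reason = $Reason; Path = $Path })
}

# 1. Defender exclusion paths: the script excludes its own drop directory, so
#    an exclusion that contains the dropped files is the strongest lead.
foreach ($ex in (Get-MpPreference).ExclusionPath) {
    if (-not (Test-Path -LiteralPath $ex)) { continue }
    Add-Finding 'Defender exclusion path present' $ex
    Get-ChildItem -LiteralPath $ex -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $dropNames -contains $_.Name } |
        ForEach-Object { Add-Finding 'Dropped file inside exclusion' $_.FullName }
}

# 2. Look-alike System32 directories: any directory named System32 that does not
#    live under the real Windows directory (depth-limited to keep the scan practical).
Get-ChildItem -Path "$env:SystemDrive\" -Directory -Recurse -Depth 4 -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'System32' -and $_.FullName -notlike "$env:SystemRoot\*" } |
    ForEach-Object { Add-Finding 'System32 directory outside Windows' $_.FullName }

# 3. Relocated ComputerDefaults.exe: a copy whose hash matches the genuine binary,
#    sitting beside an MLANG.dll, is the sideloading pair the report describes.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Depth 4 -File -Filter 'ComputerDefaults.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$env:SystemRoot\*" } |
    ForEach-Object {
        $hash    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $sidecar = Join-Path $_.DirectoryName 'MLANG.dll'
        if ($hash -eq $realHash -and (Test-Path -LiteralPath $sidecar)) {
            Add-Finding 'Genuine ComputerDefaults.exe paired with MLANG.dll' $_.FullName
        } elseif ($hash -eq $realHash) {
            Add-Finding 'Genuine ComputerDefaults.exe outside Windows' $_.FullName
        }
    }

if ($findings.Count -eq 0) { 'No artefacts found.' } else { $findings | Format-Table -AutoSize }
```

Any hit in section 1 or 3 warrants pulling the Defender exclusion list and the script's drop directory for full triage; section 2 alone can also surface benign backup copies, so treat it as a lead rather than a verdict.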