Fake Windows 11 update installs malware to steal information
Hackers are luring unsuspecting users with a fake Windows 11 update that comes with malware that steals browser data and cryptocurrency wallets.
The campaign is currently active and relies on poisoning search results to promote a website that mimics Microsoft's Windows 11 promotional page and offers the information-stealing "update".
Microsoft offers an upgrade-check tool that tells users whether their machine supports the company's latest operating system (OS). One of the requirements is Trusted Platform Module (TPM) version 2.0, which is generally only present on computers no more than about four years old.
Against this backdrop, the attackers prey on users who rush to install Windows 11 without first learning that their hardware must meet these requirements.
At the time of writing, the malicious website offering the fake Windows 11 download is still online. It carries official Microsoft logos and icons and a "Download Now" button.
If a visitor reaches the malicious website over a direct connection (the download is not served over Tor or a VPN), they receive an ISO file containing the executable for the new information-stealing malware.
Threat researchers from CloudSEK analyzed the malware and shared a technical report with BleepingComputer.
According to CloudSEK, the actors behind this campaign are using a new piece of malware, which the researchers named "Inno Stealer" because it uses the Inno Setup installer for Windows.
The researchers say Inno Stealer shares no code with other commodity information stealers currently in circulation, and they found no evidence that samples had been uploaded to the VirusTotal scanning platform.
The loader (a Delphi-based executable) is the "Windows 11 setup" file inside the ISO image. When run, it drops a temporary file named is-PN131.tmp and creates a second .tmp file into which it writes 3,078 KB of data.
CloudSEK explains that the loader spawns a new process via the CreateProcess Windows API, which is used to launch further processes, establish persistence and plant four files. Persistence is achieved by adding an .LNK (shortcut) file to the Startup directory and using icacls.exe to set its access permissions for stealth.
Two of the four dropped files are Windows command scripts that disable Registry security, add Defender exclusions, uninstall security products and delete the shadow volume.
According to the researchers, the malware also uninstalls Emsisoft and ESET security products, probably because those products detect it as malware.
The third file is a command-execution utility that runs with the highest system privileges, and the fourth is a VBA script required to run dfl.cmd.
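For a defender, the useful part of this description is the chain of behaviours on the endpoint: a shortcut planted in the Startup folder and locked down with icacls.exe, a Defender exclusion, shadow copy deletion, and dropped scripts run from a temp directory. The following is an added example, not code from CloudSEK or BleepingComputer, showing how to match those behaviours in Sysmon-style process-creation telemetry. The report excerpt names the techniques but not the exact commands, so the command-line patterns (Add-MpPreference for the Defender exclusion, vssadmin/wmic for shadow copy deletion, the temp path and the shortcut name) are assumptions about how these techniques are usually implemented, and the sample events are constructed.

```python
"""
Hunt for the Inno Stealer-style behaviour chain in process-creation records.
Added example (not the researchers' code). Patterns are assumptions about
the usual command lines for each technique; the sample events are constructed.
"""
import re
from dataclasses import dataclass

# Startup folder is where the report says the .LNK is planted.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Scripts (.cmd/.bat/.vbs) launched from a temp directory (assumed location).
TEMP_SCRIPT_RE = re.compile(r'\\temp\\[^\s"]+\.(?:cmd|bat|vbs)\b', re.I)


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    command_line: str  # its full command line
    parent_image: str  # the process that spawned it


def icacls_on_startup_lnk(ev: ProcEvent) -> bool:
    """icacls.exe changing permissions on a shortcut inside the Startup folder."""
    cl = ev.command_line.lower()
    return (ev.image.lower().endswith("\\icacls.exe")
            and STARTUP_DIR_RE.search(cl) is not None
            and ".lnk" in cl)


def defender_exclusion(ev: ProcEvent) -> bool:
    """Defender exclusion added from the command line (assumed: Add-MpPreference)."""
    cl = ev.command_line.lower()
    return "add-mppreference" in cl and "-exclusion" in cl


def shadow_copy_deletion(ev: ProcEvent) -> bool:
    """Shadow copy deletion (assumed: vssadmin or wmic shadowcopy)."""
    cl = ev.command_line.lower()
    return (("vssadmin" in cl and "delete" in cl and "shadows" in cl)
            or ("wmic" in cl and "shadowcopy" in cl and "delete" in cl))


def script_from_temp(ev: ProcEvent) -> bool:
    """cmd/wscript/cscript executing a dropped script from a temp directory."""
    runner = ev.image.lower().endswith(("\\cmd.exe", "\\wscript.exe", "\\cscript.exe"))
    return runner and TEMP_SCRIPT_RE.search(ev.command_line) is not None


RULES = {
    "icacls_on_startup_lnk": icacls_on_startup_lnk,
    "defender_exclusion": defender_exclusion,
    "shadow_copy_deletion": shadow_copy_deletion,
    "script_from_temp": script_from_temp,
}


def triage(events):
    """Return {technique: [indices of events that matched]} for every rule that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def looks_like_inno_stealer(hits, min_techniques=2):
    """One hit alone can be admin activity (icacls on a build dir, a deliberate
    exclusion); two or more distinct techniques together is the chain described."""
    return len(hits) >= min_techniques


# Constructed sample telemetry: four malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk" /inheritance:r /grant everyone:(RX)',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Local\Temp"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin delete shadows /all /quiet",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\dfl.cmd"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\victim\notes.txt",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\Projects\build" /grant devs:(OI)(CI)F',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for technique, idx in found.items():
        print(f"{technique}: events {idx}")
    print("Inno Stealer-like chain:", looks_like_inno_stealer(found))
```

The two benign records show why the rules are scoped the way they are: icacls on a project directory and an ordinary notepad launch produce no hits, so only the combination of the Startup-folder shortcut, the exclusion and the shadow copy deletion raises the verdict. In a real deployment the events would come from Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and the rules would be grouped per host and time window rather than over a flat list.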