Fake Windows 11 update installs malware to steal information

Hackers are luring unsuspecting users with a fake Windows 11 update that comes with malware that steals browser data and cryptocurrency wallets.

The campaign is now active and is based on poisoning search results to promote a website that mimics Microsoft's promotional page for Windows 11 to offer its information-stealing update.

Microsoft is offering users an update tool to see if their machine supports the company's latest operating system (OS). One of the requirements is support for Trusted Platform Module (TPM) version 2.0, which is present on computers no older than four years.

Against this backdrop, hackers prey on users who rush to install Windows 11 without taking the time to learn that the OS must meet certain specifications.

At the time of writing, the malicious website offering a fake Windows 11 is still running. It contains official Microsoft logos, icons and a "Download Now" button.

If a visitor downloads the file from the malicious website over a direct connection (downloading via Tor or a VPN is not possible), he or she receives an ISO file that contains the executable of the new information-stealing malware.

Threat researchers from CloudSEK analyzed the malware and shared a technical report with BleepingComputer.

According to CloudSEK, the operators of this campaign are using new malware, which the researchers named "Inno Stealer" because it uses the Inno Setup installer for Windows.

The researchers say Inno Stealer bears no code similarities to other commodity information stealers currently in circulation, and they found no evidence of the malware having been uploaded to the VirusTotal scanning platform.

The loader (a Delphi-based executable) is the "Windows 11 installer" file contained in the ISO image. When run, it dumps a temporary file named is-PN131.tmp and creates another TMP file into which the loader writes 3078 KB of data.

CloudSEK explains that the loader creates a new process via the Windows API CreateProcess, which it uses to spawn further processes, establish persistence and drop four files. Persistence is achieved by adding an LNK file (shortcut) to the Startup directory and using icacls.exe to set permissions on it for stealth.

Two of the four dropped files are Windows command scripts that disable registry security, add Defender exclusions, remove security products and delete the shadow volume.

According to experts, the malware also removes security solutions from Emsisoft and ESET, probably because those products identify it as malware.

The third file is a command-execution utility that runs with the highest system privileges, and the fourth is a VBA script used to run dfl.cmd.
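The loader behaviour described above (an ACL change on a Startup-folder shortcut, a Defender exclusion, shadow-copy deletion and removal of Emsisoft/ESET products) maps onto a small set of process-creation detections. The script below is an added example, not code from CloudSEK or BleepingComputer: it runs a handful of regex rules over constructed process-creation events in a hypothetical `pid=... image=... cmd=...` format. The user names, file paths, command lines and the uninstaller location are all made up for the sample and are not indicators from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (hypothetical "key=value" format,
# not real telemetry from the Inno Stealer campaign). They mirror the behaviours
# the report describes; two benign events are included to show the rules do not
# fire on ordinary icacls or explorer activity.
SAMPLE_EVENTS = [
    'pid=4120 image=C:\\Windows\\System32\\icacls.exe '
    'cmd=icacls "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows11Update.lnk" /inheritance:r',
    'pid=4130 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd=powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Local\\Temp',
    'pid=4140 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin delete shadows /all /quiet',
    'pid=4150 image=C:\\Windows\\System32\\cmd.exe '
    'cmd=cmd /c "C:\\Program Files\\ESET\\ESET Security\\uninstall.exe" /silent',
    'pid=4160 image=C:\\Windows\\System32\\icacls.exe cmd=icacls C:\\Shares\\Projects /grant bob:(R)',
    'pid=4170 image=C:\\Windows\\explorer.exe cmd=explorer.exe',
]

EVENT_RE = re.compile(r"^pid=(\d+) image=(\S+) cmd=(.*)$")

# The per-user and all-users Startup folders both end with this path fragment.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ICACLS = re.compile(r"^icacls(\.exe)?\s", re.I)

# Command-line rules, keyed by a tag an analyst can pivot on.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion|Windows Defender\\Exclusions", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("security_product_removal",
     re.compile(r"(emsisoft|eset).*uninstall|uninstall.*(emsisoft|eset)", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into pid, image and command line; raise on malformed input."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return {"pid": m.group(1), "image": m.group(2), "cmd": m.group(3)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to a single parsed event (empty if benign)."""
    cmd = event["cmd"]
    tags: List[str] = []
    # icacls is normal administration; icacls on a Startup-folder entry is the
    # stealth/persistence pattern described in the report.
    if ICACLS.search(cmd) and STARTUP_DIR.search(cmd):
        tags.append("startup_acl_change")
    for tag, pattern in RULES:
        if pattern.search(cmd):
            tags.append(tag)
    return tags


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run every event through the rules and return (pid, tags) for those that fired."""
    hits: List[Tuple[int, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        tags = classify(event)
        if tags:
            hits.append((int(event["pid"]), tags))
    return hits


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(tags)}")
```

Each rule on its own is noisy (administrators add Defender exclusions and prune shadow copies), so the useful signal is several tags firing from the same parent process tree within a short window, which is exactly what the dropped command scripts produce.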
