Fake Windows 11 update installs malware to steal information

Hackers are luring unsuspecting users with a fake Windows 11 update that comes with malware that steals browser data and cryptocurrency wallets.

The campaign is now active and is based on poisoning search results to promote a website that mimics Microsoft's promotional page for Windows 11 to offer its information-stealing update.

Microsoft is offering users an update tool to see if their machine supports the company's latest operating system (OS). One of the requirements is support for Trusted Platform Module (TPM) version 2.0, which is present on computers no older than four years.

Against this backdrop, hackers prey on users who rush to install Windows 11 without taking the time to learn that the OS must meet certain specifications.

At the time of writing, the malicious website offering a fake Windows 11 is still running. It contains official Microsoft logos, icons and a "Download Now" button.

If a visitor downloads from the malicious website over a direct connection (downloading via Tor or a VPN is not possible), he or she receives an ISO file containing the executable of the new information-stealing malware.

Threat researchers from CloudSEK analyzed the malware and shared a technical report with BleepingComputer.

According to CloudSEK, the actors behind this campaign are using a new malware family, which the researchers named "Inno Stealer" because it uses the Inno Setup installer for Windows.

Researchers say Inno Stealer shares no code with other commodity information stealers currently in circulation, and they found no sign that samples had been uploaded to the VirusTotal scanning platform.

The loader (written in Delphi) is the "Windows 11 installer" executable inside the ISO image; when run, it drops a temporary file named is-PN131.tmp and a second .tmp file into which the loader writes 3078 KB of data.

CloudSEK explains that the loader uses the Windows CreateProcess API to spawn new processes, establish persistence and drop four files. Persistence is achieved by adding an LNK (shortcut) file to the Startup (autorun) directory and using icacls.exe to set its permissions for stealth.

Two of the four dropped files are Windows command scripts that disable Registry security, add Windows Defender exclusions, uninstall security products and delete volume shadow copies.

According to the researchers, the malware also uninstalls security solutions from Emsisoft and ESET, probably because those products detect it as malware.

The third file is a command-execution utility that runs with the highest system privileges, and the fourth is the VBA script needed to run dfl.cmd.
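The dropper chain described above leaves a recognisable trail in host telemetry: a shortcut written to the Startup folder, icacls.exe run against a file in a temp directory, a Defender exclusion being added, shadow copies being deleted and a security product being uninstalled. The following Python script, added here as an illustration and not code from CloudSEK or BleepingComputer, encodes those five behaviours as detection rules and runs them over a handful of constructed, Sysmon-style process- and file-creation records. The record layout, the file and user names in the samples, and the "three or more distinct rules" threshold are assumptions; only the is-PN131.tmp and dfl.cmd names come from the article.

```python
"""Detection rules for the dropper behaviours described in the article, applied
to constructed process-creation and file-creation records (Sysmon-style).
Illustrative example; the record layout and sample values are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Event:
    """One host telemetry record: a process start or a file write."""
    kind: str                 # "process" (Sysmon EID 1) or "file" (EID 11)
    image: str                # process image, or the image that wrote the file
    command_line: str = ""    # process events only
    target_file: str = ""     # file events only


# Path and command-line patterns for the behaviours named in the write-up.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
DEFENDER_EXCL = re.compile(r"add-mppreference\s+-exclusion|windows defender\\exclusions", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
AV_REMOVAL = re.compile(r"uninstall|msiexec(\.exe)?\s.*\s/x", re.I)
AV_VENDOR = re.compile(r"emsisoft|eset", re.I)


def image_is(e: Event, name: str) -> bool:
    """True when a process event's image file name equals `name` (case-insensitive)."""
    return e.kind == "process" and e.image.lower().endswith("\\" + name)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # LNK dropped into the Startup folder: persistence via autorun.
    ("startup_lnk_persistence", lambda e: e.kind == "file"
        and e.target_file.lower().endswith(".lnk")
        and bool(STARTUP_DIR.search(e.target_file))),
    # icacls.exe changing permissions on a temp or Startup artefact.
    ("icacls_on_temp_or_startup", lambda e: image_is(e, "icacls.exe")
        and bool(TEMP_DIR.search(e.command_line) or STARTUP_DIR.search(e.command_line))),
    # Defender exclusion added via PowerShell cmdlet or the Registry.
    ("defender_exclusion_added", lambda e: e.kind == "process"
        and bool(DEFENDER_EXCL.search(e.command_line))),
    # Volume shadow copies removed.
    ("shadow_copies_deleted", lambda e: e.kind == "process"
        and bool(SHADOW_DELETE.search(e.command_line))),
    # Uninstall of the two vendors the article names.
    ("security_product_removed", lambda e: e.kind == "process"
        and bool(AV_REMOVAL.search(e.command_line)) and bool(AV_VENDOR.search(e.command_line))),
]


def scan(events) -> List[str]:
    """Return the names of the rules that fired, in event order, one entry per hit."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append(name)
    return hits


def verdict(events) -> str:
    """Escalate when several distinct behaviours from the chain appear together."""
    distinct = set(scan(events))
    if len(distinct) >= 3:
        return "likely dropper chain"
    if distinct:
        return "suspicious"
    return "clean"


# Constructed sample telemetry (not real logs); user and file names are invented.
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\alice\AppData\Local\Temp\is-PN131.tmp",
          target_file=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11.lnk"),
    Event("process", r"C:\Windows\System32\icacls.exe",
          r'icacls.exe "C:\Users\alice\AppData\Local\Temp\is-PN131.tmp" /inheritance:r'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Local\Temp"'),
    Event("process", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("process", r"C:\Windows\System32\wbem\WMIC.exe",
          "wmic product where \"name like '%Emsisoft%'\" call uninstall /nointeractive"),
    Event("process", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),  # benign
]

if __name__ == "__main__":
    for name in scan(SAMPLE_EVENTS):
        print("HIT:", name)
    print("verdict:", verdict(SAMPLE_EVENTS))
```

In practice the records would come from Sysmon or EDR telemetry rather than a hard-coded list; the point of the threshold in `verdict` is that any one of these behaviours has benign explanations (administrators do run icacls and vssadmin), while three or more of them from the same session within a short window is a much stronger signal.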
