Hackers are luring unwary users with a bogus Windows 11 upgrade that carries malware designed to harvest browser data and cryptocurrency wallets. The campaign is still ongoing and relies on poisoned search results to steer users to a website that imitates Microsoft's Windows 11 promotional page and serves the information stealer.
Microsoft provides an update tool that lets users check whether their computer is compatible with the company's most recent operating system (OS). One prerequisite is support for Trusted Platform Module (TPM) version 2.0, which is present on machines no older than four years.
The attackers prey on people who try to install Windows 11 without first learning that the operating system must meet these requirements. At the time of writing, the malicious website advertising the fake Windows 11 was still operational. It carries the official Microsoft logos and favicons, along with an inviting "Download Now" button.
The malicious website used in the campaign (windows11-upgrade11[.]com)
Image Courtesy: Bleeping Computer
If a visitor loads the malicious website over a direct connection (the download is not served over Tor or a VPN), they receive an ISO file containing the executable of a novel information-stealing malware.
CloudSEK threat researchers analysed the malware and shared a technical report exclusively with BleepingComputer.
The process of infection
According to CloudSEK, the threat actors behind this campaign are using a new malware that researchers dubbed "Inno Stealer" because it relies on the Inno Setup Windows installer. The researchers say Inno Stealer shares no code with other commodity info-stealers currently in circulation, and they found no indication that the malware had been uploaded to the VirusTotal scanning service.
The loader (a Delphi-based binary) is the ISO's "Windows 11 setup" programme. When executed, it drops a temporary file named is-PN131.tmp and creates a second one; the loader writes 3,078 KB of data to that TMP file.
According to CloudSEK, the loader calls the CreateProcess Windows API to spawn a new process, which establishes persistence and plants four files. Persistence is achieved by placing an .LNK (shortcut) file in the Startup directory and using icacls.exe to set the file's access rights so that it stays hidden.
Creating a process to establish persistence (CloudSEK)
Two of the four dropped files are Windows Command Scripts that disable Registry security, add Defender exclusions, uninstall security products, and delete the shadow volume.
According to the researchers, the malware also disables security solutions from Emsisoft and ESET, most likely because those products detect it as malicious. The third file is a command-execution utility that runs with full system privileges; the fourth is a VBA script needed to launch dfl.cmd.
In the second stage of the infection, a file with the .SCR extension is dropped into the compromised system's C:\Users\<user>\AppData\Roaming\Windows11InstallationAssistant directory. That file is the agent: it unpacks the info-stealer payload and runs it by starting a new process called "Windows11InstallationAssistant.scr", which is identical to itself.
The Inno Stealer's infection chain (CloudSEK)
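The behaviours described above give a defender several things to watch for in process-creation telemetry. The script below is an added example, not code from the CloudSEK report or this article: it runs four rules over constructed sample events and then correlates them per host, since one rule firing alone (an admin running icacls.exe) is weak evidence while the combination is strong. The sample command lines, and the Add-MpPreference and vssadmin syntax in them, are assumptions; the article names the actions but not the commands.

```python
"""Toy detection over constructed process-creation events for the tradecraft
described in the report: icacls.exe changing the ACL of a Startup .LNK,
Defender exclusions being added, shadow copies being deleted, and a .scr
launched from the Windows11InstallationAssistant folder."""
import re

# Each rule is (name, regex over the command line); all matching is case-insensitive.
RULES = [
    ("startup_lnk_acl_tamper",
     re.compile(r'icacls(\.exe)?\s+.*\\startup\\[^\s"]+\.lnk', re.I)),
    ("defender_exclusion_added",
     re.compile(r'add-mppreference\s+.*-exclusion(path|process|extension)', re.I)),
    ("shadow_copy_deletion",
     re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.I)),
    ("win11_assistant_scr_launch",
     re.compile(r'\\appdata\\roaming\\windows11installationassistant\\[^\s"]+\.scr', re.I)),
]

def classify(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """events: iterable of (host, pid, command line). Returns (host, pid, rule) hits."""
    return [(host, pid, name) for host, pid, cmd in events for name in classify(cmd)]

def suspicious_hosts(events, min_distinct=2):
    """Hosts on which at least `min_distinct` different rules fired."""
    seen = {}
    for host, _pid, name in scan(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_distinct)

# Constructed sample events (hostname, pid, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", 4120, r'icacls.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk" /deny Everyone:(R)'),
    ("WS01", 4133, r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant"'),
    ("WS01", 4140, r'vssadmin.exe delete shadows /all /quiet'),
    ("WS01", 4158, r'"C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr"'),
    ("WS01", 4201, r'icacls.exe "C:\Program Files\App\config.json" /grant Users:(R)'),  # benign ACL change
    ("WS02", 991, r'notepad.exe C:\Users\bob\notes.txt'),                               # benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print("hosts with chained indicators:", suspicious_hosts(SAMPLE_EVENTS))
```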
Capabilities of Inno Stealer
Inno Stealer's capabilities are typical for this type of malware: it collects web browser cookies and saved credentials, data from cryptocurrency wallets, and files from the disk.
Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo are among the targeted browsers; a set of cryptocurrency wallets is targeted as well.
Inno Stealer targets web browsers (CloudSEK)
Inno Stealer is after cryptocurrency wallets (CloudSEK)
An interesting feature is that Inno Stealer's network management and data-theft routines are multi-threaded.
All stolen data is copied to the user's temporary directory with a PowerShell command, encrypted, and then sent to the operator's command-and-control server ("windows-server031.com").
Malware interaction with the C2 (CloudSEK)
The stealer can also fetch additional payloads, which it does only at night, probably to take advantage of a time when the victim is away from the computer.
These additional Delphi payloads, delivered as TXT files, use the same Inno-based loader that tampers with the host's security tools and the same persistence method. They can also steal clipboard contents and exfiltrate directory enumeration data.
Security advice
The confusion surrounding the Windows 11 upgrade has created fertile ground for these operations, and this is not the first time something similar has been reported.
It is advisable to avoid downloading ISO files from unknown sources and to perform major OS upgrades from within your Windows 10 control panel or directly from the source.
If your machine cannot upgrade to Windows 11, there is no point in trying to bypass the restrictions manually, since doing so brings a slew of drawbacks and serious security risks.