Information-Stealing Malware Gets Installed Via Unofficial Windows 11 Upgrade 

Information-Stealing Malware Gets Installed Via Unofficial Windows 11 Upgrade 

Hackers are tricking users into installing a counterfeit Windows 11 upgrade that includes malware that collects browser data and cryptocurrency wallets. The effort is still running, and it works by poisoning search results to drive traffic to a website that looks like Microsoft’s Windows 11 advertising page and offers the information stealer. 

Users may use Microsoft’s upgrade tool to see if their computer is compatible with the company’s most recent operating system (OS). Support for the Trusted Platform Module (TPM) version 2.0, which is found on machines that are less than four years old, is one of the requirements. The hackers are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

At the time of writing, the rogue website advertising the false Windows 11 was still active. The official Microsoft emblems, favicons, and a welcoming “Download Now” button are included. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. CloudSEK threat researchers analyzed the malware and provided a technical report. 

According to CloudSEK, the threat actors behind this effort employ a new malware called “Inno Stealer” since it uses the Inno Setup Windows installer. The researchers said that Inno Stealer has no code in common with other presently circulating info-stealers. There is no indication of the malware being submitted to the Virus Total scanning platform. 

The “Windows 11 setup” program provided in the ISO is the loader file (Delphi-based), which, when started, dumps a temporary file named is-PN131.tmp and produces another .TMP file where the loader writes data of 3,078KB. CloudSEK clarifies that the loader uses the CreateProcess Windows API to help launch new processes, create persistence, and plant four files. Persistence is achieved by placing a .LNK (shortcut) file in the Startup directory and setting its access rights using icacls.exe. 

The malware also disables security solutions from Emsisoft and ESET, as per the researchers, most likely because these programs recognize it as malicious. Inno Stealer’s capabilities are typical of this type of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo are among the browsers and crypto wallets that have been targeted. 

The stealer can also collect extra payloads, an action only performed at night, potentially to take advantage of the victim’s absence from the computer. These additional Delphi payloads, which are TXT files, use the same Inno-based loader that messes with the host’s security tools and uses the same persistence technique. They also have the ability to grab clipboard data and exfiltrate directory enumeration data. 

The entire Windows 11 upgrade problem has produced ideal ground for the spread of these operations, and this isn’t the first time it’s been reported. Avoid downloading ISO files from unknown sites and instead undertake significant OS updates using the Windows 10 control panel or obtain the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no use in attempting to circumvent the limitations manually since this will come with a slew of drawbacks and severe security threats. 

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.