Fake Windows 11 update installs malware to steal information

Hackers are luring unsuspecting users with a fake Windows 11 upgrade that delivers malware designed to steal browser data and cryptocurrency wallets.

The campaign is currently active and relies on poisoning search results to push a website that mimics Microsoft's Windows 11 promotional page and offers the information-stealing "upgrade".

Microsoft offers an upgrade tool that lets users check whether their machine supports the company's latest operating system (OS). One of the requirements is support for Trusted Platform Module (TPM) version 2.0, which is generally present only on computers no older than about four years.

Against this backdrop, hackers prey on users who rush to install Windows 11 without first checking that their hardware meets these requirements.

At the time of writing, the malicious website offering the fake Windows 11 is still up. It uses official Microsoft logos and icons and a "Download Now" button.

If a visitor downloads from the malicious website over a direct connection (downloading via Tor or a VPN is not possible), they receive an ISO file containing the executable of the new information-stealing malware.

Threat researchers from CloudSEK analyzed the malware and shared a technical report with BleepingComputer.

According to CloudSEK, the actors behind this campaign are using new malware, which the researchers named "Inno Stealer" because it uses the Inno Setup installer for Windows.

Researchers say Inno Stealer shares no code with other commodity information stealers currently in circulation, and they found no evidence of it having been uploaded to the VirusTotal scanning platform.

The loader (a Delphi-based executable posing as the "Windows 11 setup" file inside the ISO image), when run, dumps a temporary file named is-PN131.tmp and creates a second .TMP file into which the loader writes 3,078 KB of data.

CloudSEK explains that the loader spawns a new process via the CreateProcess Windows API, which it uses to launch further processes, establish persistence and drop four files. Persistence is achieved by placing an .LNK (shortcut) file in the Startup directory and using icacls.exe to set its access permissions so that it is harder to notice or remove.

Two of the four dropped files are Windows command scripts that disable Registry security settings, add Windows Defender exclusions, uninstall security products and delete the volume shadow copies.

According to the researchers, the malware also uninstalls security solutions from Emsisoft and ESET, probably because those products detect it as malicious.

The third file is a command execution utility that runs with the highest system privileges, and the fourth is a VBA script required to run dfl.cmd.
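The behaviours described above (a shortcut dropped into the Startup folder and locked down with icacls, Defender exclusions and Registry changes, uninstallation of Emsisoft and ESET, and deletion of shadow copies) are all visible in process-creation telemetry. The following hunt script is an added example written for this page; it is not code from CloudSEK or BleepingComputer. The log lines it scans are constructed Sysmon-style events in JSON, and the command lines are assumptions about how such scripts typically perform each step, since the page does not reproduce the actual contents of Inno Stealer's .cmd files. The script flags a host only when two or more of the distinct behaviours appear on it, so that a lone administrative `vssadmin` run does not trigger an alert on its own.

```python
"""Hunt for Inno Stealer-style post-infection behaviour in process-creation logs.

Added example (not CloudSEK's or BleepingComputer's code). SAMPLE_LOG is
CONSTRUCTED for illustration; the command lines are assumptions about how the
behaviours described in the article are commonly implemented on Windows.
"""
import json
import re

# (rule name, regex over the process command line, what it indicates)
RULES = [
    ("startup_lnk_icacls",
     re.compile(r"icacls(?:\.exe)?\b.*\\Startup\\[^\\\"]+\.lnk", re.I),
     "icacls applied to a shortcut in a Startup folder (persistence + ACL tampering)"),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b"
                r"|\\Windows Defender\\Exclusions\\", re.I),
     "Windows Defender exclusion added"),
    ("defender_disabled_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Windows Defender\b.*\s/v\s+"
                r"(?:DisableAntiSpyware|DisableRealtimeMonitoring)\b", re.I),
     "Defender disabled through a Registry policy value"),
    ("security_product_uninstall",
     re.compile(r"\bwmic(?:\.exe)?\s+product\s+where\b.*\b(?:emsisoft|eset)\b.*\bcall\s+uninstall\b"
                r"|\bmsiexec(?:\.exe)?\s+/x\b.*\b(?:emsisoft|eset)\b", re.I),
     "Emsisoft or ESET product uninstalled from the command line"),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
     "volume shadow copies deleted"),
]

# Constructed Sysmon Event ID 1-style records (one JSON object per line).
SAMPLE_LOG = r'''
{"host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c icacls \"C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows11.lnk\" /inheritance:d /deny *S-1-1-0:(RX)"}
{"host": "WS01", "image": "C:\\Windows\\System32\\reg.exe", "command_line": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"}
{"host": "WS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath \"C:\\Users\\bob\\AppData\\Roaming\\Windows11\""}
{"host": "WS01", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic product where \"name like '%Emsisoft%'\" call uninstall /nointeractive"}
{"host": "WS01", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"host": "WS02", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /for=C: /oldest"}
{"host": "WS02", "image": "C:\\Windows\\System32\\icacls.exe", "command_line": "icacls \"C:\\Program Files\\LineOfBusinessApp\" /grant Users:RX"}
{"host": "WS02", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs -p"}
'''


def match_rules(command_line):
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, pattern, _ in RULES if pattern.search(command_line)]


def scan(log_text):
    """Parse JSON-lines telemetry and return one hit per (event, matching rule)."""
    hits = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        cmd = event.get("command_line", "")
        for name in match_rules(cmd):
            hits.append({"host": event["host"], "rule": name, "command_line": cmd})
    return hits


def suspicious_hosts(hits, min_rules=2):
    """Hosts showing at least `min_rules` distinct behaviours, with their sorted rule names.

    A single behaviour (e.g. one vssadmin run by an admin) is noisy on its own;
    the combination seen in the article is what makes the chain distinctive.
    """
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], set()).add(hit["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"[{hit['host']}] {hit['rule']}: {hit['command_line']}")
    print("\nHosts to escalate:", suspicious_hosts(found))
```

Run against a real export, replace SAMPLE_LOG with the contents of a Sysmon or EDR process-creation export in JSON lines, keeping the `host` and `command_line` fields. The patterns are deliberately narrow (they key on the Startup folder, the named vendors and the specific Defender values) to keep false positives low; broaden them only after checking your own environment's baseline.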
