Fake Windows 11 upgrade can steal data, drain off crypto wallets

As more and more organisations and companies are going digital, the surface of cybercrimes is expanding equally or even more. The pandemic has brought in a wave of cyber criminal activities including phishing, ransomware and more recently crypto hacks.  

Digital risk monitoring company CloudSEK found out that a fake Windows 11 upgrade is used by hackers to steal browser data and cryptocurrency wallets.  

According to CloudSEK, the campaign is currently active and relies on poisoning search results to push a website mimicking Microsoft’s promotional page for Windows 11, to offer the information stealer. The malicious domain (windows11-upgrade11[.]com) acts as a launchpad for a crypto stealer.   

“Users are lured in by a malware masquerading as a legitimate site that provides Windows 11 upgrades. Threat actors use SEO poisoning to lure users to the site, where they are directed to download a malicious file mimicking a Windows 11 upgrade. This launches a multi-stage malware dubbed as “XYZ” on the target system,” it said.   

The report notes this malicious website offering the fake Windows 11 is still up at the time of writing. It features the official Microsoft logos, favicons, and an inviting “Download Now” button. If the visitor loads the malicious website via direct connection — download is unavailable over TOR or VPN, they will get an ISO file that shelters the executable for a novel info-stealing malware. An ISO file is a file that contains all the installation files for a single program. 

The threat actors behind this campaign are using a new malware that researchers named “Inno Stealer” due to its use of the Inno Setup Windows installer. The researchers say that Inno Stealer doesn’t have any code similarities to other commodity info-stealers currently in circulation which makes this a unique finding and the first of its kind.  

Also read: Vulnerabilities in open-source Apple audio software may have risked millions of Android phones 

CloudSEK explains that the loader spawns a new process using the CreateProcess Windows API, which establishes persistence, and plants four files. According to the researchers, the malware also removes security solutions from Emsisoft and ESET, likely because these products detect it as malicious.  

The capabilities of Inno Stealer are typical for this kind of malware, including collecting web browser cookies and stored credentials, data in cryptocurrency wallets, and data from the filesystem. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo.  

The researchers recommend avoiding downloading ISO files from obscure sources and only perform major OS upgrades from within your Windows control panel or get the installation files straight from the source. If an upgrade to Windows 11 is unavailable, the researcher said, there is no point attempting to bypass the restrictions manually, as this will come with a set of downsides and severe security risks.