Hackers use malicious Windows 11 upgrade software to infect users
digital currencies and wallets.
Microsoft provides an upgrade tool that lets users check whether their system can run Windows 11. One of the system requirements is a Trusted Platform Module (TPM) version 2.0. The attackers place fake site addresses in search results, targeting users who want to install Windows 11 but do not check that they are on a reputable site.
Fake site designed to look like a Microsoft site
Fake site at the address windows11-upgrade11[.]com
Users who visit this site and click "Download Now" receive an ISO file containing malware. The download does not start if a VPN or Tor is used.
Infection process
According to CloudSEK, the threat actors behind the campaign are using new malware that the researchers named "Inno Stealer" because it uses the Inno Setup Windows installer. No code similarities were found with other data-stealing malware currently in use, and no samples of the malware had been uploaded to the VirusTotal scanning platform.
In the first step, the loader, written in Delphi, is the Windows 11 setup file inside the ISO. When executed, it creates a temporary file called is-PN131.tmp and a second .TMP file to which the loader writes 3,078 KB of data. The loader also uses CreateProcess to spawn new processes that help it persist and extract four more files.
Persistence is achieved by adding an .LNK shortcut file to the Startup folder and setting its access permissions with icacls.exe. Two of the four extracted files are Windows command scripts that disable security settings in the registry, add exclusions to Defender, remove security products and delete shadow volumes.
According to the researchers, the malware removes the Emsisoft and ESET security products, probably because those products detect it as malicious.
The third file is a command execution tool that runs with the highest system privileges, and the fourth is a VBA script that runs dfl.cmd.
In the second stage of infection, a file with the .SCR extension is placed in the following path:
C:\Users\\AppData\Roaming\Windows11InstallationAssistant
This file is used to unpack and execute the main payload by creating a process called Windows11InstallationAssistant.scr.
Malware capabilities
The malware's capabilities are typical of its category: theft of browser data, cookies, wallet information, digital passwords and clipboard contents, among others.
The following are the browsers and wallets targeted in this campaign:
One interesting feature of Inno Stealer is its multi-threaded network management and data-theft functions. All stolen data is collected through PowerShell, copied and encrypted in the user's temporary directory, and then sent to the C&C server ("windows-server031.com").
The process of communicating with the C2 server
These Delphi-based payloads, which are delivered as TXT files, use the same Inno loader mechanism.
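As an added hunting example (not from the article or the CloudSEK report), the following Python matches the host indicators described in the infection-process section above (the Startup-folder .LNK secured with icacls.exe, the Defender exclusions, the shadow-volume deletion, the .SCR launched from the Windows11InstallationAssistant folder) and the C2 contact described here against constructed, simplified process-creation and DNS events. The event format, the user name "alice", the shortcut name and the exact commands used for the exclusions and shadow deletion (Add-MpPreference, vssadmin) are assumptions; only the two domains, the drop path and the .scr name come from the article.

```python
# Added hunting example; the event format below is a constructed stand-in for
# Sysmon-style telemetry:  <EventType> | Key=Value | Key=Value ...
from dataclasses import dataclass

# Indicators from the article (lure domain written plainly so it can be compared).
C2_DOMAIN = "windows-server031.com"
LURE_DOMAIN = "windows11-upgrade11.com"
PAYLOAD_NAME = "windows11installationassistant.scr"
DROP_DIR = "\\appdata\\roaming\\windows11installationassistant"


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_event(line):
    """Split one constructed event line into a dict: EventType plus key=value fields."""
    parts = [p.strip() for p in line.split(" | ")]
    event = {"EventType": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        event[key] = value
    return event


def _field(event, key):
    return event.get(key, "").lower()


# Each rule takes a parsed event and returns a detail string on a match, else None.
def rule_startup_lnk_icacls(ev):
    # The loader sets permissions on an .LNK dropped in the Startup folder via icacls.exe.
    if _field(ev, "Image").endswith("\\icacls.exe"):
        cl = _field(ev, "CommandLine")
        if "\\startup\\" in cl and ".lnk" in cl:
            return "icacls.exe changed permissions on a Startup-folder .LNK (persistence)"
    return None


def rule_defender_exclusion(ev):
    # The article says the scripts add Defender exclusions but not how; both
    # common forms (PowerShell cmdlet, registry edit) are assumed here.
    cl = _field(ev, "CommandLine")
    if "add-mppreference" in cl and "-exclusion" in cl:
        return "Defender exclusion added via Add-MpPreference"
    if "reg add" in cl and "windows defender\\exclusions" in cl:
        return "Defender exclusion added via the registry"
    return None


def rule_shadow_copy_deletion(ev):
    # Shadow-volume removal; vssadmin is the assumed tool.
    cl = _field(ev, "CommandLine")
    if "vssadmin" in cl and "delete" in cl and "shadows" in cl:
        return "shadow copies deleted with vssadmin"
    return None


def rule_scr_payload_launch(ev):
    # Second stage: the .SCR run from %APPDATA%\Roaming\Windows11InstallationAssistant.
    image = _field(ev, "Image")
    if PAYLOAD_NAME in image or DROP_DIR in image:
        return f"second-stage payload launched from {ev.get('Image')}"
    return None


def rule_malicious_domain(ev):
    # Exfiltration goes to the C&C domain; the lure site is flagged as well.
    if ev.get("EventType") != "DnsQuery":
        return None
    name = _field(ev, "QueryName").rstrip(".")
    if name == C2_DOMAIN:
        return "DNS query for the Inno Stealer C&C domain"
    if name == LURE_DOMAIN:
        return "DNS query for the fake Windows 11 upgrade site"
    return None


RULES = [
    ("startup_lnk_icacls", rule_startup_lnk_icacls),
    ("defender_exclusion", rule_defender_exclusion),
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("scr_payload_launch", rule_scr_payload_launch),
    ("malicious_domain", rule_malicious_domain),
]


def scan(lines):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append(Finding(name, line_no, detail))
    return findings


# Constructed sample telemetry: user "alice", shortcut name and command lines are invented.
SAMPLE_EVENTS = [
    r"ProcessCreate | Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe C:\Users\alice\notes.txt",
    r"ProcessCreate | Image=C:\Windows\System32\icacls.exe | CommandLine=icacls.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11Installer.lnk /grant alice:F",
    r"ProcessCreate | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant",
    r"ProcessCreate | Image=C:\Windows\System32\vssadmin.exe | CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"ProcessCreate | Image=C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr | CommandLine=Windows11InstallationAssistant.scr",
    r"DnsQuery | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | QueryName=windows-server031.com",
    r"DnsQuery | Image=C:\Program Files\Google\Chrome\Application\chrome.exe | QueryName=www.microsoft.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

Run stand-alone, the script reports one finding for each of the five malicious sample events and none for the two benign ones. The rules are deliberately behavioural (tool plus argument pattern) rather than hash-based, since the article notes no sample of this malware was on VirusTotal; the domain and path rules are the only ones tied to this specific campaign.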
Security solution
The Windows 11 upgrade process has paved the way for malware campaigns, and this is not the first time such a campaign has been reported.
It is recommended to avoid downloading ISO files from obscure sources and to perform major operating system upgrades only from within the Windows 10 control panel or with installation files downloaded directly from the source.
If the Windows 11 upgrade is not offered to you, trying to bypass the requirements manually is not worthwhile, as it comes with a host of downsides and serious security risks.