Hackers Using Fake Windows 11 Upgrade to Install Malware & Steals Information

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2022-0070
Version:
N/A
CVE:
N/A
Published:
April 20, 2022

Summary


It has been discovered that through clever manipulation of internet search results, hackers are tricking people into installing a fake malware-infected, information-stealing Windows 11 upgrade. The hackers created a near-exact replica of the Microsoft website but infected it with malicious software. When people search for "Windows 11 upgrade" or something similar, it's possible that one of the top results is the hackers' shady website.

Description & Consequence


The malicious website used in the campaign is https://windows11-upgrade11[.]com.

According to CloudSEK, the threat actors behind this campaign are using a new malware named “Inno Stealer”, so called because it uses the Inno Setup Windows installer. The loader file (Delphi-based) is the “Windows 11 setup” executable contained in the ISO. When launched, it dumps a temporary file named is-PN131.tmp and creates another .TMP file into which the loader writes 3,078KB of data. The loader then uses the CreateProcess Windows API to spawn a new process, which establishes persistence and plants four files.

Two of the four dropped files are Windows Command Scripts to disable Registry security, add Defender exceptions, uninstall security products, and delete the shadow volume.

The third file is a command execution utility that runs with the highest system privileges, and the fourth is a VBA script required to run dfl.cmd.

At the second stage of the infection, a file with the .SCR extension is dropped into the C:\Users\\AppData\Roaming\Windows11InstallationAssistant directory of the compromised system.

That file is the agent that unpacks the info-stealer payload and executes it by spawning a new process called “Windows11InstallationAssistant.scr”, the same as itself.

On the website, if a victim clicks the “DOWNLOAD NOW” button, they download, instead of the legitimate Windows 11 upgrade, a malware application specifically designed to steal their web browser data and cryptocurrency wallet information. The malware can steal information from many web browsers, including Chrome, Edge and Opera. All stolen data is copied via a PowerShell command to the user’s temporary directory, encrypted, and later sent to the operator’s command and control server (“windows-server031.com”). Its additional capabilities include stealing clipboard contents and exfiltrating directory enumeration data.
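The following host-triage script is an added example, not code from the advisory, ngCERT or CloudSEK. It checks a Windows host for the artefacts described above (the drop directory, the .SCR process, the lure and C2 domains, Defender exclusions, deleted shadow copies and Run-key persistence); it assumes an elevated PowerShell session on the suspected host with the Defender module available, and any hit is a lead to investigate rather than proof of infection.

```powershell
# Added host-triage script; not from the advisory, ngCERT or CloudSEK.
# Names and paths come from the advisory text; a hit is a lead, not proof.
# Assumes an elevated PowerShell 5.1+ session with the Defender module present.

$findings = @()

# 1. Second-stage drop directory under the user's roaming profile.
$dropDir = Join-Path $env:APPDATA 'Windows11InstallationAssistant'
if (Test-Path $dropDir) {
    $findings += "Drop directory present: $dropDir"
    Get-ChildItem $dropDir -Filter '*.scr' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "  .SCR payload: $($_.FullName) ($($_.Length) bytes)" }
}

# 2. The unpacking agent runs as a process with the same .scr name.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -ieq 'Windows11InstallationAssistant.scr' } |
    ForEach-Object { $findings += "Running process: PID $($_.Id) $($_.Path)" }

# 3. Lure and C2 domains from the advisory, checked against the local DNS cache.
$domains = 'windows11-upgrade11.com', 'windows-server031.com'
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    foreach ($d in $domains) {
        if ($entry.Entry -like "*$d") { $findings += "DNS cache: $($entry.Entry) -> $($entry.Data)" }
    }
}

# 4. The dropped .cmd scripts add Defender exclusions and delete shadow copies.
$excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
if ($excl) { $findings += "Defender path exclusions set: $($excl -join '; ')" }
$shadowCount = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
if ($shadowCount -eq 0) {
    $findings += 'No volume shadow copies present (also normal if System Protection is off)'
}

# 5. Persistence: Run keys pointing into the drop directory.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like '*Windows11InstallationAssistant*') {
                $findings += "Run key ${key}\$($p.Name): $($p.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No advisory artefacts found on this host.' } else { $findings }
```

Run it per user profile where possible, since the drop directory and HKCU Run key live under the logged-on user's profile rather than the administrator's.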

Solution


It is recommended to avoid downloading ISO files from obscure sources and to perform major OS upgrades only from within your Windows 10 control panel, or with installation files obtained straight from the source (https://www.microsoft.com/software-download/windows11). If an upgrade to Windows 11 is not available to you, do not attempt to bypass the restrictions manually, as doing so comes with a set of downsides and severe security risks.

Reference


  1. https://www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/
  2. https://news.trendmicro.com/2022/04/20/windows-11-upgrade-malware/
