Ever since Windows 11 was first announced in June 2021, there have been campaigns aimed at duping people into downloading fake, malicious Windows 11 installers. That activity seemed to die down for a while, but it is back, and this time the potential impact is much greater.
That is because back then Windows 11 was not available to the public but only to Insiders, who are presumably more tech-savvy and better informed. Windows 11 has since become generally available, so the pool of people likely to fall for a fake installer is far larger.
A new malware campaign of the same kind was discovered by cybersecurity firm CloudSEK, which noticed an impostor website that mimics Microsoft's but in reality distributes files carrying what the researchers call "Inno Stealer", after the Inno Setup Windows installer it is built with. The researchers consider it a novel stealer because no similar sample was found on VirusTotal.
The malicious website's URL is "windows11-upgrade11[.]com", and the operators of the Inno Stealer campaign appear to have taken a page from a similar campaign a couple of months ago that used the same trick to fool potential victims. That earlier site had already been taken down at the time of reporting, but the new one is still up, so readers are advised to tread carefully.
CloudSEK says that once the infected ISO is run, multiple processes run in the background to weaken the victim's system. The installer creates Windows Command Scripts that disable Registry security, add Windows Defender exclusions, uninstall security products, and delete volume shadow copies.
Finally, an .SCR file is created which actually delivers the malicious payload, in this case the novel Inno Stealer malware, into the following directory on a compromised system:
C:\Users\\AppData\Roaming\Windows11InstallationAssistant
The name of the malware payload file is "Windows11InstallationAssistant.scr".
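The chain described above, as an added detection example (this is not CloudSEK's or Neowin's code): a Python script that scans process-creation records for the steps the article lists (Registry tools disabled, a Defender exclusion added, a security product uninstalled, shadow copies deleted, the .scr launched from the Roaming directory) and raises an alert when one host shows at least two of those steps within ten minutes. The article does not quote the dropper's actual commands, so the regexes are an assumption covering common ways of performing each step; the "timestamp|host|user|command line" record format and the sample events are constructed for the example.

```python
"""Flag the Inno Stealer-style defense-evasion chain in process-creation logs.

Added example, not CloudSEK's or Neowin's code. The article does not list the
dropper's exact commands, so each category's regexes cover common ways of doing
that step (assumption). Log format and sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Category -> regexes matched against the lowercased command line.
INDICATORS = {
    "registry_security_disabled": [
        r"reg(?:\.exe)?\s+add\b.*disableregistrytools",
        r"reg(?:\.exe)?\s+add\b.*\\policies\\system\b.*enablelua",
    ],
    "defender_exclusion_added": [
        r"add-mppreference\b.*-exclusion(?:path|process|extension)",
        r"reg(?:\.exe)?\s+add\b.*windows defender\\exclusions",
        r"set-mppreference\b.*-disablerealtimemonitoring",
    ],
    "security_product_uninstalled": [
        r"wmic(?:\.exe)?\s+product\b.*\bcall\s+uninstall\b",
        r"msiexec(?:\.exe)?\s+/x\b",
    ],
    "shadow_copies_deleted": [
        r"vssadmin(?:\.exe)?\s+delete\s+shadows\b",
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    ],
    "installer_assistant_scr_executed": [
        # the drop directory named in the article, any .scr launched from it
        r"\\appdata\\roaming\\windows11installationassistant\\.*\.scr\b",
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}
WINDOW = timedelta(minutes=10)  # steps must occur on one host within this window
MIN_CATEGORIES = 2              # a lone "vssadmin delete shadows" is not enough


def classify(cmdline):
    """Return the set of indicator categories a single command line matches."""
    text = cmdline.lower()
    return {cat for cat, pats in COMPILED.items() if any(p.search(text) for p in pats)}


def parse_event(line):
    """Parse a constructed 'timestamp|host|user|command line' record."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def find_chains(lines):
    """Map host -> sorted categories for hosts showing >= MIN_CATEGORIES steps within WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, _user, cmd = parse_event(line)
        for cat in classify(cmd):
            hits[host].append((ts, cat, cmd))
    alerts = {}
    for host, events in hits.items():
        events.sort()  # chronological; sliding window starts at each hit
        for i, (start, _cat, _cmd) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            cats = {e[1] for e in window}
            if len(cats) >= MIN_CATEGORIES:
                alerts[host] = sorted(cats)
                break
    return alerts


# Constructed sample: WS-01 shows the full chain, WS-02 a lone admin cleanup, WS-03 benign.
SAMPLE_EVENTS = [
    "2022-04-19T10:00:02|WS-01|alice|cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f",
    "2022-04-19T10:00:05|WS-01|alice|powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming\\Windows11InstallationAssistant",
    "2022-04-19T10:00:20|WS-01|alice|vssadmin.exe delete shadows /all /quiet",
    "2022-04-19T10:00:31|WS-01|alice|C:\\Users\\alice\\AppData\\Roaming\\Windows11InstallationAssistant\\Windows11InstallationAssistant.scr",
    "2022-04-19T11:30:00|WS-02|bob|vssadmin.exe delete shadows /for=C: /oldest",
    "2022-04-19T12:00:00|WS-03|carol|notepad.exe C:\\Users\\carol\\notes.txt",
]

if __name__ == "__main__":
    for host, cats in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

The two-category threshold is the important design choice: any one of these commands can be legitimate on its own (administrators delete old shadow copies, installers add Defender exclusions), but several of them from the same host inside a few minutes, followed by a screensaver executable launching from a Roaming profile directory, is the sequence the article describes and is worth an analyst's time. To use this against real telemetry, replace `parse_event` with a parser for your source (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled).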
Here is the entire process explained in a diagram:
CloudSEK has identified the targets the Inno info stealer goes after, including browsers and crypto wallets. They are shown in the images below, first the browsers and then the crypto wallets:
Here is the official link to download Windows from the real Microsoft website. You can also follow reputable news websites such as Neowin, which often link to official Microsoft ISO download pages when the Redmond firm releases them.
Source and images: CloudSEK via BleepingComputer