Attackers are targeting unsuspecting Windows users by luring them with a supposed opportunity to upgrade their computers. The "upgrade" contains malware that collects browsing data and cryptocurrency wallet contents, and there is no way to recover what is taken.
Microsoft's Windows 11 is being abused in a malicious advertising campaign that relies on poisoning search results. The ads push a website mimicking Microsoft's promotional page for Windows 11 in order to deliver an information stealer.
If your computer is less than four years old, it has TPM version 2.0 and is compatible with Microsoft's latest operating system.
The attackers are hunting for users who want to install the Windows 11 upgrade directly, without first learning the requirements the OS imposes. The malicious website is still live, redirects to the official Microsoft site, and uses the same logos. The malicious URL is tracked when it is accessed through a direct connection, but the file is not downloaded that way. CloudSEK threat researchers have analyzed the malware and shared their findings.
The malware is a new family, named Inno Stealer; the name comes from its use of the Inno Setup Windows installer. The ISO contains a Windows 11 installer executable that dumps a temporary file and creates a new file holding 3,078 KB of data.
CloudSEK explains that the loader spawns new processes to help it establish persistence and plant four files. Persistence is achieved by creating a shortcut in the Startup folder and using icacls.exe to set its permissions so that it stays hidden. The executable is capable of disabling and deleting security products, and it can also overwrite Windows registry data.
According to the researchers, the malware targets Emsisoft and ESET products because those products detect it as malicious. The third file is a command-execution utility that runs with the highest system privileges, and the fourth is a VBA script needed to execute that command.
In the second stage of the compromise, files with the .SCR extension are dropped into the C:\Users\<user>\AppData\Roaming\Windows11InstallationAssistant directory. The file unpacks the payload and then executes it in a new process.
Stealing Capabilities
The capabilities of this malware include collecting web browser cookies and stored credentials, data from cryptocurrency wallets, and data from the filesystem.
The tool supports many browsers and wallets, including Chrome, Edge, Vivaldi, and Comodo. The most notable aspect of Inno Stealer is that its data-stealing routine is multi-threaded. The stolen data is copied via a PowerShell command to a temporary directory, encrypted, and then sent to the C2 server ("windows-server031.com"). The stealer can also fetch additional payloads; this is deliberate and probably timed to coincide with periods when the victim is not at the computer. The attacker delivers the payload in a text file, after which the tool modifies security features and sets the payload up to persist on the host.
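As an added illustration of how a defender would look for the host artifacts described in the paragraphs above (the %APPDATA%\Windows11InstallationAssistant staging folder with its .SCR payloads, the Startup shortcut protected with icacls.exe, the PowerShell-driven exfiltration, and the C2 domain), here is a read-only PowerShell triage script. It is not CloudSEK's tooling and does not come from the article: the indicators are the ones the article names, while the function name `Invoke-InnoStealerTriage` and the heuristics (treating a Deny ACE on a Startup shortcut, a shortcut that targets the staging folder, or a Defender exclusion covering it as suspicious) are my own assumptions. It expects an elevated PowerShell session on Windows 10/11 with the Defender cmdlets available.

```powershell
# Added example, not from the article or CloudSEK: read-only triage for the
# Inno Stealer artifacts the article describes. Indicators are the article's;
# the heuristics marking something "suspicious" are my own assumptions.
function Invoke-InnoStealerTriage {
    [CmdletBinding()]
    param(
        [string]$C2Domain = 'windows-server031.com',   # C2 named in the article
        [string]$StageDir = (Join-Path $env:APPDATA 'Windows11InstallationAssistant')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Second-stage .SCR payloads dropped under %APPDATA%\Windows11InstallationAssistant
    if (Test-Path -LiteralPath $StageDir) {
        $scr = @(Get-ChildItem -LiteralPath $StageDir -Filter '*.scr' -File -ErrorAction SilentlyContinue)
        foreach ($f in $scr) {
            $findings.Add("Dropped payload: $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))")
        }
        if ($scr.Count -eq 0) { $findings.Add("Staging directory present without .scr files: $StageDir") }
    }

    # 2. Startup-folder shortcuts: the loader persists via a Startup .LNK and adjusts its
    #    permissions with icacls.exe. A Deny ACE on such a shortcut, or a target under the
    #    staging directory or ending in .scr, is treated as suspicious (assumption).
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk    = $_
            $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
            $deny   = @((Get-Acl -LiteralPath $lnk.FullName).Access |
                        Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($deny.Count -gt 0 -or $target -like "$StageDir*" -or $target -like '*.scr') {
                $findings.Add("Startup shortcut: $($lnk.FullName) -> '$target' (deny ACEs: $($deny.Count))")
            }
        }
    }

    # 3. Defender exclusions covering the staging directory: the tool alters security
    #    settings to keep its payload running, so an exclusion here is worth a look.
    $excl = @((Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath |
              Where-Object { $_ -and ($_ -like "$StageDir*") })
    foreach ($e in $excl) { $findings.Add("Defender exclusion on staging path: $e") }

    # 4. Traces of the C2 domain in the DNS client cache and in PowerShell script-block
    #    logs (event 4104), since exfiltration runs through PowerShell commands.
    $dns = @(Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Domain*" })
    foreach ($d in $dns) { $findings.Add("DNS cache entry: $($d.Entry) -> $($d.Data)") }

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -like "*$C2Domain*" })
    foreach ($ev in $events) {
        $findings.Add("PowerShell script block referencing C2 at $($ev.TimeCreated) (RecordId $($ev.RecordId))")
    }

    return $findings
}

# Run the triage and print one finding per line; an empty result means none of
# the article's indicators were seen on this host.
Invoke-InnoStealerTriage | ForEach-Object { Write-Output $_ }
```

The script only reads state and never deletes or quarantines anything, so it can be run on a suspect host before deciding on containment; the event-log query requires script-block logging to be enabled, and step 3 silently yields nothing on machines without Defender.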
Safeguarding Security Boundaries
Because upgrading to Windows 11 is difficult, there has been an increase in fake web pages designed to steal passwords. Only download Windows 10 updates from within Windows 10 itself, and only upgrade your system through the Control Panel.
If your system is not eligible for Windows 11, there is no point in trying to bypass the restrictions manually. Doing so will create liabilities and major security risks.