A new campaign masquerading as a Windows 11 upgrade has been discovered installing Inno Stealer, a new type of info-stealing malware. The campaign relies on search-result poisoning to push a fake website that mimics Microsoft's promotional page for Windows 11 and hosts the malware instead of the upgrade.
Upon visiting the fake Windows 11 upgrade website, the victim downloads an ISO file that contains an executable. Once executed, the malware drops additional files into the system's Temp directory and launches them with the CreateProcess Windows API function. It gains persistence by placing a shortcut to itself in the Startup directory and uses icacls.exe to set the shortcut's access permissions for stealth. Further files are dropped and executed to disable Registry security, add Microsoft Defender exclusions, uninstall security products, and delete volume shadow copies. Once this is complete, the main info-stealing payload runs; it searches for and collects web browser cookies and stored credentials, data from cryptocurrency wallets, and additional files from the filesystem. The collected data is then encrypted and sent to the malware's command-and-control (C2) server.
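A detection sketch for the chain described above, added here as an example and not taken from the article or from any Inno Stealer analysis: it tags Sysmon-style process-creation records for the behaviours the article lists (execution from Temp, icacls on a Startup item, Defender exclusion changes, shadow copy deletion) and reports a Temp-resident parent that drives several of them, since any one behaviour alone is noisy but the combination under one dropper is the pattern. The sample records, the dropper name, the user name and the exact command lines (vssadmin, Add-MpPreference) are constructed assumptions; the article names only the behaviours.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (sample data, not from the article).
# Dropper name, user and exact command lines are assumptions for illustration only.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\Win11Upgrade.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Win11Upgrade.exe"},
    {"image": r"C:\Windows\System32\icacls.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Win11Upgrade.exe",
     "cmdline": r'icacls "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win11Upgrade.lnk" /T'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Win11Upgrade.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Win11Upgrade.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "firefox.exe"},
]

# Behaviour patterns matching the stages the article describes.
TEMP_RE = re.compile(r"\\(AppData\\Local|Windows)\\Temp\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
DEFENDER_RE = re.compile(r"(Add|Set)-MpPreference|Windows Defender\\Exclusions", re.I)

def classify(ev):
    """Return the set of behaviour tags that one process-creation event matches."""
    tags = set()
    image, cmd = ev["image"], ev["cmdline"]
    if TEMP_RE.search(image):
        tags.add("exec_from_temp")
    if image.lower().endswith("\\icacls.exe") and STARTUP_RE.search(cmd):
        tags.add("icacls_on_startup_item")
    if SHADOW_RE.search(cmd):
        tags.add("shadow_copy_deletion")
    if DEFENDER_RE.search(cmd):
        tags.add("defender_exclusion_change")
    return tags

def correlate(events, min_stages=3):
    """Collect tags under each Temp-resident process (as image or as parent) and report
    those that drive at least min_stages distinct stages as a suspected dropper chain."""
    stages = defaultdict(set)
    for ev in events:
        for proc in (ev["image"], ev["parent"]):
            if TEMP_RE.search(proc):
                stages[proc] |= classify(ev)
    return {p: sorted(t) for p, t in stages.items() if len(t) >= min_stages}
```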
This is not the first time that threat actors have exploited the Windows 11 upgrade rollout to infect users with malware; earlier this year, threat actors used a similar tactic to trick users into installing RedLine, another type of info-stealing malware.