A new campaign masquerading as a Windows 11 upgrade has been discovered installing Inno Stealer, a new type of info-stealing malware. The campaign relies on poisoning search results of a system to push a fake website mimicking Microsoft’s promotional page for Windows 11, which instead hosts the malware.
Upon visiting the fake Windows 11 upgrade website, an ISO file will be downloaded that contains an executable file within it. Once executed, the malware dumps additional files into the system’s Temp directory and executes them using the CreateProcess Windows API function. The malware obtains persistence by adding a shortcut file to itself in the Startup directory and uses icacls.exe to set its access permissions for stealthiness. Additional files are dropped and executed to disable Registry security, add Microsoft Defender exceptions, uninstall security products, and delete the shadow volume. Once this is complete, the main info stealing payload is executed, which looks for and collects web browser cookies and stored credentials, data in cryptocurrency wallets, and additional data from the filesystem. This data is then encrypted and sent to the malware’s Command and Control (C2) server.
This is not the first time that threat actors have used the Windows 11 upgrade situation to attempt to infect users with malware; earlier this year, threat actors used a similar tactic to trick users into installing Redline, another type of info-stealing malware.
Analyst Notes
To prevent these types of tactics from being successful, upgrades for operating systems should only be initiated from official sources. In this case, Windows 11 upgrades should only be performed from within the Windows 10 control panel or directly from Microsoft’s official Windows 11 download page on their website. Any versions that offer to bypass restrictions put in place for the Windows 11 upgrade are likely malware in disguise. For this specific campaign, the following website is used as the lure:
windows11-upgrade11[.]com
It is recommended to both block this website and search for any connections to it within an organization. Additionally, the Inno Stealer loader and payload exhibit behavioral patterns that can be monitored for and alerted upon. Behaviors like icacls.exe modifying the permissions on the Startup folder, Defender exceptions being created via scripts, and the shadow volume being deleted are all anomalous behaviors that can be alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with this detection need.
https://www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/
