Unofficial Windows 11 update installs malware to steal information

Hackers are luring unsuspecting users with a fake Windows 11 update that comes with malware that steals browser data and cryptocurrency wallets.

The campaign is currently active and is based on poisoning search results to push a website that mimics Microsoft’s promotional page for Windows 11, to offer the information thief.

Microsoft offers an update tool for users to check if their machine is compatible with the company’s latest operating system (OS). One requirement is support for the Trusted Platform Module (TPM) version 2.0, which is present on machines that are no more than four years old.

Hackers prey on users who rush to install Windows 11 without taking the time to learn that the operating system must meet certain specifications.

The malicious website offering fake Windows 11 is still active at the time of writing. It features official Microsoft logos, favicons, and an attractive “Download Now” button.

malicious website
Malicious website used in the campaign (windows11-upgrade11[.]com)

If the visitor loads the malicious website via a direct connection (download is not available via TOR or VPN), they will get an ISO file that protects the executable from new information-stealing malware.

CloudSEK threat researchers analyzed the malware and shared a white paper exclusively with BleepingComputer.

infection process

According to CloudSEK, the threat actors behind this campaign are using new malware that researchers named “Inno Stealer” due to its use of the Windows Inno Setup installer.

The researchers say that Inno Stealer bears no code similarities to other information stealers currently in circulation and have found no evidence that the malware was uploaded to the Virus Total scanning platform.

The loader file (based on Delphi) is the “Windows 11 Setup” executable contained in the ISO, which, when launched, downloads a temporary file called en-PN131.tmp and creates another .TMP file where the loader writes 3078 KB of data.

CloudSEK explains that the loader spawns a new process using the creation process The Windows API helps spawn new processes, establish persistence, and plant four files.

Persistence is achieved by adding a .LNK file (shortcut) to the Home directory and using icacls.exe to set your access permissions for stealth.

Creating a process to establish persistence
Creating a process to establish persistence (CloudSEK)

Two of the four deleted files are Windows scripts to disable registry security, add Defender exceptions, uninstall security products, and delete the hidden volume.

According to the researchers, the malware also removes security solutions from Emsisoft and ESET, probably because these products detect it as malicious.

The third file is a command execution utility that runs with the highest system privileges; and the fourth is a VBA script required to run dfl.cmd.

In the second stage of the infection, a file with the .SCR extension is placed in the C:UsersAppDataRoamingWindows11InstallationAssistant directory of the compromised system.

That file is the agent that unpacks the data stealer’s payload and executes it by spawning a new process named “Windows11InstallationAssistant.scr”, just like itself.

infection chain
The Inno Stealer chain of infection (CloudSEK)

Inno Stealer capabilities

Inno Stealer’s capabilities are typical for this type of malware, including the collection of web browser cookies and stored credentials, data in cryptocurrency wallets, and file system data.

The set of specific browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo.

Web browsers attacked by Inno Stealer
Web browsers attacked by Inno Stealer (CloudSEK)
Crypto Wallets Attacked by Inno Stealer
Crypto Wallets Attacked by Inno Stealer (CloudSEK)

An interesting feature of Inno Stealer is that the network management and data stealing functions are multi-threaded.

All stolen data is copied via a PowerShell command to the user’s temporary directory, encrypted, and then sent to the operator’s command and control server (“”).

Malware communication with C2
Malware communication with the C2 (CloudSEK)

The thief can also obtain additional payloads, an action that is only performed at night, possibly to take advantage of a period when the victim is not at the computer.

These additional Delphi payloads, which take the form of TXT files, employ the same Inno-based loader that messes with host security tools and use the same persistence setting mechanism.

Its additional capabilities include clipboard information theft and directory listing data exfiltration.

Security advice

The whole Windows 11 update situation has created fertile ground for the proliferation of these campaigns, and this is not the first time something like this has been reported.

It is recommended to avoid downloading ISO files from unknown sources and only perform major OS updates from the Windows 10 control panel or get the installation files directly from the source.

If an upgrade to Windows 11 is not available to you, there is no point in trying to bypass the restrictions manually, as this will lead to a number of inconveniences and serious security risks.

Add Comment