Cybersecurity researchers have detailed a new cybercrime campaign that spreads an information-stealing malware by pretending to be a Windows 11 upgrade. Windows 11 is the latest version of Microsoft's desktop operating system and has largely been well-received by users. However, the stringent system requirements mean that many perfectly good computers are not officially eligible to receive the update. Desperate for the latest software, people are trying all sorts of quick fixes and unofficial methods to install Windows 11 on their computers, giving malicious actors plenty of soft targets to prey on.
Cybercrimes have been rising recently, reaching their peak during the pandemic. Several different types of cybercrimes have seen an uptick during this time, including phishing, ransomware, spyware, crypto scams and more. Another popular method involves using fake software, including phony antivirus apps, to deliver malicious payloads. According to an FBI report, last year was an exceptionally bad year for cybercrime victims, with people reportedly losing almost $7 billion to online attacks and scams.
Security researchers at CloudSEK uncovered a fake Windows 11 upgrade website that delivered data-stealing malware to Windows PCs. According to Bleeping Computer, which has exclusive access to the research report, the malware can steal data from web browsers and crypto wallets. The website, which has now been taken down, reportedly looked near-identical to Microsoft's original Windows 11 upgrade site, with authentic-looking logos, fonts and design. The site promised to assist users in installing Windows 11 on unsupported systems but instead offered a malware-laden ISO file for download. The CloudSEK researchers named the new malware 'Inno Stealer' because it is built with the Inno Setup Windows installer.
In terms of modus operandi, the malware is said to run multiple processes, including some that run scripts to disable various Windows security features, registry security among them. The malware also adds exclusions to the built-in Windows Defender antivirus and even uninstalls third-party security programs from Emsisoft and ESET. Once the security software is disabled, the malware runs commands with the highest system privileges and creates a process called Windows11InstallationAssistant.scr that contains the data-stealing code. That code can reportedly read information from web browsers, including stored cookies, login credentials and more.
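The behaviour described above gives a defender several host-level signals to check for: unexpected Defender exclusions, real-time protection switched off, third-party antivirus products disappearing from the registered list, and a process named after the Windows 11 installation assistant. The following PowerShell audit is an added example written for this article; it is not code from CloudSEK or Bleeping Computer, and the only detail taken from the report is the process name Windows11InstallationAssistant.scr. The cmdlets used (Get-MpPreference, Get-MpComputerStatus, Get-CimInstance) are standard on Windows 10 and 11 with Microsoft Defender; the assumption that a clean workstation has no Defender exclusions is a simplification and should be adjusted to your baseline.

```powershell
# Added example: host audit for the Inno Stealer behaviours described in the article.
# Not the original report's code. Run from an elevated PowerShell session on
# Windows 10/11. Returns a list of findings; an empty list means nothing matched.
function Invoke-InnoStealerHostAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender exclusions. The article says the malware adds exceptions to
    #    Windows Defender. Assumption: a clean workstation has none, so any
    #    entry is worth a look (tune this against your own baseline).
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($pref.$kind)) {
            if ($item) { $findings.Add("Defender $kind exclusion present: $item") }
        }
    }

    # 2. Protection state. The report says security features are disabled
    #    before the stealer runs, so check the engine and real-time protection.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is OFF')
    }
    if (-not $status.AntivirusEnabled) {
        $findings.Add('Defender antivirus engine reports disabled')
    }

    # 3. Registered third-party antivirus. The article names Emsisoft and ESET
    #    as products the malware uninstalls; compare this list with what you
    #    expect to be installed on the host.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
          -ErrorAction SilentlyContinue
    $names = @($av | ForEach-Object { $_.displayName })
    $findings.Add("Registered antivirus products: " + ($(if ($names) { $names -join '; ' } else { '<none>' })))

    # 4. The data-stealing process named in the article. Win32_Process keeps
    #    the image name with its extension, so the .scr suffix is visible here.
    $procs = Get-CimInstance -ClassName Win32_Process `
             -Filter "Name LIKE 'Windows11InstallationAssistant%'"
    foreach ($p in $procs) {
        $findings.Add("Suspicious process: $($p.Name) (PID $($p.ProcessId)) from $($p.ExecutablePath)")
    }

    # 5. Screensaver-extension executables in user-writable locations. Assumption:
    #    legitimate .scr files live under the Windows directory, not in profiles.
    $userRoots = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ }
    foreach ($root in $userRoots) {
        Get-ChildItem -Path $root -Filter '*.scr' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Executable .scr outside Windows directory: $($_.FullName)") }
    }

    return $findings
}

# Usage: print each finding; feed the list to your ticketing or SIEM pipeline as needed.
Invoke-InnoStealerHostAudit | ForEach-Object { Write-Output $_ }
```

The registered-antivirus line is always emitted so that an empty list stands out; the rest of the checks only add entries when something matches. None of this confirms an infection on its own, but a host that shows fresh Defender exclusions, protection turned off and a missing third-party product at the same time matches the sequence the report describes and should be isolated and examined.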
Inno Stealer targets almost all mainstream web browsers, with the possible exception of Firefox. The report lists Chrome, Edge, Opera, Vivaldi, Comodo, Brave, Torch and a whole host of other browsers as affected, but Firefox is conspicuous by its absence. The malware can also apparently read data stored in crypto wallets and from the computer's filesystem. Overall, Inno Stealer can wreak havoc on any PC, but problems like this are generally easy to avoid. The researchers recommend that users avoid downloading ISO files from untrustworthy sources and stick to the official Windows Update channel to get updates. There are ways to safely install Windows 11 on officially unsupported systems, but this is not one of them.
Source: Bleeping Computer