Hackers seek to trick users with a fake Windows 11 upgrade whose goal is to install malware on your computer that will steal credentials stored in your browser and any cryptocurrency wallet.
Currently, the campaign is active and relies on poisoning internet search results to promote a website that is a copy of the official promotion page for Windows 11, like the one found on the Microsoft website. Except that in this case, the user is downloading malware and not a Windows 11 upgrade utility.
As seen in the image below, the "windows11-upgrade11[.]com" site uses the same layout, logos, etc... as the Microsoft site. The user downloads a malicious ISO file by clicking on the "Download now" button.
How does Inno Stealer malware work?
Security researchers at CloudSEK have analyzed the malware hiding in this malicious ISO image. First, it now has a name: Inno Stealer, in reference to Inno Setup Windows Installer. In terms of its code, it has no similarity with other malware of the same kind. The malware is set up on the PC thanks to the "Windows 11 setup" executable file, and it will quickly become persistent by creating a shortcut in the "Startup" folder of the machine.
More specifically, the malware will perform several actions on the machine:
Disable Windows Registry Security
Add exceptions in Windows Defender
Delete Shadow Copies
Uninstall security products, including Emsisosft and ESET, as these products can detect it
A process called "Windows11InstallationAssistant.scr" runs on the machine to start stealing information saved in browsers, particularly in Chrome, Edge, Brave, Opera, or even Vivaldi. Furthermore, it will steal your possible cryptocurrency wallet since it checks different locations on the system.
The data collected by the malware is exfiltrated to the "windows-server031.com" server, and it is worth pointing out that the malware relies on a multi-threaded process to be more efficient. Finally, this new malware seems effective and remarkably successful.