Tuesday, April 16, 2024

Dangerous malware in a fake Windows 11 upgrade steals user passwords

CloudSEK researchers have warned of a fake Windows 11 upgrade, which hides malware that steals data from web browsers and cryptocurrency wallets



The fake Windows 11 upgrade is offered on a website that is pushed into search results and mimics Microsoft’s Windows 11 promotional page.

Microsoft offers an upgrade tool for users to check if their computer supports the company’s latest operating system. One of the conditions is support for Trusted Platform Module (TPM) version 2.0, which is present on computers that are not older than four years.

The targets of this campaign are users who would like to install Windows 11 without checking whether their computer meets the required specifications.

The fake Windows 11 website has official Microsoft logos, favicons, and a “Download Now” button. If a visitor clicks this button, they will download an ISO file that hides the executable file for new malware that steals data. CloudSEK researchers have named the new malware “Inno Stealer” because of its use of the Inno Setup Windows installer.


Interestingly, the malware uninstalls antivirus products, including security solutions from Emsisoft and ESET, probably because these products detect it as malware.

Inno Stealer may collect web browser cookies and saved passwords, data in cryptocurrency wallets, and other data.

The malware targets a number of browsers and crypto wallets, including Chrome, Edge, Locks, Opera, Vivaldi, 360 Browser, and Comodo.

All stolen data is copied via a PowerShell command to a temporary directory, encrypted, and later sent to the command and control server.

The malware can also download additional malicious code, which only happens at night, probably to take advantage of the time when the victim is not at the computer.

This is not the first time Windows 11 has been used as bait to spread malware. It is recommended to avoid downloading ISO files from suspicious sites and to upgrade the OS only from the Windows 10 control panel or to download the installation files directly from the Microsoft site.
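One way to act on that advice when an ISO has already been downloaded is to check the signatures of the executables inside it before running anything. The script below is an added example, not part of the CloudSEK report; the `$IsoPath` parameter is a placeholder, and it assumes that installers on a genuine Microsoft image carry a valid Microsoft Authenticode signature.

```powershell
# Added example: triage the executables inside a downloaded ISO before running any of them.
# $IsoPath is a placeholder for the file you downloaded.
param(
    [Parameter(Mandatory)] [string] $IsoPath
)

# Mount the image read-only style via the built-in Storage module
$image = Mount-DiskImage -ImagePath (Resolve-Path $IsoPath).Path -PassThru
try {
    $letter = ($image | Get-Volume).DriveLetter
    if (-not $letter) { throw "ISO mounted without a drive letter" }

    $findings = Get-ChildItem -Path "${letter}:\" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.msi', '.scr' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File    = $_.FullName
                SizeMB  = [math]::Round($_.Length / 1MB, 1)
                Status  = $sig.Status
                Signer  = $subject
                # Heuristic only: flag anything unsigned, invalid, or not signed by Microsoft
                Suspect = ($sig.Status -ne 'Valid') -or
                          ($subject -notmatch 'O=Microsoft Corporation')
            }
        }

    # Show flagged files, largest first
    $findings | Where-Object Suspect |
        Sort-Object SizeMB -Descending |
        Format-Table File, SizeMB, Status, Signer -AutoSize
}
finally {
    # Always unmount, even if enumeration failed
    Dismount-DiskImage -ImagePath $image.ImagePath | Out-Null
}
```

A flagged file is a prompt for closer review rather than a verdict, and an empty result does not prove the image is clean.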






