Tuesday, October 4, 2022

Fake Windows 11 update that can steal your data

Lately, a fake windows 11 update has circulated the internet, which is risking the users’ safety. It is spreading malware that could steal a user’s personal information. The reason why this malicious software is making rounds is because of its nature of it, which is quite interesting and has raised some brows from security researchers. Researchers from CloudSEK have analyzed this scam and have shared the results with the rest of the world.

The attackers that created this fake update have managed to replicate the Window’s official website. It has a very inviting ‘Download Now’ button, that has scammed a lot of users globally. By clicking the download button, on the user’s PC, a 1.5 MB ZIP file is downloaded that contains the executable files inside.

windows 11
Fake Windows 11 update interface (windows11-upgrade11[.]com)

According to researchers, this is a new form of malware, that they named ‘Inno Stealer’ due to its use of the Inno Setup Windows installer. The “Windows 11 setup” executable found inside the ISO when launched creates a temporary file named PN131.tmp, and another.TMP file that writes 3,078KB of data to the infected PC. CloudSEK researchers explained that this loader helps initiate new processes using the ‘Create Process Windows API’ which starts new processes and plants four files within the system.

Windows 11

The first two files are Windows commands that disable Registry security and add Defender exception, by even uninstalling some security products. The third file is a command that when executed, run with the highest system privileges. Meanwhile, the last file VBA script is required to run dfl.cmd (Windows domain functional level). This marks the ending of the first stage of the infection. Meanwhile, the second one begins in which another file with an SCR extension is dropped inside the User’s- App Data directory of the system. This file contains the malicious payload which begins the execution ready to steal information from the victim’s personal computer.

Inno Stealer

The Inno Stealer’s infection chain (credits to: CloudSEK)

The Inno Stealer targets browsers and crypto wallets, which includes stealing web browser cookies and storing information in crypto wallets in different file systems. This malware can even attack the biggest browsers in the world like Chrome, Edge, Opera, etc. One interesting thing about the Inno Stealer is that it also has additional payloads that can be executed possibly during the nighttime when the victim is not in front of the PC.

Overall, this situation has caused a lot of commotion, where the users are frightened about their security. We must say that this is not the first time that a similar situation has been reported. Microsoft has been attacked in ways like this even before. But this time this issue seems to be more complex, where the user is being deceived daily. Therefore, it is recommended that we must download updates from within our control panel, or from the official resources, but never from third-party resources. If the update is not available right away, we mustn’t hurry to get the update manually and causing the raise of the security risks that may come with it.

Kristi Shehu
Kristi Shehu
My name is Kristi and I am a Cyber Security engineer and a freelance cyber analyst writer, based in Tirana Albania. I write about technology on online Medias, with a focus on cyber news and the latest trends in the security world, as seen from the POV of a cyber-professional. I love sharing my thoughts and opinions about different cyber topics, emerging technologies evolving in cyber-tech companies or Startups around the world. So, if you ever feel like sharing your work, projects, or your new up and running Startup, feel free to drop me a line.

Related Articles

Latest Articles