# Unofficial Windows 11 upgrade installs info-stealing malware **[bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/](https://www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) April 18, 2022 01:18 PM 0 ----- Hackers are luring unsuspecting users with a fake Windows 11 upgrade that comes with malware that steals browser data and cryptocurrency wallets. The campaign is currently active and relies on poisoning search results to push a website mimicking Microsoft's promotional page for Windows 11, to offer the information stealer. Microsoft offers an upgrade tool for users to check if their machine supports the latest operating system (OS) from the company. One requirement is support for Trusted Platform Module (TPM) version 2.0, which is present on machines that not older than four years. The hackers are preying on users that jump at installing Windows 11 without spending the time to learn that the OS needs to meet certain specifications. The malicious website offering the fake Windows 11 is still up at the time of writing. It features the official Microsoft logos, favicons, and an inviting “Download Now” button. ----- **Malicious website used in the campaign (windows11-upgrade11[.]com)** If the visitor loads the malicious website via direct connection - download is unavailable over TOR or VPN, they will get an ISO file that shelters the executable for a novel infostealing malware. Threat researchers at [CloudSEK have analyzed the malware and shared a technical report](https://cloudsek.com/) exclusively with BleepingComputer. ## Infection process According to CloudSEK, the threat actors behind this campaign are using a new malware that researchers named “Inno Stealer” due to its use of the Inno Setup Windows installer. The researchers say that Inno Stealer doesn’t have any code similarities to commodity other info-stealers currently in circulation and they have not found evidence of the malware being uploaded to the Virus Total scanning platform. The loader file (Delphi-based) is the “Windows 11 setup” executable contained in the ISO, which, when launched, dumps a temporary file named is-PN131.tmp and creates another .TMP file where the loader writes 3,078KB of data. CloudSEK explains that the loader spawns a new process using the CreateProcess Windows API the helps spawn new processes, establish persistence, and plant four files. Persistence is achieved by adding an .LNK (shortcut) file in the Startup directory and using _icacls.exe to set its access permissions for stealthiness._ ----- **Creating a process to establish persistence** _(CloudSEK)_ Two of the four dropped files are Windows Command Scripts to disable Registry security, add Defender exceptions, uninstall security products, and delete the shadow volume. According to the researchers, the malware also removes security solutions from Emsisoft and ESET, likely because these products detect it as malicious. The third file is a command execution utility that runs with the highest system privileges; and the fourth is a VBA script required to run dfl.cmd. At the second stage of the infection, a file with the .SCR extension is dropped into the C:\Users\\AppData\Roaming\Windows11InstallationAssistant directory of the compromised system. That file is the agent that unpacks the info-stealer payload and executes it by spawning a new process called “Windows11InstallationAssistant.scr”, the same as itself. ----- **The Inno Stealer's infection chain** _(CloudSEK)_ ## Inno Stealer capabilities The capabilities of Inno Stealer are typical for this kind of malware, including collecting web browser cookies and stored credentials, data in cryptocurrency wallets, and data from the filesystem. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. **Web browsers targeted by Inno Stealer** _(CloudSEK)_ ----- **Crypto wallets targeted by Inno Stealer** _(CloudSEK)_ An interesting characteristic of Inno Stealer is that the network management and the datastealing functions are multi-threaded. All stolen data is copied via a PowerShell command to the user’s temporay directory, encrypted, and later sent to the operator’s command and control server (“windowsserver031.com”) **Malware communication with the C2** _(CloudSEK)_ The stealer can also fetch additional payloads, an action only performed at night time, possibly to take advantage of a period when the victim is not at the computer. ----- These additional Delphi payloads, which take the form of TXT files, employ the same Innobased loader that fiddles with the host’s security tools and use the same persistenceestablishment mechanism. Their extra capabilities include stealing clipboard information and exfiltrating directory enumeration data. ## Security advice The whole Windows 11 upgrade situation has created a fertile ground for the proliferation of [these campaigns, and this is not the first time that something like that has been reported.](https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/) It is recommended to avoid downloading ISO files from obscure sources and only perform major OS upgrades from within your Windows 10 control panel or get the installation files [straight from the source.](https://www.microsoft.com/software-download/windows11) If an upgrade to Windows 11 is unavailable to you, there’s no point attempting to bypass the restrictions manually, as this will come with a set of downsides and severe security risks. [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. [Previous Article](https://www.bleepingcomputer.com/news/microsoft/windows-10-21h2-now-in-broad-deployment-available-to-everyone/) [Next Article](https://www.bleepingcomputer.com/news/security/hackers-steal-655k-after-picking-metamask-seed-from-icloud-backup/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----