Fake Windows Upgrade Site Delivering Info-Stealer Malware
Cybercriminals Taking Advantage of Windows 11 Upgrade
A multistage information stealer malware is targeting Windows users and stealing their data from browsers and crypto wallets using fake domains masquerading as a Windows 11 upgrade, according to CloudSEK researchers.
Researchers at the India-based cybersecurity company said they noticed a malicious actor had registered the domain "windows11-upgrade11[.]com," which they then used to spread malware by tricking users into downloading and running a fake installer.
"CloudSEK discovered a unique malware specimen disguised as a Win 11 update as part of our campaign tracking activity. Based on the analysis, the malware shows the behavior of a custom-made info stealer which doesn't resemble any commodity stealers. The CloudSEK Threat Intel coined the unique specimen as 'Inno Stealer,'" Anandeshwar Unnikrishnan, a senior threat researcher at CloudSEK tells Information Security Media Group.
Unnikrishnan says that the team has not attributed this malware to any particular group so far.
Researchers on HP's threat research team released a similar finding in February, saying that cybercriminals were taking advantage of the final phase of the Windows 11 upgrade, announced on Jan. 26, to install RedLine Stealer malware (see: Fake Windows 11 Upgrade Installers Add RedLine Malware).
Initial Attack Vector
According to the researchers, this stealer, never before seen in the wild, is distributed using a duplicate of the legitimate Windows 11 website design that tricks users by claiming to provide Windows 11 upgrades.
The researchers say the threat actors use SEO poisoning to lure users to the site, where they are directed to download a malicious .iso file named Windwos11-setup_11_14064.iso. The malware loader is shipped inside this .iso file and is presented to the user as an executable named windows11-setup_11_14064.exe.
SEO poisoning is an illegitimate technique used to achieve a higher search engine ranking for websites, often performed in an effort to spread malware by prompting visitors to these highly ranked websites to download malicious files (see: How 'SEO Poisoning' Is Used to Deploy Malware).
"On clicking the page in the results, the user is directed to the fake domain and it will prompt users to download [the] .iso file, falsely advertised as the latest Windows 11 upgrade," Unnikrishnan says.
The malware is written in the Delphi programming language, and the developers built the loader with Inno Setup 6.1.0, a free installer builder for Windows that is itself written in Delphi.
While debugging the loader, the researchers found that Inno Setup's own metadata is loaded at run time, which helped them understand the loader's behavior.
When the downloaded loader is executed, it creates a file named windows11-setup_11_14064.tmp inside the user's Temp directory.
"Once the file is created, the loader writes data into it. The size of the new file is 3,078 KB and MZP (Mzp file stands for mountable zip file) is the first byte. Even though the extension of this file is .tmp, it is an executable and the loader spawns a new process via the CreateProcess Windows API," they say.
When this file runs, the familiar Inno Setup pattern appears: a child process is created with Inno Setup's internal command-line switches such as /SL5, /SPAWNWND, /DEBUGWND and /NOTIFYWND. That child process ultimately hosts the code of the final payload.
"The directory path following /SL5 is the path to the parent process. This is an internal mechanism used by Inno for Inter-Process Communication and the files that need to be executed are dropped in the user's Temp directory. All the files are deleted after the installer exits and the directories created will have the following name convention: IS-XXXX.tmp," the researchers say.
In the next stage, the child installer windows11-setup_11_14064.tmp runs the malware: the loader creates a new temporary directory on the C: drive and drops three scripts and one tool (an application) into it.
Executing these scripts disables system protections through the Windows Registry, runs WMIC to uninstall security products installed on the target system, and uses PowerRun to run with elevated privileges so that .scr, .cmd, .exe and other file types can be added to the Windows Defender exclusion list.
In the final Inno Setup stage, a packed file with a .scr extension is dropped into the C: directory. Windows treats .scr (screensaver) files as ordinary executables, the researchers note, so running the file starts the unpacking of the payload.
"The unpacker executes the payload by spawning a new process with a name identical to itself, i.e. 'Windows11InstallationAssistant.scr'. The unpacked payload in the memory talks to the command and control endpoints," the researchers say. "A successful unpacking leads to execution of the payload via user32.CallWindowProcA API. This is a silent way to transfer control to the final payload code."
The final payload, also written in Delphi, behaves as a stealer: it collects user files from the Desktop, web browser data such as cookies and browser user data, and the data of crypto wallets and other stored secrets.
"The stealer employs a multi-threading model to implement all of its features. The functions are implemented using multiple threads like network management and data-stealing," the researchers say.
The malware uses PowerShell to copy data to the user's Temp directory, which it later sends to the C2 controlled by the attacker.
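As an added illustration of how a detection engineer might hunt for the execution chain described in this article (this is example code written for this page, not code from CloudSEK or from the malware analysis), the following Python checks process-creation events for the stages the researchers describe: an Inno Setup child process launched with /SL5 from an is-XXXX.tmp directory, a WMIC product uninstall, a Defender exclusion launched through PowerRun, and a .scr file spawning a copy of itself. The sample events are constructed, the field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage), and the exact command-line shapes, the PowerRun.exe file name and the Add-MpPreference invocation are assumptions about what such telemetry would look like rather than indicators from the campaign.

```python
"""Hunt for an Inno Stealer-style execution chain in process-creation telemetry.

The events below are constructed for this example; they are not captured
from the campaign. Field names mirror Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the newly created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


# Inno Setup extracts the real installer into %TEMP%\is-XXXXX.tmp\<name>.tmp
# and launches it with the internal /SL5= switch. Legitimate installers do
# this too, so on its own it is context, not a verdict.
INNO_CHILD = re.compile(r"\\is-[A-Z0-9]{4,5}\.tmp\\[^\\]+\.tmp$", re.I)
INNO_ARGS = re.compile(r"/SL5=", re.I)
# "wmic product where ... call uninstall" removes installed software,
# including security products, without a GUI.
WMIC_UNINSTALL = re.compile(r"\bproduct\b.*\bcall\s+uninstall\b", re.I)
# Assumed shape of the Defender exclusion command (PowerShell cmdlet).
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(Extension|Path)", re.I)


def inno_unpack(e: ProcEvent) -> bool:
    return bool(INNO_CHILD.search(e.image) and INNO_ARGS.search(e.cmdline))


def wmic_uninstall(e: ProcEvent) -> bool:
    return e.image.lower().endswith("\\wmic.exe") and bool(WMIC_UNINSTALL.search(e.cmdline))


def powerrun_exclusion(e: ProcEvent) -> bool:
    # PowerRun (assumed file name PowerRun.exe) is used to run the exclusion
    # command with elevated rights; flag either the parent or the command.
    return e.parent_image.lower().endswith("\\powerrun.exe") or bool(DEFENDER_EXCL.search(e.cmdline))


def scr_self_spawn(e: ProcEvent) -> bool:
    # The unpacker spawns a process with a name identical to itself.
    return e.image.lower().endswith(".scr") and e.image.lower() == e.parent_image.lower()


RULES = {
    "inno_setup_unpack": inno_unpack,
    "wmic_product_uninstall": wmic_uninstall,
    "powerrun_defender_exclusion": powerrun_exclusion,
    "scr_self_spawn": scr_self_spawn,
}


def matched_stages(events: list) -> set:
    """Return the names of every stage observed anywhere in the event list."""
    return {name for e in events for name, rule in RULES.items() if rule(e)}


def is_inno_stealer_chain(events: list) -> bool:
    """True when Inno unpacking is followed by at least two hostile stages."""
    stages = matched_stages(events)
    return "inno_setup_unpack" in stages and len(stages - {"inno_setup_unpack"}) >= 2


TEMP = r"C:\Users\victim\AppData\Local\Temp"

# Constructed events for the malicious chain.
SAMPLE_EVENTS = [
    ProcEvent(TEMP + r"\is-K3J9F.tmp\windows11-setup_11_14064.tmp",
              '"' + TEMP + r'\is-K3J9F.tmp\windows11-setup_11_14064.tmp" '
              r'/SL5="$A0123,2840000,832512,D:\windows11-setup_11_14064.exe"',
              r"D:\windows11-setup_11_14064.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic product where \"name like '%Antivirus%'\" call uninstall /nointeractive",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Add-MpPreference -ExclusionExtension .scr,.cmd,.exe",
              r"C:\is-TMP01.tmp\PowerRun.exe"),
    ProcEvent(r"C:\Windows11InstallationAssistant.scr",
              r"C:\Windows11InstallationAssistant.scr",
              r"C:\Windows11InstallationAssistant.scr"),
]

# Constructed events for a legitimate Inno Setup installer: unpacking only.
BENIGN_EVENTS = [
    ProcEvent(TEMP + r"\is-P2Q4R.tmp\editor-setup.tmp",
              '"' + TEMP + r'\is-P2Q4R.tmp\editor-setup.tmp" '
              r'/SL5="$B4567,3100000,790000,C:\Users\victim\Downloads\editor-setup.exe"',
              r"C:\Users\victim\Downloads\editor-setup.exe"),
    ProcEvent(r"C:\Program Files\7-Zip\7zFM.exe", "7zFM.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print("malicious:", sorted(matched_stages(SAMPLE_EVENTS)), is_inno_stealer_chain(SAMPLE_EVENTS))
    print("benign:   ", sorted(matched_stages(BENIGN_EVENTS)), is_inno_stealer_chain(BENIGN_EVENTS))
```

The Inno Setup stage is deliberately not enough on its own, since every legitimate Inno-built installer produces the same is-XXXX.tmp child with /SL5; the verdict only fires when it is joined by the uninstall, exclusion or self-spawn behaviors the researchers describe.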