Jump to content
  • Beware: Microsoft lookalike fake Windows 11 download website unsurprisingly downloads virus


    Karlston

    • 586 views
    • 3 minutes
     Share


    • 586 views
    • 3 minutes

    Ever since Windows 11 was first announced back in June of 2021, there have been many campaigns aimed at duping people into downloading fake malicious Windows 11 installers. While that activity seemed to die down for a while, it looks like it is back again and this time, the situation is probably much deadlier.

     

    That's because Windows 11 back then was not available to the public but only to Insiders, who are presumably more tech-savvy and informed. However, Windows 11 has since been generally available making it a dangerous scenario nowadays.

     

    A new malware campaign of similar nature was discovered by CloudSEK cybersecurity firm as it noticed a new impostor website that looks like Microsoft's, but in reality, distributes files containing what the researchers are calling "Inno Stealer" malware due to the use of Inno Setup Windows installer. This is a novel stealer malware as no similar sample was found on Virus Total.

     

    The malicious website's URL is "windows11-upgrade11[.]com" and it appears that the threat actors of the Inno Stealer campaign took a page from another similar malware campaign a couple of months ago which was using the same trick to fool potential victims. The last one was already taken down at the time of reporting but the new one is still up so it is advised to readers to trade carefully.

     

    1650309819_widows_11_fake_malware_websit

     

    CloudSEK says that upon downloading the infected ISO, multiple processes are run in the background to neutralize an infected user's system. It creates Windows Command Scripts to disable Registry security, adds Defender exceptions, uninstalls security products, and deletes shadow volumes.

     

    Finally, an .SCR file is created which is the one which actually delivers the malicious payload, in this case, the novel Inno Stealer malware in the following directory of a compromised system:

    C:\Users\\AppData\Roaming\Windows11InstallationAssistant

    The name of the malware payload file is "Windows11InstallationAssistant.scr".

     

    Here is the entire process explained in a diagram:

     

    1650312384_fake_windows_11_upgrade_websi

     

    CloudSEK has identified the following targets, including browsers and crypto wallets, that the Inno info stealer malware is after. These are shown in the image below. First up we have the browsers followed by the crypto wallets:

     

    1650312390_inno_stealer_targets_story.jp

     

    Here is the official link to download Windows from the real Microsoft website. You can also follow reputed news websites like Neowin, among others, as we often link to official Microsoft ISO download pages when they are released by the Redmond firm.

     

    Source and images: CloudSEK via BleepingComputer

     

     

    Beware: Microsoft lookalike fake Windows 11 download website unsurprisingly downloads virus


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...