Warning: fake Microsoft lookalike Windows 11 download site unsurprisingly downloads virus
Since Windows 11 was first announced in June 2021, there have been numerous campaigns to trick people into downloading fake, malicious Windows 11 installers. Now it looks like the trick is back, and this time it is potentially a lot more dangerous.
At the time, Windows 11 was not available to the general public, only to Insiders, who are probably more savvy and knowledgeable. However, Windows 11 has since become generally available, making this a far more dangerous scenario today.
A new malware campaign of a similar nature has been uncovered by cybersecurity firm CloudSEK after it noticed a new impostor website that looks like Microsoft’s but actually distributes files containing what researchers have dubbed the “Inno Stealer” malware, named after its use of the Inno Setup Windows installer. This is a new information-stealing malware, as no similar sample was found on VirusTotal.
The URL of the malicious website is “windows11-upgrade11[.]com”, and it appears that the threat actors behind the Inno Stealer campaign took a page from another similar malware campaign a few months ago that used the same lure against potential victims. That earlier site had already been taken down at the time of reporting, but the new one is still live, so readers are advised to tread with caution.
CloudSEK reports that while the infected ISO is being downloaded, several processes run in the background to weaken the defenses of the infected user’s system. It creates Windows command scripts to disable Registry security, add Defender exceptions, uninstall security products and delete shadow volumes.
Finally, a .SCR file is created, which is the one that actually delivers the malicious payload, in this case the new Inno Stealer malware, in the following directory of a compromised system:
The name of the malware payload file is “Windows11InstallationAssistant.scr”.
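The chain CloudSEK describes (a screensaver-style executable spawning command scripts that add Defender exclusions and wipe shadow copies) is what a defender would want to catch from process-creation telemetry. The following is an added example, not code from the article or from CloudSEK: a small Python detector run over constructed Sysmon-style process records. The command lines are generic illustrations of the behaviours the article names, not the campaign’s actual scripts, which the article does not reproduce.

```python
import re

# Constructed process-creation records (not from the page or CloudSEK's report).
# Only the payload file name, Windows11InstallationAssistant.scr, comes from the article.
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 4001,
     "image": r"C:\Users\victim\Downloads\Windows11InstallationAssistant.scr",
     "cmdline": r"C:\Users\victim\Downloads\Windows11InstallationAssistant.scr /S"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath C:\Users\victim\AppData"'},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4140, "ppid": 4001, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# One rule per defence-weakening behaviour the article attributes to the installer.
# Patterns cover the standard Windows tooling for each action (hypothetical rule set).
RULES = [
    ("defender_exclusion_added", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("security_product_uninstall",
     re.compile(r"wmic\s+product\s+where\b.*\bcall\s+uninstall|msiexec(\.exe)?\s+/x", re.I)),
]

# A parent that is a .scr launched from a user-writable location raises the severity.
SCR_FROM_USER_PATH = re.compile(r"\\(Users|Temp)\\.*\.scr$", re.I)


def find_alerts(events):
    """Return (pid, label) pairs for events whose command line matches a rule.

    The label gets a ':from_scr_child' suffix when the parent process is a
    screensaver executable running out of a user profile or temp directory.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        scr_parent = bool(parent and SCR_FROM_USER_PATH.search(parent["image"]))
        for name, pattern in RULES:
            if pattern.search(e["cmdline"]):
                alerts.append((e["pid"], name + (":from_scr_child" if scr_parent else "")))
    return alerts


if __name__ == "__main__":
    for pid, label in find_alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {label}")
```

The same matching applies unchanged to real Sysmon Event ID 1 or Windows 4688 records once the image, parent and command-line fields are extracted.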
Here is the whole process explained in a diagram:
CloudSEK has identified the following targets, including browsers and crypto wallets, that the Inno information-stealing malware looks for. They are illustrated in the images below: first the browsers, followed by the crypto wallets:
Here is the official link to download Windows from Microsoft’s real website. You can also follow reputable news websites like Neowin, among others, as we often link to the official Microsoft ISO download pages when they are published by the Redmond firm.
Source and images: CloudSEK via BleepingComputer