fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Unofficial Windows 11 Upgrade Installs Info-stealing Malware

Unofficial Windows 11 Upgrade Installs Info-stealing Malware

Hackers are luring unsuspecting users with a fake Windows 11 upgrade that comes with malware that steals browser data and cryptocurrency wallets.

The campaign is currently active and relies on poisoning search results to push a website mimicking Microsoft’s promotional page for Windows 11, to offer the information stealer.

Microsoft offers an upgrade tool for users to check if their machine supports the latest operating system (OS) from the company. One requirement is support for Trusted Platform Module (TPM) version 2.0, which is present on machines that not older than four years.

The hackers are preying on users that jump at installing Windows 11 without spending the time to learn that the OS needs to meet certain specifications.

The malicious website offering the fake Windows 11 is still up at the time of writing. It features the official Microsoft logos, favicons, and an inviting “Download Now” button.

malicious website
Malicious website used in the campaign (windows11-upgrade11[.]com)

If the visitor loads the malicious website via direct connection – download is unavailable over TOR or VPN, they will get an ISO file that shelters the executable for a novel info-stealing malware.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

Threat researchers at CloudSEK have analyzed the malware and shared a technical report exclusively with BleepingComputer.

Infection process

According to CloudSEK, the threat actors behind this campaign are using a new malware that researchers named “Inno Stealer” due to its use of the Inno Setup Windows installer.

The researchers say that Inno Stealer doesn’t have any code similarities to commodity other info-stealers currently in circulation and they have not found evidence of the malware being uploaded to the Virus Total scanning platform.

The loader file (Delphi-based) is the “Windows 11 setup” executable contained in the ISO, which, when launched, dumps a temporary file named is-PN131.tmp and creates another .TMP file where the loader writes 3,078KB of data.

CloudSEK explains that the loader spawns a new process using the CreateProcess Windows API the helps spawn new processes, establish persistence, and plant four files.

Persistence is achieved by adding an .LNK (shortcut) file in the Startup directory and using icacls.exe to set its access permissions for stealthiness.

Creating a process to establish persistence
Creating a process to establish persistence (CloudSEK)

Two of the four dropped files are Windows Command Scripts to disable Registry security, add Defender exceptions, uninstall security products, and delete the shadow volume.

According to the researchers, the malware also removes security solutions from Emsisoft and ESET, likely because these products detect it as malicious.

The third file is a command execution utility that runs with the highest system privileges; and the fourth is a VBA script required to run dfl.cmd.

At the second stage of the infection, a file with the .SCR extension is dropped into the C:\Users\\AppData\Roaming\Windows11InstallationAssistant directory of the compromised system.

Also Read: Data Protection Officer Singapore | 10 FAQs

That file is the agent that unpacks the info-stealer payload and executes it by spawning a new process called “Windows11InstallationAssistant.scr”, the same as itself.

Infection chain
The Inno Stealer’s infection chain (CloudSEK)

Inno Stealer capabilities

The capabilities of Inno Stealer are typical for this kind of malware, including collecting web browser cookies and stored credentials, data in cryptocurrency wallets, and data from the filesystem.

The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo.

Web browsers targeted by Inno Stealer
Web browsers targeted by Inno Stealer (CloudSEK)
Crypto wallets targeted by Inno Stealer
Crypto wallets targeted by Inno Stealer (CloudSEK)

An interesting characteristic of Inno Stealer is that the network management and the data-stealing functions are multi-threaded.

All stolen data is copied via a PowerShell command to the user’s temporay directory, encrypted, and later sent to the operator’s command and control server (“windows-server031.com”)

Malware's communication with the C2
Malware communication with the C2 (CloudSEK)

The stealer can also fetch additional payloads, an action only performed at night time, possibly to take advantage of a period when the victim is not at the computer.

These additional Delphi payloads, which take the form of TXT files, employ the same Inno-based loader that fiddles with the host’s security tools and use the same persistence-establishment mechanism.

Their extra capabilities include stealing clipboard information and exfiltrating directory enumeration data.

Security advice

The whole Windows 11 upgrade situation has created a fertile ground for the proliferation of these campaigns, and this is not the first time that something like that has been reported.

It is recommended to avoid downloading ISO files from obscure sources and only perform major OS upgrades from within your Windows 10 control panel or get the installation files straight from the source.

If an upgrade to Windows 11 is unavailable to you, there’s no point attempting to bypass the restrictions manually, as this will come with a set of downsides and severe security risks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us