IT House news, April 19: according to Neowin, since Windows 11's initial release in June 2021 there have been numerous campaigns designed to lure people into downloading fake, malicious Windows 11 installers. This activity subsided for a while, but it now appears to be making a comeback, this time in a potentially more dangerous form, because Windows 11 is now generally available.

The cybersecurity firm CloudSEK discovered a new campaign of a similar nature. The impostor site looks like the official Microsoft site, but the files it distributes are built with Inno Setup and contain the installer for the “Inno Stealer” malware. This is a novel information-stealing malware; no similar samples were found on VirusTotal.

The URL of the malicious website is “windows11-upgrade11 [.] com”. The Inno Stealer campaign planners appear to have borrowed from another similar malware campaign a few months ago, using the same trick to deceive potential victims.

After the infected ISO is downloaded, several processes run in the background to infect the user's system, CloudSEK said. The malware creates Windows command scripts that disable security protections via the registry, add Windows Defender exclusions, uninstall security products and delete shadow volume copies.

Finally, a .SCR file is created; this is the file that actually delivers the malicious payload, in this case the new Inno Stealer malware, from the following directory on the infected system:

C:\Users\<username>\AppData\Roaming\Windows11InstallationAssistant

The name of the malware payload file is “Windows11InstallationAssistant.scr”.
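To show how the behaviours described above can be spotted in process telemetry, here is an added detection example (not code from the article or from CloudSEK). It runs three rules, for shadow copy deletion, Defender exclusion additions and the reported payload path, over constructed command-line log records; the `timestamp|host|user|cmdline` record format and the sample lines are assumptions for the demo.

```python
import re

# Detection rules: (name, regex applied to the lower-cased command line).
# Covers the behaviours the article attributes to the dropper scripts
# (shadow copy deletion, Defender exclusions) plus the reported payload path.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\s.*-exclusion(path|extension|process)\b")),
    ("inno_stealer_payload_path",
     re.compile(r"appdata\\roaming\\windows11installationassistant\\.*\.scr\b")),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(log_lines):
    """Parse 'timestamp|host|user|cmdline' records (assumed format) and
    return one finding dict per rule hit, in log order."""
    findings = []
    for line in log_lines:
        parts = line.split("|", 3)   # maxsplit keeps pipes inside the command line
        if len(parts) != 4:
            continue                 # malformed record: skip, do not abort the scan
        ts, host, user, cmdline = parts
        for rule in classify(cmdline):
            findings.append({"time": ts, "host": host, "user": user,
                             "rule": rule, "cmdline": cmdline})
    return findings


# Constructed sample telemetry for the demo; not data from the real incident.
SAMPLE_LOG = [
    r"2022-04-18T10:01:02Z|WS-07|alice|cmd.exe /c vssadmin delete shadows /all /quiet",
    r"2022-04-18T10:01:03Z|WS-07|alice|powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming",
    r"2022-04-18T10:01:05Z|WS-07|alice|C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr",
    r"2022-04-18T10:02:00Z|WS-07|alice|notepad.exe C:\Users\alice\notes.txt",
    "not a valid record",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
```

On the sample log the three malicious records each produce one finding and the benign and malformed records produce none; a real deployment would feed the same rules from Sysmon Event ID 1 or EDR process-creation events.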

Here is the whole process explained with a diagram:

CloudSEK has identified the targets of the Inno info-stealing malware, which include browsers and crypto wallets. These are shown in the images below, first the browsers, then the crypto wallets:

The post Security staff discover new fake ‘Microsoft Windows 11 download site’ containing malicious virus installers appeared first on Gamingsym.