This fake Windows 11 update will download malware onto your computer that collects browser data and cryptocurrency wallets

Hackers are tricking users into installing a bogus Windows 11 upgrade that includes malware that collects browser data and cryptocurrency wallets.

The campaign is still running, and it works by poisoning search results to drive traffic to a website that imitates Microsoft’s Windows 11 promotional page and offers the information stealer.

Users can use Microsoft’s upgrade tool to see if their machine is compatible with the company’s most recent operating system (OS). Support for the Trusted Platform Module (TPM) version 2.0, which is found on machines that are less than four years old, is one of the requirements.

The hackers are preying on people who rush to install Windows 11 without first learning that the OS comes with certain requirements.

At the time of writing, the rogue website advertising the fake Windows 11 was still active. It features the official Microsoft logos, favicons, and an inviting “Download Now” button.

If a visitor accesses the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new data-stealing malware.

CloudSEK threat researchers analyzed the malware and shared a technical report exclusively with BleepingComputer.

The process of infection

The threat actors behind this campaign, according to CloudSEK, are using a new malware that has been named “Inno Stealer” because it uses the Inno Setup Windows installer.

According to the researchers, Inno Stealer has no code in common with other currently circulating info-stealers, and there is no evidence of the malware being uploaded to the VirusTotal scanning site.

The “Windows 11 setup” programme provided in the ISO is the loader file (Delphi-based), which, when started, drops a temporary file named is-PN131.tmp and creates another TMP file.

The loader writes 3,078KB of data to the TMP file.

The loader uses the CreateProcess Windows API to help create new processes, establish persistence, and plant four files, according to CloudSEK.

Persistence is achieved by placing a .LNK (shortcut) file in the Startup directory and setting its access rights with icacls.exe.

Two of the four dropped files are Windows Command Scripts that disable Registry security, add Defender exceptions, uninstall security products, and delete the shadow volume.

The malware also disables security solutions from Emsisoft and ESET, according to the researchers, most likely because these products detect it as malicious.

The third and fourth files are a command execution tool that runs with the highest system privileges and a VBA script that is needed to launch dfl.cmd.

During the second stage of the infection, a file with the .SCR extension is dropped into the compromised system’s C:\Users\<username>\AppData\Roaming\Windows11InstallationAssistant directory.

That file is the agent, which unpacks the info-stealer payload and runs it by starting a new process named “Windows11InstallationAssistant.scr,” a copy of itself.
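
The on-disk artifacts described in this section can be checked for on a suspect machine. The Python script below is an added example, not code from CloudSEK or BleepingComputer; it assumes the standard per-user Startup folder location and that dfl.cmd sits somewhere under AppData, neither of which is stated in the report as summarised here.

```python
"""Triage one Windows user profile for the Inno Stealer artifacts named above."""
import os
import sys
from pathlib import Path

# Paths relative to the profile root. STARTUP_DIR is the standard per-user
# Startup folder (assumption: the article does not name the .LNK or its path).
STAGE2_DIR = Path("AppData/Roaming/Windows11InstallationAssistant")
STARTUP_DIR = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def triage_profile(profile):
    """Return a list of (severity, reason, path) tuples for one profile."""
    profile = Path(profile)
    findings = []

    # Second stage: the .SCR agent in the fake "installation assistant" folder.
    stage2 = profile / STAGE2_DIR
    if stage2.is_dir():
        findings.append(("high", "stage-2 directory present", stage2))
        for f in sorted(stage2.iterdir()):
            if f.suffix.lower() == ".scr":
                findings.append(("high", ".scr file in stage-2 directory", f))

    # Persistence: the shortcut name is unknown, so list every .LNK for review.
    startup = profile / STARTUP_DIR
    if startup.is_dir():
        for f in sorted(startup.iterdir()):
            if f.suffix.lower() == ".lnk":
                findings.append(("review", "shortcut in Startup folder", f))

    # dfl.cmd: drop location is not given, so search AppData by file name
    # (assumption). os.walk skips unreadable directories instead of raising.
    for root, _dirs, files in os.walk(profile / "AppData"):
        for name in files:
            if name.lower() == "dfl.cmd":
                findings.append(("high", "dfl.cmd present", Path(root) / name))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [profile_dir]; defaults to the current user's profile.
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home()
    results = triage_profile(target)
    for severity, reason, path in results:
        print(f"[{severity}] {reason}: {path}")
    sys.exit(1 if any(s == "high" for s, _, _ in results) else 0)
```

Shortcuts in Startup are reported as "review" because legitimate software also places .LNK files there; only the stage-2 directory, its .scr file and dfl.cmd are treated as high-confidence hits.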

Capabilities of the Inno Stealer

Inno Stealer’s capabilities are typical of this type of malware, including the ability to collect web browser cookies and credentials, data from cryptocurrency wallets, and data from the disk.

Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo are among the browsers and crypto wallets that have been targeted.

The network management and data-stealing functionalities of Inno Stealer are multi-threaded, which is a unique feature.

All stolen data is copied to the user’s temporary directory through a PowerShell command, encrypted, and then sent to the operator’s command and control server (“”).

The stealer can also fetch extra payloads, which it does solely at night, potentially to take advantage of the victim’s absence from the computer.

These additional Delphi payloads, which are TXT files, use the same Inno-based loader that tampers with the host’s security tools, and they use the same persistence technique.

They also have the ability to grab clipboard data and exfiltrate directory enumeration data.

Advice about safety

The whole Windows 11 upgrade situation has produced fertile ground for the spread of these campaigns, and this isn’t the first time such a campaign has been reported.

Avoid downloading ISO files from unknown sites. Instead, perform major OS upgrades through the Windows 10 control panel or obtain the installation files directly from the source.

If you can’t update to Windows 11, there’s no point in attempting to circumvent the restrictions manually, as this comes with a slew of drawbacks and serious security risks.

This news piece was made with inputs from BleepingComputer.