Malicious sites offering bogus software, overpriced services, fake updates and the like are common on the Internet. They count on users believing the fake offer and installing whatever the site serves, malware included. Security researchers have just discovered one such site: it poses as a Windows 11 upgrade and instead installs malware that steals cryptocurrency wallets and data from the Web browser.
The malware is called Inno Stealer and is hosted on a website that imitates a Microsoft page promoting Windows 11 and offers a fake upgrade. Users who visit the site are served an ISO file containing the info-stealer. To persist on the affected machine, Inno Stealer adds an .LNK file to the Startup directory, and it uses icacls.exe to set the permissions on its dropped files so that they stay out of sight.
Besides deleting the Volume Shadow Copies, Inno Stealer adds Windows Defender exclusions and disables security products and the Registry's protections by dropping two Windows Command scripts. It then carries out the tasks its operators programmed it for:
- Collect information from cryptocurrency wallets
- Collect information from system files
- Collect stored credentials
- Collect Web browser cookies
The collected data is written to the user's temporary directory, encrypted and sent to the developers' command-and-control server.
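Defenders who want to catch the chain of behaviours described above (an .LNK dropped into the Startup folder, icacls.exe changing permissions under a user profile, shadow copy deletion, Defender exclusions and Registry lockdown issued from dropped .cmd scripts) can look for them in process-creation and file-creation telemetry. The following Python script is an added example written for this page, not code from the article or from the malware analysis it summarises. It runs a small set of detection rules over constructed, made-up Sysmon-style events and then correlates the hits. The concrete command lines (vssadmin delete shadows, Add-MpPreference -ExclusionPath, the DisableRegistryTools Registry value, the file names and paths) are assumptions about how these behaviours commonly show up on a host, not indicators taken from Inno Stealer samples.

```python
import re

# Constructed sample telemetry (simplified Sysmon Event ID 1 / Event ID 11 style).
# These lines are made up for illustration; they are not real Inno Stealer artefacts.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\scr1.cmd"'},
    {"id": 2, "type": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 3, "type": "process",
     "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming"'},
    {"id": 4, "type": "process",
     "cmdline": r'icacls.exe "C:\Users\alice\AppData\Roaming\hypothetical_dir" /grant Everyone:F /T'},
    {"id": 5, "type": "process",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"},
    {"id": 6, "type": "process", "cmdline": "explorer.exe"},  # benign noise
    {"id": 7, "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
]

# Process-creation rules: one regular expression per behaviour named in the write-up.
# The exact command forms are assumptions about common tooling, not sample-derived IOCs.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("defender_exclusion",
     re.compile(r"(Add|Set)-MpPreference\s+-Exclusion|Windows Defender\\Exclusions", re.I)),
    ("icacls_on_user_profile",
     re.compile(r"icacls(\.exe)?\s+\"?[A-Z]:\\Users\\", re.I)),
    ("registry_tools_disabled",
     re.compile(r"reg(\.exe)?\s+add\s+.*DisableRegistryTools.*/d\s+1", re.I)),
    ("cmd_script_from_temp",
     re.compile(r"cmd(\.exe)?\s+/c\s+\"?[A-Z]:\\Users\\[^\"]*\\Temp\\[^\"]*\.cmd", re.I)),
]

# File-creation rule: a shortcut written into a per-user Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def classify_event(event):
    """Return the names of every rule the event triggers (empty list if nothing fires)."""
    hits = []
    if event["type"] == "process":
        for name, pattern in PROCESS_RULES:
            if pattern.search(event["cmdline"]):
                hits.append(name)
    elif event["type"] == "file":
        if STARTUP_LNK.search(event["path"]):
            hits.append("startup_lnk_persistence")
    return hits


def scan(events):
    """Map each triggered rule to the ids of the events that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify_event(ev):
            findings.setdefault(rule, []).append(ev["id"])
    return findings


def is_stealer_like(findings, min_rules=3):
    """Correlate rather than alert per event: any single rule (an admin deleting
    shadow copies, a packager calling icacls) has benign explanations, but
    persistence plus defence evasion plus backup destruction on one host in
    one session is the pattern described for Inno Stealer."""
    return len(findings) >= min_rules


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for rule, ids in result.items():
        print(f"{rule:28s} events {ids}")
    print("stealer-like chain:", is_stealer_like(result))
```

The rules are deliberately narrow so the example stays readable; in production you would key on the originating process (a .cmd spawned from a user's Temp directory firing all of these within seconds) and the user context, and tune the threshold in `is_stealer_like` against your own baseline.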
Inno Stealer is a reminder that downloading software or updates from unverified, unfamiliar sources is a bad idea that can land the user in serious trouble. Windows upgrades in particular should only be obtained through Windows Update or Microsoft's own site, never from a third-party page offering an ISO.