Beware of fake Windows 11 upgrade: it can be malware that steals data from browsers and crypto wallets
India Today
Cybersecurity experts have found a new hacking campaign that spreads information-stealing malware under the pretext of a Windows 11 upgrade. Here is how you can guard against it.
Hackers are targeting Windows 11 systems with a new campaign that tricks their users into downloading and installing malware. Once on a target system, the malware is able to collect web browser cookies and other stored credentials, including data from cryptocurrency wallets as well as the file system.
The malware has been discovered by cybersecurity researchers at CloudSEK. Since it uses the Inno Setup Windows installer to establish itself on a system, the malware has been named “Inno Stealer.” In a technical report shared with BleepingComputer, the researchers mention that the Inno Stealer does not have any code similarities to other information-stealing malware of its kind.
Since its discovery, security researchers have raised the alarm about the malware, as it has an extensive list of targeted browsers and cryptocurrency wallets. The browsers targeted by Inno Stealer include Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. The malware is able to steal the cookies and credentials stored in these web browsers and send them back to the hacker.
An added risk is posed by the fact that the malware allows hackers to fetch additional payloads onto a system. The report notes that this action is only performed at night when the victim is not likely to be at the computer. The new payloads, in the form of TXT files, are then able to further suppress the security protocols on a system. Inno Stealer is then able to steal clipboard information and exfiltrate directory enumeration data.
Since late last year, Microsoft has been rolling out Windows 11 as a free upgrade to Windows systems. However, the latest version of Windows comes with a set of hardware requirements that some old systems do not meet. The Inno Stealer malware campaign has been designed to target users who do not pay attention to these criteria and try to find ways to run Windows 11 on their systems.
To make it work, the threat actors poison search results on web browsers, in order to promote a malicious website that mimics an official Windows 11 page by Microsoft. The site has been laden with several components to make it believable to untrained eyes, including Microsoft logos, icons, and a “Download Now” button.
If an unsuspecting user attempts to download the “Windows 11 upgrade,” they get an ISO file that contains the executable malware file. The set of files then acts to establish the malware on the system as well as hide its presence by disabling security protocols.