Posted on April 19, 2022 at 7:06 PM
Threat actors are increasingly looking for avenues to plant malware and disrupt network operations to make financial gains through ransoms and other means.
And as cybersecurity intensifies, the bad actors regularly upgrade their attack methods and level of sophistication.
Since the COVID-19 pandemic started over two years ago, cybercriminals have devised more ways to exploit vulnerabilities, especially in computer systems and devices used remotely to connect to company servers. Some of the bad actors target their victims via phishing websites that offer fake promotional items and steal users’ account details in the process.
Now, a recent report revealed that threat actors are using a fake Windows 11 upgrade that comes bundled with malware to steal cryptocurrency wallets and browser data.
Attackers Are Taking Advantage Of User’s Lack Of Diligence
Security researchers say the campaign is ongoing and poisons search results to send victims to a website impersonating Microsoft’s Windows 11 promotional page, which delivers the information stealer.
The bad actors are taking advantage of users who are quick to install Windows 11 without taking the time to learn that the OS has specific hardware requirements.
At the time of writing, the malicious website offering the fake Windows 11 has not been taken down. It is made to look genuine: it features the official Microsoft logo and a “Download Now” button.
CloudSEK researchers, who initially discovered the issue, stated that the malware is part of a campaign that uses fake domains to host the payload deployed to the user’s computer system or device.
The Researchers Discovered Fake Domains Hosting Windows 11 Upgrade
Windows 11 was officially made available in October 2021. Soon after it was rolled out, hackers started targeting the operating system. Even while it was still in beta, threat actors were already targeting users by offering Windows 11 upgrades. Last year, a cybersecurity outfit discovered a Windows 11-themed malware campaign that targeted users.
Apart from this latest development, threat actors have continuously used malware posing as Windows upgrades to target users. Windows 10 has suffered, and is still suffering, similar upgrade-themed attacks. Following the rampant attacks on targeted Windows users, Microsoft issued a security advisory warning that cybercriminals could reach out to them with fake Windows 10 upgrade offers. The tech giant warned that users who open the attachment sent by email could be infecting their systems with malware.
The latest stealer malware was discovered by CloudSEK researchers. They disassembled the malware and reverse-engineered its infection and attack process to properly understand its payload injection and installation.
According to the researchers, the malware is written in Delphi, while its binary was coded in Visual Basic before being compiled into an executable. The threat actors used an open-source Batch obfuscator to obscure the malware code and Inno Setup 6.1.0 as the loader’s installer.
While scanning the internet for real-time threats, the CloudSEK researchers uncovered a bogus domain hosting a Windows 11 update. After further analysis, they found that the domain was being used to deploy stealer malware on users’ systems.
The Attackers Lure Users Using SEO Poisoning
The main discovery showed that the threat actors are luring users to a bogus Windows 11 upgrade with SEO poisoning tactics. The fake site, according to the researchers, directs users to download the malicious file masquerading as the Windows 11 upgrade. Once the unsuspecting user downloads the malicious file, multi-stage malware is launched on the system.
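A pre-execution check for the download step described above, as an added example that is not from the article or from CloudSEK: it verifies that a file offered as a Windows 11 upgrade came from a microsoft.com host, carries a valid Authenticode signature issued to Microsoft, and is not an Inno Setup package like the loader the researchers describe. The host allow-list and the Inno Setup string heuristic are assumptions of this example.

```powershell
# Added example (not the article's or CloudSEK's code): vet a supposed Windows 11
# installer before it is allowed to run. Returns an object with Verdict and Reason.
function Test-TrustedWindowsInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $SourceUrl   # optional: the URL the file was downloaded from
    )

    function Verdict([string] $v, [string] $why) {
        [pscustomobject]@{ Path = $Path; Verdict = $v; Reason = $why }
    }

    # 1. Download origin. Genuine Windows media is served from microsoft.com hosts;
    #    anything else (e.g. a look-alike promo domain) is rejected outright.
    #    The allow-list is an assumption of this example, not an exhaustive list.
    if ($SourceUrl) {
        $hostName = ([System.Uri]$SourceUrl).Host.ToLowerInvariant()
        if ($hostName -ne 'microsoft.com' -and -not $hostName.EndsWith('.microsoft.com')) {
            return Verdict 'Untrusted' "downloaded from $hostName"
        }
    }

    # 2. Authenticode. The signature chain must validate AND the leaf certificate must
    #    belong to Microsoft; a valid signature from an arbitrary signer is not enough.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return Verdict 'Untrusted' "signature status $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return Verdict 'Untrusted' "signed by $($sig.SignerCertificate.Subject)"
    }

    # 3. Packaging heuristic (assumption): Microsoft does not ship Windows upgrades as
    #    Inno Setup installers, so the setup-data marker string is a red flag.
    $ascii = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    if ($ascii.Contains('Inno Setup Setup Data')) {
        return Verdict 'Untrusted' 'packaged with Inno Setup'
    }

    return Verdict 'Trusted' 'microsoft.com origin, valid Microsoft signature'
}

# Usage: run against the downloaded file and block execution unless Verdict is Trusted.
# Test-TrustedWindowsInstaller -Path "$env:USERPROFILE\Downloads\Windows11Upgrade.exe" `
#                              -SourceUrl 'https://example.invalid/windows-11-download'
```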
The crypto stealer proceeds to steal users’ data irrespective of the browser on the targeted system. This means that once the malware is on the system, all critical information about the user’s cryptocurrency wallet can be stolen.
The malware then encrypts the stolen data and delivers it to the attacker’s command-and-control (C2) server. With remote and hybrid work still common across many regions, many employees want to upgrade to Windows 11 to make sure their work is not interrupted.
The threat actors see an opening among hybrid and remote workers who may be using personal devices for their updates. This is where the attackers want to strike to get into users’ computer systems or devices.
Although Microsoft will keep adding security features, as has always been the case, employees remain very vulnerable. Some of them are not very vigilant when trying to upgrade to Windows 11, which exposes them to greater risk of exploitation and attack.