Fake Windows upgrade website delivering information stealer malware

Cybercriminals are a menace to society and organizations as they continue to find new ways to infiltrate their victims. In the two years since the COVID-19 pandemic began, cybercriminals have pounced on vulnerabilities, especially among those working remotely, to launch their attacks.

Some cybercriminals have been targeting victims through various phishing websites. These sites offer promotional items and similar lures, then steal victims’ funds and credentials once the victims submit the relevant information.

Now, CloudSEK researchers have uncovered a multi-stage information stealer malware targeting Windows users and stealing their data from browsers, crypto wallets, and other sources. The malware is part of a campaign that uses fake domains to host the payload, which is deployed to the victim’s machine via an ISO file masquerading as a Windows 11 upgrade.

Windows 11 is the latest major Microsoft Windows operating system and was officially made available in October 2021. Even during its beta period, cybercriminals were already targeting victims by offering Windows 11 upgrades. Last year, a Windows 11-themed malware campaign was also discovered by another cybersecurity firm.

This is also not the first time malware has posed as a Windows upgrade to target victims. Microsoft previously issued a security advisory on cybercriminals reaching out to victims via emails that claim to carry a Windows 10 upgrade. The attachment in these emails contains ransomware and other malware, which are activated once a victim opens the attachment.

CloudSEK researchers disassembled the latest stealer malware and reverse-engineered the entire infection process for a better understanding of its installation and payload injection. The malware is built using the Delphi programming language, and the binary used in it is coded in Visual Basic before being converted into executables. The attacker used Inno Setup 6.1.0 as the installer for this loader, and an open-source Batch obfuscator is employed to obscure the malware code.

The malicious domain spreading the malware. (Source – CloudSEK)

While scanning the internet for real-time cyber threats, CloudSEK’s XVigil discovered a fake domain allegedly hosting a Windows 11 update. Upon further analysis, CloudSEK researchers found that the domain was being used to deploy stealer malware on users’ machines.

The key findings showed the threat actors using SEO poisoning to lure users to a fake Windows 11 upgrade site. The site directs users to download a malicious file that masquerades as the Windows 11 upgrade. This launches multi-stage malware on the target system. The crypto stealer malware then steals the users’ data from all major browsers on their system, along with crypto-wallet contents and other data.

“The stolen data is encrypted and delivered to a C2 server hosted by the attacker (most probably the creator of the malware). Our researchers were able to capture the network communications between the compromised system and the C2 server,” said CloudSEK researchers.
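The delivery step described above (a fake site serving a disk image that poses as the Windows 11 upgrade) can be hunted for in web proxy logs. The following is an added example, not code from CloudSEK or the article; the log format, the trusted-domain list, and all hostnames and filenames are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this organisation accepts for Windows media downloads.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
DISK_IMAGE = re.compile(r"\.(iso|img|vhd|vhdx)$", re.IGNORECASE)
LURE = re.compile(r"win(dows)?[\W_]*1[01]|upgrade|update", re.IGNORECASE)

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-04-20T09:14:02Z 10.0.4.17 GET https://software-download.microsoft.com/db/Win11_English_x64.iso 200
2022-04-20T09:15:40Z 10.0.4.23 GET https://windows11-upgrade.example/files/Windows11InstallationAssistant.iso 200
2022-04-20T09:16:11Z 10.0.4.23 GET https://microsoft.com.win-upgrade.example/Win11_Setup.ISO?src=search 200
2022-04-20T09:17:55Z 10.0.4.31 GET https://mirror.example/linux/debian-11.3.0-amd64-netinst.iso 200
2022-04-20T09:18:03Z 10.0.4.31 GET https://windows11-upgrade.example/index.html 200
"""

def is_trusted(host):
    """Match trusted domains on a label boundary, never by substring,
    so lookalikes such as microsoft.com.<other-domain> do not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_downloads(log_text):
    """Return (client, host, filename) for upgrade-themed disk images
    fetched successfully from hosts outside the trusted list."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[4] != "200":
            continue
        _, client, _, url, _ = fields
        parts = urlsplit(url)
        host = parts.hostname or ""
        filename = parts.path.rsplit("/", 1)[-1]  # query string is excluded
        if not DISK_IMAGE.search(filename) or is_trusted(host):
            continue
        if LURE.search(filename) or LURE.search(host):
            hits.append((client, host, filename))
    return hits

if __name__ == "__main__":
    for client, host, filename in suspicious_downloads(SAMPLE_LOG):
        print(f"ALERT {client} downloaded {filename} from untrusted host {host}")
```

The unrelated Linux ISO and the HTML page are ignored, while the lookalike host that merely begins with `microsoft.com` is flagged.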

With hybrid and remote work still being practiced in some countries, and with employees returning to the office as well, many employees will be looking to upgrade Windows to minimize disruption at work and stay current with the latest updates. While organizations can oversee upgrades in the office, remote and hybrid workers using personal devices for work may not be as secure as they are supposed to be.

According to David Weston, Vice President, Enterprise and OS Security at Microsoft, in 2021, protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 have blocked more than 9.6 billion malware threats, more than 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack enterprise customers by brute-forcing stolen passwords. This is more than 800 password attacks per second.

“In a future release of Windows 11, you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software. Microsoft has made groundbreaking investments to help secure our Windows customers with hardware security innovations like Secured-core PCs,” commented Weston.

While Microsoft may be adding more security features, the reality is that employees are still vulnerable to cyberattacks like the one exposed by CloudSEK. Users need to be more vigilant when looking to upgrade their software and operating systems, while businesses also need to ensure that their employees, especially remote and hybrid workers, are well secured when working and when upgrading their software and devices.