Fake Windows Installers Used to Distribute Information Stealing Malware
In October 2021, Microsoft launched its latest operating system – Windows 11 – and cybercriminals were quick to take advantage, offering free Windows 11 upgrades as a lure to trick people into installing malware.
Windows 11 has not been a roaring success so far. According to data from the IT asset management solution provider Lansweeper, on April 4, 2022, only 1.44% of corporate and personal devices had Windows 11 installed, which is less than the number that have Windows XP installed, for which support stopped being provided in 2014.
One of the main issues with Windows 11 is the stringent hardware compatibility requirements. One of the requirements for a Windows 11 upgrade is for devices to support Trusted Platform Module (TPM) version 2.0, which means any devices over 4 years old will not be able to have Windows 11 installed unless the hardware is upgraded.
Microsoft offers a tool on its website that will check whether a device has the hardware to support an upgrade to Windows 11, but any user who has not visited the official Microsoft website is unlikely to be unaware of the hardware restrictions, and it is those individuals who are being targeted and tricked into installing malware.
Malware is often distributed via peer-2-peer file-sharing networks and warez sites that offer pirated software, either packaged with the software installers or with the product activators and cracks that are used to generate valid licenses; however, the fake Windows installers are being pushed through search engine poisoning.
Search engine poisoning, also known as SEO poisoning, is the creation of malicious websites and the use of search engine optimization techniques to get the websites to appear high in the organic search engine listings for certain search terms. In this case, search terms related to Windows 11 downloads.
When a user enters a search string into Google, the malicious website appears in the listings. A variety of domains are used in the campaigns that at first glance appear to be legitimate, windows11-ugrade11.com being one example. The landing page on these websites include the Microsoft logo and menus and an attractive Get Windows 11 screen with a Download Now button.
One campaign has been identified that delivers a novel malware variant dubbed Inno Stealer, which is installed by an executable file in the downloaded ISO file. Inno Stealer can steal web browser cookies, passwords stored in browsers, data from the filesystem, and data in cryptocurrency wallets. Other malware variants are also being distributed using similar tactics. Fake windows installers have also been distributed via phishing emails. One campaign delivers Qbot malware via a password-protected ZIP file that contains a malicious MSI installer.
Spam filtering solutions can be used to block malware delivery via phishing emails; however, to block malware downloads from web browsing, a web filter is required. WebTitan is a DNS-based web filter that incorporates advanced DNS filtering controls to block access to malicious websites and prevent malware downloads.
WebTitan is fed threat intelligence from a network of 650 million worldwide users. Newly identified threats are immediately propagated to database deployments worldwide to provide coverage and protection against emerging, zero-hour threats. The solution can also be configured to block attempts by users to download file types often associated with malware, such as ISO and MSI files. WebTitan can handle any volume of usage with no latency, so users will be unaware that content is being filtered until they encounter a threat and are informed by WebTitan that the threat has been blocked.
If you want to improve your defenses against malware and phishing attacks via the Internet, contact TitanHQ today to find out more about WebTitan. Product demonstrations can be arranged on request and the full product is available on a free trial (with full support) to allow you to see for yourself how effective it is at blocking threats and how easy it is to install, set up, and use.