Early adopters seeking a premature peek of Windows 11 via unauthorized channels may be in for a nasty surprise — a dose of malware.
Kaspersky Lab on Friday reported that an unofficial installer is in the wild that promises to install the next version of Microsoft’s ubiquitous operating system on a user’s computer — but actually contains a malicious payload.
One example cited by Kaspersky contains an executable file called 86307_windows build 21996.1 x64 + activator.exe. Adding to the file’s credibility is its size: 1.75 gigabytes. However, most of the file is made up a single DLL file stuffed with useless information.
In the Kaspersky Daily blog, Anton V. Ivanov, the company’s vice president of threat research, explained that opening the file starts an installer that looks like an ordinary wizard familiar to any Windows user. The purpose of this installer, though, is to download a second executable file.
That file — download manager for 86307_windows 11 build 21996.1 x64 + activator — offers a simulacrum of authenticity by asking a user to approve a licensing agreement to install some sponsored software on their machine.
“If you accept the agreement, a variety of malicious programs will be installed on your machine,” Ivanov wrote.
“Those other programs can be very wide ranging — from relatively harmless adware, which our solutions classify as not-a-virus, to full-fledged Trojans, password stealers, exploits, and other nasty stuff,” he added.
Offering a user a free installer for Windows 11 is a perfect announcement for a social engineer, maintained Tom Brennan, chairman of Crest USA, a global not-for-profit cybersecurity accreditation and certification body.
“It’s like ‘Did you see what happened at the Olympics last night when so-and-so did such-and-such. People will click on it,” he told bluehillco.
Windows has a history of attackers creating malicious installs of its operating system, noted Leo Pate, a consultant with nVisium, an application security provider in Herndon, Va.
“Hackers do this in order to create backdoors into a user’s machine,” he told bluehillco. “By introducing this backdoor, attackers are able to control all aspects of a Windows user’s environment, resulting in a full loss of privacy.”
Jon Clay, vice president of threat intelligence at Trend Micro, a global cybersecurity company, added that disguising malware as a software installer is a tried-and-true technique for infecting computers.
“With Microsoft coming out with a new version of Windows, this is a big deal,” he told bluehillco. “This news will be used by malicious actors in their attacks moving forward, as many people will want to check it out.”
“This kind of thing has happened for years,” added Andrew Barratt, managing principal for solutions and investigations at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services.
“Back in the old days it was dodgy game; installers or keygens that were used by those making illegal copies of software,” he told bluehillco. “They always ran the risk that their downloads were being wrapped with malware — often trojans or other spyware.”
To some extent, Microsoft may be contributing to the willingness of some enthusiastic users to download Windows 11 from sketchy sources.
“Microsoft has placed safeguards around people attempting to upgrade their machines to the latest platform version,” Pate explained. “If their machines don’t meet certain requirements, Microsoft won’t allow them to upgrade those machines.”
Among those requirements is the use of an Intel 8th generation or AMD Zen 2 processor or better, which has created anxiety about upgrading to Windows 11 among many owners of older machines.
“Because of this, users will look for other places where they can receive this upgrade,” Pate said. “It’s in these places where attackers will willingly provide the software that Microsoft won’t – along with their own backdoors, of course.”
In addition, there are always users looking for ways to save money when it’s time to upgrade. “If they are tricked that there is a cost to upgrade, and they can save money by downloading some software, they’ll download the software,” he noted.
He added that consumers are more likely to be tempted to go outside authorized channels for an upgrade than businesses.
“Corporate America typically will wait six to 12 months before deployment and after testing of all associated applications that run on it and drivers,” he said. “The home user typically wants new and shiny stuff right away so they can be a victim of such a ruse.”
Some users who ought to know better may also be inclined to take shortcuts to obtain Windows 11. “There is a large tech enthusiast community who will want to be getting their hands on this to learn about, critique and find flaws in it — some of whom are probably IT professionals without access to the official beta or test copies,” Barratt observed.
Secure Supply Chain
In recent months, malicious actors have successfully compromised software upgrades to spread their malware throughout a company’s customers in so-called supply-chain attacks. That’s not the case with this installer.
“I don’t believe this is an example of a supply chain attack, as Microsoft would need to have their codebase compromised, which generally results in users downloading malicious platform upgrades through legitimate Windows services,” Pate explained.
“At this time, I haven’t heard of Microsoft’s codebase being weakened or affected by this development,” he added.
Mark Kedgley, CTO of New Net Technologies, a Naples, Florida-based provider of IT security and compliance software, agreed. “I wouldn’t describe this as a supply chain attack because the genuine Microsoft supply chain hasn’t been infiltrated,” he said. “Instead, this is a malware producer exploiting the demand for ‘cracked’ Windows licenses.”
Ironically, upgrading to Windows 11 is supposed to improve the security of machines running the operating system.
“The new added hardware requirements for Windows can provide protections against some specific attack scenarios when correctly configured,” observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“Windows as a whole will still encounter the usual exportability risks as attackers find new methods of hacking into the system,” he told bluehillco.
“Microsoft’s operating systems will constantly be targeted with exploits of any new vulnerabilities found within the code. That is a fact,” Clay added.
“Microsoft continues to improve their code and try to minimize bugs, but this is difficult when you look at the amount of code within Windows 10 or 11,” he said.