Executive Report

It is quite natural to get prompts from software manufacturers saying you need to update your installed apps every so often for better security or to fix bugs. But you should know, too, that threat actors often use program update notifications as malware distribution vehicles. Case in point, the fake Windows 11 update currently making the rounds that is actually a data stealer.

The malware in this case steals confidential information from affected users’ web browsers, including stored passwords; other files; and cryptocurrency wallets. We took a closer look at the threat and found:

• Close to 200 possibly connected domains
• Around 300 possibly connected subdomains
• 85% of the possibly connected domains and subdomains were not owned by Microsoft even if they contained the Windows brand name
• Windows 7 users were most at risk as 13% of the suspicious domains contained the string “windows7”
• Almost 200 possibly connected IP addresses, about a tenth of which were dubbed “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Look at Possible Connections

Only a couple of web properties have been identified as indicators of compromise (IoCs) for this ongoing campaign, specifically the domain name windows11-upgrade11[.]com and IP address 185[.]215[.]113[.]73.

We believe in expanding IoC lists to enable organizations to secure their networks as best they can against all kinds of threats.

Using the string combination “windows11 + upgrade,” following the domain IoC’s format, a Domains & Subdomains Discovery analysis revealed four possibly connected domains and two subdomains. Widening the scope of our investigation, however, to include all Windows OS versions, we also gathered web properties with the string combination “windows + upgrade.” That search gave us an additional 162 domains and 298 subdomains, bringing the total to 166 possibly connected domains and 300 subdomains. You can see the list in the appendix.

As expected, a huge majority of the web properties, 110 or 85% to be exact, containing the Windows brand name were not Microsoft-owned based on the details on their WHOIS records.

We also looked at the Windows operating systems (OSs) most at risk and found that Windows 10 users may be most at risk, given that the OS posted the highest number of domains, followed by Windows 7 and Windows 8.

Some of the domains also targeted not just the users of Microsoft’s OSs but also commonly used applications, such as Windows Media Player. A majority of them, however, 56% to be exact, were less discriminatory in that they only contained the string “windows,” a means to widen the potential victim base.

To further expand our list of artifacts, we subjected the 466 web properties to DNS lookups, which provided 186 IP addresses to which the domains and subdomains resolved. You can see these IP addresses in the appendix as well.

While none of the domains and subdomains are considered harmful for now, threat actors could easily weaponize them to target Windows OS users with the same ruse they’re using for Windows 11.

Interestingly, however, 17 of the IP address resolutions were dubbed “malicious” by various malware engines according to malware checks via the Threat Intelligence Platform (TIP). These are:

• 15[.]197[.]142[.]173
• 3[.]33[.]152[.]147
• 35[.]186[.]238[.]101
• 99[.]81[.]40[.]78
• 91[.]195[.]240[.]87
• 81[.]17[.]18[.]197
• 34[.]98[.]99[.]30
• 45[.]88[.]202[.]115
• 13[.]248[.]216[.]40
• 54[.]209[.]32[.]212
• 52[.]71[.]57[.]184
• 91[.]250[.]81[.]8
• 103[.]224[.]182[.]210
• 208[.]91[.]197[.]46
• 104[.]16[.]161[.]215
• 192[.]0[.]78[.]13
• 199[.]60[.]103[.]228

Steering clear of these malicious web properties and watching out for similar-looking ones (i.e., the possibly connected domains and subdomains) will afford your organization better security against fake OS updates.

If you wish to perform a similar investigation, please don’t hesitate to contact us on www.threatintelligenceplatform.com, we’re always on the lookout for potential research collaborations.