Updating the PC operating system is a routine operation that we carry out without thinking much about it. Cyber criminals are aware of this, and for this reason they have devised a new attack that targets Windows 11 users. The malicious campaign starts from a website that imitates Microsoft’s official support, using a technique called typosquatting: registering domains very similar to legitimate ones to deceive the user, then using these malicious web pages to spread malware. Let’s see how this deception, made known by the experts at Malwarebytes, makes the trap set by the criminals potentially effective.
How the attack works
At the center of the attack is the microsoft-update(.)support domain (which appears to be offline at the time of writing). This page offers the download of what appears to be in all respects a cumulative update for Windows 11, complete with an identification code, which makes the bait particularly credible. This is a central aspect of the strategy adopted by hackers. In fact, the attack begins with something that, at first glance, does not arouse any suspicion. The graphics are refined, the language is consistent with that of the user and a clear invitation appears to download an update that seems innocuous, if not necessary.
If the user decides to proceed, they download a file – WindowsUpdate 1.0.0.msi – with the MSI extension, a standard Windows installation package. Precisely because these types of files are generally considered legitimate tools, the operation will not generate immediate suspicion. This helps build trust and reduce the likelihood that the user will abort the installation.
Once the file is opened, an installation procedure starts that is very similar to the ones we are used to on Windows. There are no error signals or strange behaviors that might suggest a problem of some kind, much less the installation of malicious software. It is precisely during this phase that the crucial step occurs: together with the alleged update, a hidden program, designed to remain invisible, is introduced into the system. This program immediately adopts a “camouflage” strategy. It appears as a normal component of the operating system and is configured to start automatically every time we turn on the computer. In this way it manages to remain active over time without attracting attention.
After installation, it goes into action by collecting information from your device. We are talking about sensitive data such as saved passwords, account access and, in some cases, even payment details. Everything happens in the background, without notifications or signals visible to the user. This information is then sent to servers controlled by the attackers. This step is also designed to go unnoticed, because the traffic generated may appear similar to normal system activity.
The reason why this type of attack is difficult to detect lies precisely in its construction: each phase, taken individually, appears legitimate. The initial file does not appear to be dangerous, the installation behaves as expected, and the system continues to function normally. Even some security tools may not detect immediate anomalies.
How to protect yourself from Windows 11 malware
What should you do to defend yourself from the malware in question? To prevent the attack, simply follow these three points.
- Be wary of web pages that imitate Microsoft ones: analyze the URL of the site you are on (or that has been linked to) and, if it does not end in “microsoft.com”, it certainly does not belong to Microsoft.
- Check for updates: If you receive an email, text message or some other type of communication inviting you to install an urgent update, do not click on the link in the message. Check for the presence of the update by going to the Settings > Windows Update section.
- Activate automatic updates: this way you won’t even have to worry about following the suggestion contained in the previous point and, as the security experts at Malwarebytes note, this will «eliminate the need to manually download updates, reducing the risk of installing a fake update».
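
The URL check from the first point, written as an added example (not code from Malwarebytes or from the original article): it compares the parsed hostname, rather than the raw text of the link, against microsoft.com, so that lookalike forms fail the check. The function names and every sample URL except the campaign domain quoted above are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "microsoft.com"  # the suffix the article tells readers to look for


def refang(url: str) -> str:
    """Undo common defanging such as 'example(.)com' or 'hxxps://'."""
    url = url.replace("(.)", ".").replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def is_microsoft_host(url: str) -> bool:
    """True only if the URL's host is microsoft.com or a subdomain of it."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url          # bare hostnames: assume https
    try:
        host = urlsplit(url).hostname   # drops userinfo, port, path and query
    except ValueError:                  # malformed authority, e.g. bad brackets
        return False
    if not host:
        return False
    host = host.lower().rstrip(".")     # normalise case and a trailing root dot
    # Compare on a label boundary: "notmicrosoft.com" must not pass.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample URLs, apart from the campaign domain quoted in the article.
SAMPLES = [
    "https://support.microsoft.com/windows",        # genuine subdomain
    "microsoft-update(.)support",                   # campaign domain, defanged
    "https://microsoft.com.updates.example/kb",     # trusted name used as a prefix
    "https://notmicrosoft.com/download",            # suffix without a label boundary
    "https://microsoft.com@updates.example/",       # trusted name in the userinfo part
    "https://updates.example/?ref=microsoft.com",   # trusted name in the query string
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "microsoft.com" if is_microsoft_host(sample) else "NOT microsoft.com"
        print(f"{verdict:18} {sample}")
```

Only the first sample passes; the others contain the text “microsoft.com” somewhere in the link but resolve to a different host.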









