Windows 10 users should beware of fake Windows 11 installers that are used to spread information-stealing RedLine malware.
RedLine is not particularly sophisticated malware but can steal passwords and is sold as an online service for $150 per month to people who want to steal cryptocurrencies like Bitcoin or Ethereum.
Its operators use many lures to get the unwary to download it, and HP has now found them using fake promises of Windows 11 upgrades to trick PC users into installing the malware.
Microsoft has set the bar high for Windows 11 upgrade-eligible hardware and is leaning toward newer processors. Few devices were initially eligible, but Microsoft recently announced it was accelerating the rollout to meet unexpected demand.
In this case, the attackers piggybacked on Microsoft’s January 26 announcement that Windows 11 was “entering its final phase of availability and intended for broad rollout to eligible devices”, registering their own fake domain the very next day.
HP security researchers discovered that RedLine actors were registering a fake domain in hopes of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design from the legitimate Windows 11 website, except that clicking the “Download Now” button downloads a suspicious zip archive.
“The domain caught our attention because it was newly registered, imitated a legitimate brand, and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, a family of information-stealing malware that is widely advertised for sale in underground forums,” said Patrick Schläpfer, malware analyst for HP’s Wolf Security team.
The fake Windows 11 upgrade page’s domain name was registered with a Russian registrar; Microsoft’s real Windows 11 upgrade page is hosted on a microsoft.com domain. The malware aims to steal passwords stored in web browsers, auto-complete data such as credit card information, and cryptocurrency files and wallets.
Microsoft has streamlined its Windows feature upgrades, making “N-minus-1” upgrades look more like a Patch Tuesday update. The criminals in this case outdid the real product on one measure: their malicious installer was a zip archive of just 1.5MB, yet the unzipped folder weighed in at 753MB, a compression feat that left HP’s malware analyst impressed.
“Since the compressed size of the zip file was only 1.5MB, that means it has an impressive compression ratio of 99.8%. That’s much higher than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable probably contains extremely compressible padding,” Schläpfer writes.
He also noted a “padding area” of filler 0x30 bytes in the file, which had no apparent purpose other than to evade antivirus detection.
“One of the reasons why attackers were able to insert such a padding area, making the file very large, is that files of this size may not be scanned by antivirus and other scanning controls, thus increasing the chances that the file can run unhindered and install the malware,” he notes.
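The two indicators Schläpfer describes, an extreme zip compression ratio and a file stuffed with one repeated byte, can both be checked from the archive headers and a streamed read, without extracting the 753MB payload to disk or handing it to a scanner that gives up on large files. The script below is an added example written for this article, not HP’s or the article’s code: it reads each entry’s compressed and uncompressed sizes from the zip directory, guesses the padding byte from the first 64 KiB of content, and counts that byte’s share across the entry in a streaming fashion. The 90% thresholds, the scan cap, and the sample archive (a random 4 KiB stub followed by 2 MiB of 0x30 bytes, under a made-up filename) are assumptions constructed for the demonstration; the 99.8% and 47% figures come from the article.

```python
"""Flag zip entries that look like the oversized-padding trick.

Added example, not code from HP or the article. Thresholds and the sample
archive are assumptions; real archives are audited via audit_zip(bytes).
"""
import io
import random
import zipfile
from collections import Counter

SUSPICIOUS_RATIO = 0.90        # article: padded sample hit 99.8%, typical exe ~47%
PADDING_BYTE_SHARE = 0.90      # assumption: >90% of bytes identical == padding
HEAD_SAMPLE = 64 * 1024        # bytes used to guess the padding byte
CHUNK = 1024 * 1024            # streaming read size
DEFAULT_MAX_SCAN = 256 * 1024 * 1024   # cap on decompressed bytes scanned per entry


def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Space saved as a fraction: 1 - compressed/uncompressed (0.998 == 99.8%)."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size


def padding_profile(zf: zipfile.ZipFile, info: zipfile.ZipInfo, max_scan: int):
    """Return (dominant_byte, share) for one entry, streaming at most max_scan bytes.

    The candidate padding byte is taken from the first HEAD_SAMPLE bytes; its
    share is then counted with bytes.count over successive chunks, so a
    multi-hundred-MB padded entry is never held in memory at once.
    """
    with zf.open(info) as fh:
        head = fh.read(HEAD_SAMPLE)
        if not head:
            return None, 0.0
        candidate = Counter(head).most_common(1)[0][0]
        hits = head.count(candidate)
        scanned = len(head)
        while scanned < max_scan:
            chunk = fh.read(min(CHUNK, max_scan - scanned))
            if not chunk:
                break
            hits += chunk.count(candidate)
            scanned += len(chunk)
    return candidate, hits / scanned


def audit_zip(archive: bytes, max_scan: int = DEFAULT_MAX_SCAN) -> list:
    """Return one finding dict per file entry; 'suspicious' needs both signals."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = compression_ratio(info)
            pad_byte, share = padding_profile(zf, info, max_scan)
            findings.append({
                "name": info.filename,
                "file_size": info.file_size,
                "compress_size": info.compress_size,
                "ratio": ratio,
                "padding_byte": pad_byte,
                "padding_share": share,
                "suspicious": ratio >= SUSPICIOUS_RATIO and share >= PADDING_BYTE_SHARE,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: a small incompressible 'executable' stub followed
    by 2 MiB of 0x30 padding, plus two ordinary files. Names are made up."""
    rng = random.Random(7)
    stub = bytes(rng.getrandbits(8) for _ in range(4096))
    padded_exe = stub + b"\x30" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fake_windows11_setup.exe", padded_exe)
        zf.writestr("readme.txt", b"Run setup to upgrade to Windows 11.\n")
        zf.writestr("legit.bin", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_zip(build_sample_archive()):
        pad = f"0x{f['padding_byte']:02x}" if f["padding_byte"] is not None else "-"
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']:26} {f['file_size']:>9} -> {f['compress_size']:>7} "
              f"ratio={f['ratio']:.1%} pad={pad} share={f['padding_share']:.1%} {verdict}")
```

Because the sizes come from the central directory, the ratio check costs nothing even for the 753MB case; only the byte-share pass decompresses data, and the cap keeps a deliberately huge entry from turning the check itself into a denial of service. Requiring both signals avoids flagging ordinary highly compressible files such as logs or text.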
The Windows 11 ruse is typical of the RedLine operators, who have built a cheap and nasty malware service for non-technical criminals. In December, the lure was the branding of the hugely popular messaging app Discord.
HP notes, “Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trusted sources.”