A fake update to Windows 11 could infect your PC, here's how to protect yourself
Many Windows 10 users have decided to wait a few months before upgrading to Microsoft's new operating system, Windows 11. Taking advantage of the renewed interest in this upgrade, a group of attackers set out to get unsuspecting users to download and install the RedLine malware, malicious software that steals passwords, browser cookies, credit card data and cryptocurrency wallets.

As reported by Bleeping Computer and discovered by HP researchers, the attackers ran the campaign through the domain "windows-upgraded.com", which at first glance might look legitimate because it replicates the official Microsoft website, inviting the potential victim to click the "Download Now" button to download the file "Windows111InstallationAssistant.zip" from a Discord CDN.
Once the compressed archive, a generous 753 MB in size, has been extracted and the executable launched, a PowerShell process starts with an encoded argument, followed by a cmd.exe process with a 21-second timeout; when that expires, a .jpg image file is fetched from a remote server. The "image" is actually a DLL with its contents stored backwards, probably to evade antivirus detection. This file is the RedLine payload, which connects to a server over TCP to receive commands to execute on the now infected system.
Although the original site is now inaccessible, we advise you to be especially careful with links found on forums or in groups related to the Windows 11 upgrade. Attackers were waiting for a period of mass upgrades like this one to take advantage of the inexperience of some users and direct them to sites built specifically to download and install malicious software. Before carrying out operations of this type, make sure you are on the official Microsoft website.
This password-stealing malware posed as a Windows 11 download
Windows 10 users need to be cautious about fake Windows 11 installers that are being used to spread the info-stealing RedLine malware.
RedLine is not especially sophisticated malware but can steal passwords and is sold as an online service for $150 a month to people who want to steal cryptocurrency like Bitcoin or Ethereum.
Crooks use numerous tricks to get the unwary to download it, and HP has now found them using fake promises of Windows 11 upgrades as a lure to trick PC users into installing the malware.
Microsoft has set a high bar for hardware that is eligible for the upgrade to Windows 11 and leans towards newer processors. Few devices were initially eligible but Microsoft recently announced it was accelerating the roll out to meet unexpected demand.
In this case, the hackers used Microsoft's January 26 announcement that Windows 11 was 'entering its final phase of availability and is designated for broad deployment for eligible devices' as an angle, registering their own fake domain the day after.
HP security researchers found that RedLine actors registered a fake domain in the hope of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design of the legitimate Windows 11 website, except clicking on the 'Download Now' button downloads a suspicious zip archive.
'The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information stealing malware family that is widely advertised for sale within underground forums,' Patrick Schläpfer, a malware analyst for HP's Wolf security team said.
The domain name for the bogus Windows 11 upgrade page was registered with a Russian registrar; Microsoft's actual Windows 11 upgrade page is hosted on a Microsoft.com domain. The malware aims to steal stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets.
Microsoft has been streamlining its Windows feature upgrades, including making them more like a Patch Tuesday for 'N-minus-1' upgrades, but the criminals in this case went well beyond the real product with a tiny compressed malicious installer of just 1.5 MB which, after decompression, expanded to a 753 MB folder, a feat that impressed HP's malware analyst.
'Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible,' writes Schläpfer.
He also noted the use of a junk 'filler area' of 0x30 bytes in the file that served no apparent purpose other than evading antivirus detection.
'One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware,' he notes.
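The two evasion tricks described on this page, the absurdly compressible zip padded with 0x30 bytes and the "image" that is really a DLL stored backwards, are both cheap to check for before a user opens an archive. The following triage script is an added example, not HP's tooling or anything from the campaign; the thresholds, file names and the sample archive it builds are constructed for illustration.

```python
import io
import re
import zipfile

# Thresholds drawn from the HP figures quoted above: the lure compressed by 99.8% (typical
# executables about 47%) and carried a 0x30 filler area. Cut-offs below are assumed.
SUSPICIOUS_RATIO = 0.90
FILLER_BYTE = 0x30
MIN_FILLER_RUN = 1024 * 1024  # 1 MiB of one repeated byte is padding, not code

def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Fraction of the uncompressed size removed by compression (0.998 for the real lure)."""
    return 1.0 - info.compress_size / max(info.file_size, 1)

def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest contiguous run of `byte` in `data`."""
    pattern = re.escape(bytes([byte])) + b"+"
    return max((m.end() - m.start() for m in re.finditer(pattern, data)), default=0)

def looks_like_reversed_pe(data: bytes) -> bool:
    """A PE stored back to front ends with its 'MZ' header bytes in reverse order."""
    return data[-2:] == b"ZM"

def triage_zip(zip_bytes: bytes) -> dict:
    """Per-entry findings a gateway or EDR rule could act on before a user opens the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ratio = compression_ratio(info)
            findings[info.filename] = {
                "ratio": round(ratio, 3),
                "high_ratio": ratio >= SUSPICIOUS_RATIO,
                "filler_padded": longest_run(data, FILLER_BYTE) >= MIN_FILLER_RUN,
                "reversed_pe": looks_like_reversed_pe(data),
            }
    return findings

def build_sample() -> bytes:
    """Constructed sample archive, not the real lure: a fake PE stub padded with 4 MiB of 0x30,
    the same bytes stored reversed as a '.jpg', and a small benign text file as a control."""
    stub = b"MZ" + b"\x90" * 62  # constructed stand-in for a DOS header
    padded_exe = stub + bytes([FILLER_BYTE]) * (4 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", padded_exe)
        zf.writestr("update.jpg", padded_exe[::-1])
        zf.writestr("readme.txt", b"ordinary small text file")
    return buf.getvalue()
```

Running `triage_zip(build_sample())` flags the padded executable and the reversed "image" while leaving the small text file clean; the same checks can be applied to a real archive by passing its bytes instead.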
The Windows 11 ruse is typical of RedLine's operators, who've made a cheap and nasty malware service for non-techies to use. In December, it was riding off the branding of the hugely popular messaging app Discord.
HP notes: 'Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources.'