Threat actors have started dispersing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and running RedLine stealer malware. The timing of the attacks overlaps with the moment that Microsoft announced Windows 11’s broad deployment phase, so the attackers were well-prepared for this action and wait for the right moment to maximize their operation’s success. RedLine stealer is presently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.
According to researchers at HP, who have spotted this campaign, the actors used the legitimate “windows-upgraded.com” domain for the malware distribution part of their campaign. The site appears like a genuine Microsoft site and, if the visitor clicked on the ‘Download Now’ button, they received a 1.5 MB ZIP archive named “Windows11InstallationAssistant.zip,” fetched directly from a Discord CDN.
Decompressing the file results in a folder of 753MB of size, showcasing an outstanding compression ratio of 99.8%, achieved thanks to the presence of padding in the executable. The PowerShell process with the encoded argument starts when the victim launches the executable file. Next, a cmd.exe process is launched, it expires within 21 seconds, and a JPG file will be fetched from a remote web server.
This file contains a DLL with content arranged in reverse form, possibly to evade detection and analysis. Ultimately, the initial process loads the DLL and replaces the current thread context within it. That DLL is a RedLine Stealer payload that connects to the command-and-control server via TCP to get instructions on what malicious tasks it has to run next on the newly compromised system.
Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.
Windows 11 is a major upgrade that many Windows 10 users cannot get from authorized distribution channels due to hardware incompatibilities, something that malware operators see as an excellent opportunity for finding new victims.
BleepingComputer reported in January that threat actors are also leveraging Windows’ legitimate update clients to execute malicious code on compromised Windows systems, so the tactics reported by HP are hardly shocking at this point.
Remember, these dangerous sites are promoted via forum and social media posts or instant messages, so don’t trust anything but the official Windows upgrade system alerts.