This malware steals passwords pretending to be a Windows 11 download

If you are using Windows 10, beware of fake Windows 11 installers that are being used to spread RedLine, an information-stealing malware family that harvests data from its victims.

RedLine is not particularly sophisticated, but it is effective at stealing passwords. It is sold as a subscription service for $150 per month to criminals who want to steal cryptocurrency, including Bitcoin and Ethereum.

Cybercriminals use many lures to get the unwary to download this malware, and HP has found that some are now using fake Windows 11 upgrade ads to trick PC users into installing it.

Fake domain

Microsoft set a high bar for the hardware eligible to upgrade to Windows 11, so few devices qualified at first. But Microsoft recently announced that it was accelerating the rollout to meet unexpected demand.

It was in this context that cybercriminals seized on Microsoft’s January 26 announcement that Windows 11 had entered its final phase of availability and was about to be offered broadly to eligible devices.

HP security researchers found that the RedLine operators registered a look-alike domain in the hope of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design of the legitimate Windows 11 website; the difference is that clicking the “Download Now” button fetches a suspicious zip archive.

“The domain caught our attention because it was newly registered, impersonated a legitimate brand, and leveraged a recent listing. The hacker used this domain to distribute RedLine Stealer, information-stealing malware widely advertised for sale on underground forums,” says Patrick Schläpfer, malware analyst on HP’s Wolf Security team.

“Impressive compression ratio of 99.8%”

The domain name of the fake Windows 11 upgrade page was registered through a Russian registrar, whereas the real Windows 11 upgrade page is hosted on a “” domain. The malware steals passwords saved in web browsers, browser autofill data such as credit card details, and cryptocurrency wallets.

Microsoft has streamlined its Windows feature updates, including moving them closer to Patch Tuesday for “N-minus-1” updates. The criminals, for their part, went well beyond anything Microsoft ships: the malicious installer is a 1.5 MB zip archive that expands to a 753 MB file. That trick caught the attention of HP’s malware analyst.

“As the compressed size of the zip file is only 1.5MB, that means it has an impressive compression rate of 99.8%. This is much more than the average zip compression ratio for executables, which is 47%. To achieve such a high compression ratio, the executable probably contains extremely compressible content,” writes Patrick Schläpfer.

Windows 11 after Discord

The analyst also notes that the file contains a large “padding area” filled with the byte 0x30, which serves no purpose other than to evade antivirus detection. “One of the reasons why attackers were able to insert such a padding area, making the file very large, is that files of this size may not be scanned by antivirus, thus increasing the chances that the file could run unhindered and install the malware,” he adds.
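The two observations above (a compression ratio far outside the norm, visible from zip metadata alone, and a huge run of one byte value inside the executable) are cheap to check before anything is extracted or executed. The Python script below is an added example written for this page; it is not HP’s tooling and not RedLine code. It builds a constructed sample archive (a small random stub inflated with 2 MB of 0x30 bytes next to an incompressible control file; the member names `installer.exe` and `readme.txt` and all thresholds are assumptions to tune per environment), reads each member’s compressed and uncompressed sizes from the central directory, and scans a bounded prefix of each member for its dominant byte value and the longest contiguous run of it.

```python
"""Triage a zip archive for the padded-installer pattern described by HP:
an archive that is tiny on disk but expands into a very large executable
made mostly of one repeated byte value. Added example for this page."""
import io
import os
import re
import zipfile
from collections import Counter

# Thresholds are assumptions for illustration; tune them for your environment.
SUSPICIOUS_RATIO = 0.95          # HP: ~47% is typical for executables, the sample hit 99.8%
LARGE_FILE = 256 * 1024 * 1024   # assumed size beyond which some scanners skip a file
MAX_SCAN = 8 * 1024 * 1024       # inspect at most this many bytes of each member
MIN_RUN = 64 * 1024              # a run of one byte this long is not normal code or data


def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Space saved, as the analyst computes it: 1 - compressed / uncompressed."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size


def padding_stats(data: bytes):
    """Return (dominant_byte, fraction, longest_run) for a buffer.

    The dominant byte is estimated from a strided sample (cheap), then its
    share of the buffer and its longest contiguous run are measured exactly
    with C-speed primitives, so multi-megabyte buffers stay fast."""
    if not data:
        return None, 0.0, 0
    dominant = Counter(data[::257]).most_common(1)[0][0]   # prime stride
    fraction = data.count(dominant) / len(data)
    run_re = re.compile(rb"\x%02x{%d,}" % (dominant, MIN_RUN))
    longest = max((m.end() - m.start() for m in run_re.finditer(data)), default=0)
    return dominant, fraction, longest


def triage_zip(zip_bytes: bytes) -> list:
    """Classify every member using central-directory sizes plus a bounded read.

    Nothing is written to disk and no member is fully inflated."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = compression_ratio(info)
            reasons = []
            if ratio >= SUSPICIOUS_RATIO:
                reasons.append(f"compression ratio {ratio:.1%}")
            if info.file_size >= LARGE_FILE:
                reasons.append(f"uncompressed size {info.file_size} bytes")
            with zf.open(info) as member:        # streams; inflates only MAX_SCAN bytes
                head = member.read(MAX_SCAN)
            dominant, fraction, longest = padding_stats(head)
            if longest >= MIN_RUN:
                reasons.append(f"{longest}-byte run of 0x{dominant:02x} "
                               f"({fraction:.0%} of scanned bytes)")
            findings.append({
                "name": info.filename,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "ratio": ratio,
                "dominant_byte": dominant,
                "longest_run": longest,
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return findings


def build_sample_zip(padding: int = 2 * 1024 * 1024) -> bytes:
    """Constructed sample, not the real RedLine archive: a small random 'executable'
    stub inflated with a block of 0x30 bytes, beside an incompressible control file."""
    stub = b"MZ" + os.urandom(4096)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", stub + b"\x30" * padding + stub)
        zf.writestr("readme.txt", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']:<16} {f['compressed']:>8} -> {f['uncompressed']:>9} bytes "
              f"ratio {f['ratio']:6.1%}  {flag}  {'; '.join(f['reasons'])}")
```

Reading the sizes from the central directory costs nothing, and the bounded read means a decoy archive cannot force you to inflate 753 MB just to classify it. Since the analyst’s point is that a file this large may never be scanned on the endpoint, a check like this belongs upstream, at the mail gateway or download proxy, rather than only on the workstation.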

This Windows 11 lure is typical of the RedLine operators, who run a cheap malware service aimed at criminals with little technical skill. In December, they borrowed the branding of the hugely popular messaging app Discord in the same way.

“Since these campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trusted sources,” HP notes.
