A fake Microsoft website claiming to offer the official version of the newly released Windows 11 operating system was caught delivering malware, according to researchers.
HP’s Threat Research team has disclosed a new scam in which attackers copied the design of the authentic Windows 11 website to distribute RedLine Stealer. The fake website was identified on 27 January 2022, just a day after Windows 11’s final phase upgrade was announced.
According to HP’s research department, the fake website is incredibly convincing. As per their research, a threat actor registered windows-upgradedcom domain and used it to spread malware by luring visitors into downloading/installing a fake installer.
Although the website offered Windows 11 upgrades from Microsoft the difference between the legitimate and scam versions is that in the rogue site, when a user clicks on the Download Now button, instead of downloading the authentic software, it downloads a dubious 1.5MB ZIP archive titled Windows11InstallationAssistant.zip.
The HP security team decompressed the archive and discovered a 753 MB folder containing the executable Windows11InstallationAssistant.exe sized 751 MB. In a blog post, Patrick Schläpfer of HP explained,
“Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible.”
The archive was hosted on the content delivery network of Discord. This domain caught the team’s attention since it was freshly registered and copied a trusted brand’s name.
Further probe revealed that the malicious actor used the domain to distribute RedLine information-stealing malware, which is quite popular among users of underground hacking forums.
The ZIP file downloads a DLL that has been disguised as a JPEG file, and the result is the installation of the RedLine Stealer malware suite that can quickly swipe usernames, passwords, cryptocurrency data, credit card numbers, and similar sensitive information.
At the time of writing, the fake website was offline.
If you are a Windows user planning to upgrade to Windows 11 there is a lesson to learn that this campaign highlights how attackers can be quick to take advantage of important, relevant, and interesting current events to create effective lures.
Moreover, prominent announcements and events are always interesting topics for threat actors, which can be exploited to spread malware. Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources.
Nevertheless, refrain from downloading applications and software from third-party websites. In case you have downloaded something from a third-party store make sure to upload it on VirusTotal for a quick yet in-depth scan from 73 anti-malware solutions.
Your email address will not be published.
Super secure VPN
Minimal data logging
Visit IPVanish ‣
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
Hackread.com is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of Hackread.com. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.