
Fake Windows 11 update infects computers with RedLine malware

Taking advantage of the growing popularity of Windows 11 and the broad rollout phase recently announced by Microsoft, some actors have started distributing fake Windows 11 update installers with RedLine malware hidden inside them.

According to the HP researchers who detected this campaign, RedLine is an information stealer aimed at capturing users’ private and sensitive data such as passwords, browser cookies, credit card details, and the contents of commonly used cryptocurrency wallets, so an infection can have dire consequences for victims.

For distribution, the cyber criminals used the legitimate-looking domain “windows-upgraded.com”, copying the genuine style of the Microsoft website. If a visitor clicked the “Download Now” button, they received a 1.5 MB ZIP file called “Windows11InstallationAssistant.zip”, served directly from a Discord CDN.

Fake Windows 11 update infects with RedLine malware

When the victim launches the executable in the folder, it starts a PowerShell process with an encoded argument. That in turn starts a cmd.exe process with a 21-second timeout, and once it expires, a .jpg file is fetched from a remote web server. This file is actually a DLL whose bytes are stored in reverse order, possibly to evade detection and analysis. Finally, the initial process loads the DLL and replaces the current thread context with it, executing the RedLine payload, which connects to the command and control server over TCP and waits for instructions.
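The chain above leaves two artefacts a responder can triage without running anything: the encoded PowerShell argument (a standard `-EncodedCommand` value, base64 over UTF-16LE) and the fetched “.jpg”, which is a byte-reversed DLL. The following is an added example, not code from the article or from HP’s report; it assumes those two encodings and uses constructed sample inputs (a fake PE header and a fake process-event list) rather than real samples.

```python
"""Defender-side triage helpers for the fake-installer chain described above.

Added example, not from the article or HP's analysis. Assumptions:
  * the PowerShell argument is a standard -EncodedCommand value
    (base64 of a UTF-16LE string);
  * the fetched ".jpg" is a PE file stored with its bytes reversed.
All sample inputs below are constructed for illustration.
"""
import base64
import re
import struct


def decode_encoded_command(arg: str) -> str:
    """Decode a PowerShell -EncodedCommand argument back to script text."""
    raw = base64.b64decode(arg, validate=True)
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used only to build test samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_payload(data: bytes) -> str:
    """Classify a fetched blob as 'pe', 'reversed-pe', 'jpeg' or 'unknown'.

    The reversed check covers the trick in this campaign: a DLL served with
    its bytes in reverse order so the file does not start with 'MZ'.
    """
    if looks_like_pe(data):
        return "pe"
    if looks_like_pe(data[::-1]):
        return "reversed-pe"
    if data[:3] == b"\xff\xd8\xff":  # genuine JPEG SOI marker
        return "jpeg"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like header (not a loadable executable)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Matches -e / -ec / -en / -enc / -EncodedCommand followed by an argument.
_ENCODED_FLAG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+\S", re.IGNORECASE)


def flag_suspicious_chain(events):
    """Given ordered (image, cmdline) process-creation events, report the
    sequence described in the article: PowerShell with an encoded command,
    then cmd.exe running 'timeout'. Returns a list of reasons (empty = clean).
    """
    reasons = []
    saw_encoded_ps = False
    for image, cmdline in events:
        name = image.lower().rsplit("\\", 1)[-1]
        if name == "powershell.exe" and _ENCODED_FLAG.search(" " + cmdline):
            saw_encoded_ps = True
            reasons.append("powershell.exe launched with an encoded command")
        elif name == "cmd.exe" and saw_encoded_ps and "timeout" in cmdline.lower():
            reasons.append("cmd.exe timeout following encoded powershell")
    return reasons


if __name__ == "__main__":
    # Constructed sample events mirroring the described chain.
    sample_events = [
        (r"C:\Users\victim\Windows11InstallationAssistant.exe", "Windows11InstallationAssistant.exe"),
        (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -enc " + encode_command("Start-Sleep 1")),
        (r"C:\Windows\System32\cmd.exe", "cmd.exe /c timeout 21"),
    ]
    print(flag_suspicious_chain(sample_events))
    print(classify_payload(build_fake_pe()[::-1]))  # constructed reversed DLL
```

`classify_payload` is the check to run on anything a process fetched with an image extension: a real JPEG starts with the SOI marker, while a reversed PE reveals its `MZ`/`PE` headers only after the bytes are flipped. `flag_suspicious_chain` is deliberately narrow to the sequence the article describes; in a production rule you would also key on the parent process being an unsigned executable extracted from a ZIP.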

Although the site originally used to distribute this malware has now been taken down, experts warn that nothing prevents the criminals from registering a new domain and restarting their campaign, or even running more than one page dedicated to this data-theft operation.

Unfortunately, this is not the only current threat. As reported by BleepingComputer, cybercriminals are also abusing legitimate Windows 11 update clients to execute malicious code on previously compromised user systems.

For our part, we urge you to pay attention whenever you have to download a file, and to follow our recommendations to stay safe online.
