Ever since Windows 11 was first announced back in June of 2021, there have been many campaigns aimed at duping people into downloading fake, malicious Windows 11 installers. While that activity seemed to die down for a while, it looks like it is back again, and this time it is probably much more dangerous.
That's because Windows 11 back then was not available to the public but only to Insiders, who are generally more tech-savvy and aware. However, Windows 11 has since become available to the masses, with plans to accelerate the rollout also in place, making the situation now far more delicate.
The new malware campaign was discovered by the HP Threat Research Team, who noticed a new impostor website that looks like Microsoft's but in reality distributes files containing the RedLine stealer malware.
The name of this website is "windows-upgraded[.]com", as can be seen in the image below, and to those not paying attention it could pass for a genuine Microsoft site, since its layout and appearance look quite like the real thing.
When someone clicks on the "DOWNLOAD NOW" button, a 1.5MB zip archive called "Windows11InstallationAssistant.zip" is downloaded. However, HP was struck by the fact that this mere 1.5MB file, upon decompression, expanded into a 753MB folder, a compression ratio of 99.8%.
Upon reversing the contents of the package, HP found that this Windows 11 installer delivers a RedLine stealer malware payload, and as the name suggests, this malware is able to steal sensitive information like passwords and other credentials.
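The 99.8% compression ratio is itself a useful signal: an archive member that shrinks that much is usually a small file padded with highly compressible bytes. The following is an added example, not code from the article or from HP, that builds a constructed archive in memory and flags members whose compression ratio is above a threshold (the threshold, member names and padding size are assumptions for illustration):

```python
import io
import zipfile
from typing import Dict, List

# Heuristic threshold: the campaign's 1.5MB archive expanded to 753MB (99.8%).
RATIO_THRESHOLD = 0.99
# Ignore tiny members; only inflated payloads of at least 1 MB are of interest.
MIN_UNCOMPRESSED = 1024 * 1024


def entry_compression_ratios(zip_bytes: bytes) -> Dict[str, float]:
    """Return {member name: ratio}, where ratio = 1 - compressed_size / uncompressed_size.

    Sizes are read from the central directory, so no member is extracted.
    """
    ratios: Dict[str, float] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            ratios[info.filename] = 1.0 - info.compress_size / info.file_size
    return ratios


def suspicious_members(zip_bytes: bytes,
                       threshold: float = RATIO_THRESHOLD,
                       min_uncompressed: int = MIN_UNCOMPRESSED) -> List[str]:
    """Names of members that are both large when unpacked and almost entirely compressible."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        sizes = {i.filename: i.file_size for i in zf.infolist()}
    for name, ratio in entry_compression_ratios(zip_bytes).items():
        if sizes[name] >= min_uncompressed and ratio >= threshold:
            flagged.append(name)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive: a padded 'installer' next to an ordinary text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Constructed padded executable: a two-byte header followed by 8 MB of NUL bytes.
        zf.writestr("Windows11InstallationAssistant.exe", b"MZ" + b"\x00" * (8 * 1024 * 1024))
        # Constructed ordinary text file, which compresses only modestly.
        zf.writestr("readme.txt", b"Run the assistant to check compatibility, then follow the "
                                  b"on-screen steps. Keep a backup of your files before upgrading.\n")
    return buf.getvalue()
```

Run against a real download, the same functions can be pointed at the bytes of a saved archive; a member with a ratio near 1.0 deserves a closer look before anything in it is executed.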
You can find more technical details in the official blog post linked here.