Cyber attackers have begun disseminating bogus Windows 11 update software to Windows 10 customers, deceiving users into downloading and installing the RedLine stealer malware.
Since RedLine is one of the most widely used stealers of passwords, browser cookies, credit card data and cryptocurrency wallet information, its attacks can have disastrous consequences for victims.
The perpetrators used the seemingly legitimate "windows-upgraded.com" site as the malware delivery mechanism for their operation, according to the HP researchers who discovered it.
The webpage seems to be a legitimate Microsoft site, whereby users who clicked the “Download Now” link obtained a 1.5 MB ZIP download named “Windows11InstallationAssistant.zip,” which was obtained directly from a Discord CDN.
How it works
When you decompress the file, you'll get a folder that's 753MB in size, a compression ratio of 99.8% that is explained by the padding (filler bytes) inside the executable.
When the victim runs the application extracted to that folder, a PowerShell process starts with an encoded command-line parameter. A cmd.exe process is then launched with a 21-second timeout, after which a .jpg file is retrieved from the remote server.
That file is actually a DLL whose bytes have been reversed, a trick intended to evade detection and hinder analysis.
This initial stage then loads the DLL into the current thread context. The DLL is the RedLine payload itself: it communicates with a command-and-control server over TCP and receives instructions on what malicious operations to perform next on the newly infected machine.
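Two of the tricks described above, a heavily padded executable inside the ZIP and a byte-reversed DLL masquerading as an image, leave simple artefacts a defender can check for during triage. The following Python script is an added illustration of those two checks; it is not code from HP or the CIRT, and it runs on constructed sample data (a fake padded executable and a fake reversed PE), not on the real download.

```python
import io
import zipfile

# Constructed sample inputs (not real malware): a "padded" executable and a
# byte-reversed PE file, mimicking the two tricks described in the alert.

def padding_ratio(zip_bytes: bytes, member: str) -> float:
    """Return compressed/uncompressed size ratio (0..1) for one ZIP member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member)
        if info.file_size == 0:
            return 1.0
        return info.compress_size / info.file_size

def looks_padded(zip_bytes: bytes, member: str, threshold: float = 0.01) -> bool:
    """Flag a member that compresses to under 1% of its original size.

    Real executables rarely compress that well; such a ratio usually means
    the file has been stuffed with filler bytes (the 1.5 MB -> 753 MB case
    described in the alert is a 0.2% ratio)."""
    return padding_ratio(zip_bytes, member) < threshold

def is_reversed_pe(data: bytes) -> bool:
    """A PE file starts with the 'MZ' magic; a byte-reversed PE therefore
    ends with 'ZM'. A 'jpg' download matching this is worth a closer look."""
    return len(data) >= 2 and data[-2:] == b"ZM" and data[:2] != b"MZ"

def build_sample_zip() -> bytes:
    """Build a constructed ZIP: one padded fake executable plus a text file."""
    fake_exe = b"MZ" + b"\x00" * (5 * 1024 * 1024)  # 5 MiB of zero padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", fake_exe)
        zf.writestr("readme.txt", b"hello world" * 10)
    return buf.getvalue()

# Constructed stand-in for the "jpg" stage: a minimal PE-like header, reversed.
SAMPLE_REVERSED_DLL = (b"MZ\x90\x00PE\x00\x00fake")[::-1]

if __name__ == "__main__":
    sample = build_sample_zip()
    for name in ("Windows11InstallationAssistant.exe", "readme.txt"):
        print(name, "padded" if looks_padded(sample, name) else "normal")
    print("reversed PE:", is_reversed_pe(SAMPLE_REVERSED_DLL))
```

In practice the same two checks would be applied to the downloaded ZIP and to the file fetched by the cmd.exe stage, alongside the process-tree indicator (PowerShell with an encoded command spawning cmd.exe with a timeout).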
To protect against this type of malware, users are advised to follow the steps below:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.