Taking advantage of the growing popularity of Windows 11 and the broad rollout phase recently announced by Microsoft, some threat actors have started distributing fake Windows 11 update installers with the RedLine malware hidden inside them.
According to the HP researchers who detected this campaign, RedLine is malware aimed at capturing users’ private and sensitive information, such as passwords, browser cookies, credit card data and wallets for the most widely used cryptocurrencies, so its infections can have dire consequences for victims.
For distribution, the cybercriminals used the apparently legitimate domain “windows-upgraded.com”, copying the genuine style of the Microsoft website. If the visitor clicked the “Download Now” button, they received a 1.5 MB ZIP file called “Windows11InstallationAssistant.zip”, served directly from a Discord CDN.
When the victim launches the executable in the folder, a PowerShell process is started with a hardcoded argument. A cmd.exe process is then started with a timeout of 21 seconds, and once it times out, a .jpg file is fetched from a remote web server. This file contains a DLL whose bytes are stored in reverse order, possibly to evade detection and analysis. Finally, the initial process loads the DLL and replaces the current thread context with it, which loads the RedLine malware; RedLine then connects to its command and control server over TCP and waits for instructions.
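As an added defender-side example (not code from the HP write-up or from this article), the check below classifies a downloaded file and flags the trick described above: a file served as a .jpg whose bytes are really a byte-reversed PE image. The PE stub used as sample input is constructed for the example and is not an executable.

```python
import struct

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_download(data: bytes) -> str:
    """Classify a blob fetched as an 'image': a real JPEG, a PE, a reversed PE, or unknown."""
    if data[:3] == b"\xff\xd8\xff":          # JPEG SOI marker
        return "jpeg"
    if looks_like_pe(data):
        return "pe"                          # a DLL/EXE with no disguise at all
    if looks_like_pe(data[::-1]):
        return "reversed-pe"                 # the byte-reversed DLL technique described above
    return "unknown"

def scan_file(path: str) -> str:
    """Convenience wrapper: classify a file on disk (e.g. a fetched .jpg)."""
    with open(path, "rb") as f:
        return classify_download(f.read())

def build_fake_pe_stub() -> bytes:
    """Constructed sample input: a minimal MZ/PE header layout, not a runnable binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)    # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at offset 0x80
    hdr += b"\0" * (0x80 - len(hdr))         # DOS stub padding
    hdr += b"PE\0\0" + b"\0" * 20            # PE signature plus a few header bytes
    return bytes(hdr)

if __name__ == "__main__":
    stub = build_fake_pe_stub()
    print(classify_download(stub))           # pe
    print(classify_download(stub[::-1]))     # reversed-pe
```

A sandbox or proxy rule can apply the same check to any file served with an image extension but classified as "pe" or "reversed-pe".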
Although the site originally used to distribute this malware has now been taken down, experts warn that nothing prevents the criminals from setting up a new domain and restarting their campaign, or even running more than one page dedicated to this data-theft operation.
Unfortunately, this is not the only current threat. As BleepingComputer reported, cybercriminals are also abusing the legitimate Windows update client to execute malicious code on user systems that were previously compromised.
For our part, we urge you to pay attention whenever you download a file, and to follow our recommendations to stay safe online.