Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.
The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success.
RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.
According to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate “windows-upgraded.com” domain for the malware distribution part of their campaign.
The site appears like a genuine Microsoft site and, if the visitor clicked on the ‘Download Now’ button, they received a 1.5 MB ZIP archive named “Windows11InstallationAssistant.zip,” fetched directly from a Discord CDN.
Fake website used for malware distribution (HP)
Decompressing the file results in a folder of 753MB of size, showcasing an impressive compression ratio of 99.8%, achieved thanks to the presence of padding in the executable.
When the victim launches the executable in the folder, a PowerShell process with an encoded argument starts.
Next, a cmd.exe process is launched with a timeout of 21 seconds, and after that expire