Users of Windows 10 have been tricked into downloading and executing RedLine stealer malware by threat actors delivering fake Windows 11 update packages.
The attackers were well prepared and timed the campaign to maximize its success: the attacks coincided with Microsoft’s announcement that Windows 11 had entered its broad rollout phase. Because RedLine is the most widely used stealer of passwords, browser cookies, credit card data, and cryptocurrency wallet information, an infection can have severe consequences for victims.
According to the HP researchers who discovered the campaign, the perpetrators used the seemingly legitimate “windows-upgraded.com” site for the malware distribution phase. The site looks like a genuine Microsoft page, and visitors who clicked the ‘Download Now’ button received a 1.5 MB ZIP archive named “Windows11InstallationAssistant.zip,” served directly from a Discord CDN.
Decompressing the archive produces a 753 MB folder, a compression ratio of 99.8% that is only possible because the executable is mostly padding. When the victim runs the program in the folder, a PowerShell process starts with an encoded parameter. A cmd.exe process then begins with a 21-second timeout, and once the timeout expires a .jpg file is retrieved from a remote web server. This file contains a DLL whose contents are stored in reverse, most likely to evade detection and hinder analysis.
Finally, the initial process loads the DLL and substitutes it for the current thread context. That DLL is the RedLine stealer payload, which connects to a command-and-control server over TCP to receive instructions on what malicious operations to execute next on the newly infected machine. Although the distribution site is now unavailable, nothing prevents the actors from registering a new domain and resuming the campaign, and this is likely already happening in the wild.
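The chain described above leaves two artifacts a defender can check for: a downloaded "image" that only becomes a valid PE when its bytes are reversed, and a process tree in which an executable run from a user-writable folder spawns PowerShell with an encoded command, followed by cmd.exe running `timeout`. The following Python is an added triage example written for this article, not code from HP's analysis or from any RedLine sample. The file paths, PIDs, command lines and the minimal PE stub are constructed, and the assumption that cmd.exe is a child of the PowerShell process (or of the launcher) is the example's own; adjust the parent/child logic to what your EDR actually records.

```python
"""Triage heuristics for the fake Windows 11 upgrade chain (constructed example).

Check 1: a file that parses as a Windows PE only after its bytes are reversed.
Check 2: launcher in a user-writable directory -> PowerShell with an encoded
         command -> cmd.exe running `timeout`, over process-creation records.
"""
import re
import struct

# Assumed: paths an attacker-delivered installer is typically run from.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")
# Matches -e, -enc or -EncodedCommand followed by whitespace (not -ExecutionPolicy).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s")
TIMEOUT_RE = re.compile(r"(?i)\btimeout\b")


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew offset points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_reversed_pe(data: bytes) -> bool:
    """True if the file is not a PE as stored but becomes one when read back-to-front."""
    return not looks_like_pe(data) and looks_like_pe(data[::-1])


def zero_padding_ratio(data: bytes) -> float:
    """Fraction of NUL bytes; close to 1.0 for an executable inflated with padding."""
    return data.count(0) / len(data) if data else 0.0


def build_minimal_pe_stub() -> bytes:
    """Constructed 128-byte MZ/PE header stub (not runnable code) for testing the checks."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60  # PE signature + padding


def find_suspicious_chains(events):
    """events: process-creation records {pid, ppid, image, cmdline}.

    Returns the pids of launchers matching: launcher in a user-writable path ->
    child powershell.exe with an encoded command -> cmd.exe running `timeout`
    (assumed to be a child of the PowerShell process or of the launcher).
    """
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    hits = []
    for launcher in events:
        if not any(p in launcher["image"].lower() for p in USER_WRITABLE):
            continue
        for ps in children.get(launcher["pid"], []):
            if not (ps["image"].lower().endswith("powershell.exe")
                    and ENCODED_FLAG.search(ps["cmdline"])):
                continue
            candidates = children.get(ps["pid"], []) + children.get(launcher["pid"], [])
            if any(c["image"].lower().endswith("cmd.exe") and TIMEOUT_RE.search(c["cmdline"])
                   for c in candidates):
                hits.append(launcher["pid"])
                break
    return hits


def constructed_events():
    """Constructed process records: one malicious chain and one benign updater."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    return [
        {"pid": 4101, "ppid": 1200, "cmdline": "Windows11InstallationAssistant.exe",
         "image": r"C:\Users\alice\Downloads\Windows11InstallationAssistant\Windows11InstallationAssistant.exe"},
        # "QUJD" is base64 of "ABC": a constructed stand-in for the real encoded blob.
        {"pid": 4102, "ppid": 4101, "image": ps, "cmdline": "powershell.exe -NoP -W Hidden -enc QUJD"},
        {"pid": 4103, "ppid": 4102, "image": cmd, "cmdline": "cmd.exe /c timeout 21"},
        {"pid": 5201, "ppid": 1200, "image": r"C:\Program Files\Vendor\Updater.exe", "cmdline": "Updater.exe"},
        {"pid": 5202, "ppid": 5201, "image": ps,
         "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Program Files\Vendor\update.ps1"},
        {"pid": 5203, "ppid": 5202, "image": cmd, "cmdline": "cmd.exe /c timeout 5"},
    ]


if __name__ == "__main__":
    stub = build_minimal_pe_stub()
    print("reversed stub detected:", looks_like_reversed_pe(stub[::-1]))
    print("zero padding ratio:", round(zero_padding_ratio(stub), 3))
    print("suspicious launcher pids:", find_suspicious_chains(constructed_events()))
```

The reversed-PE check is cheap enough to run on every image-typed download that an EDR or proxy quarantines, and the process-chain rule fires only when all three stages line up, which keeps it quiet for ordinary installers that merely launch PowerShell.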
Because many Windows 10 users cannot obtain Windows 11 through official channels due to hardware incompatibilities, malware operators see this as a reliable way to acquire new victims. Such malicious sites are promoted through forum and social media posts as well as instant messaging, so trust only the upgrade notifications delivered by the official Windows update system.