Windows 10 users need to be cautious about fake Windows 11 installers that are being used to spread the info-stealing RedLine malware.
RedLine is not especially sophisticated malware but can steal passwords and is sold as an online service for $150 a month to people who want to steal cryptocurrency such as Bitcoin or Ethereum.
Crooks use numerous tricks to get the unwary to download it, and now HP has now found them using fake promises of Windows 11 upgrades as a lure to trick PC users into installing the malware.
SEE: Cybersecurity: Let's get tactical (ZDNet special report)
Microsoft has set a high bar for hardware that is eligible for the upgrade to Windows 11 and leans towards newer processors. Few devices were initially eligible but Microsoft recently announced it was accelerating the rollout to meet unexpected demand.
In this case, the hackers tried to use Microsoft's January 26 announcement that it was "entering its final phase of availability and is designated for broad deployment for eligible devices" as an angle, as they registered their own fake domain the day after.
HP security researchers found that RedLine actors registered a fake domain in the hope of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design of the legitimate Windows 11 website, except clicking on the "Download Now" button downloads a suspicious zip archive.
"The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information-stealing malware family that is widely advertised for sale within underground forums," Patrick Schläpfer, a malware analyst for HP's Wolf security team, said.
The domain name for the bogus Windows 11 upgrade page was registered with a Russian registrar; Microsoft's actual Window 11 upgrade page is hosted on a Microsoft.com domain. The malware aims to steal stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets.
Microsoft has been streamlining its Windows feature upgrades, including making it more like a Patch Tuesday for 'N-minus-1' upgrades, but the criminals in this case far outperformed the real product with a minute compressed malicious installer of just 1.5MB of data, although after decompression, the folder size was 753 MB, a feat impressing HP's malware analyst.
"Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible," writes Schläpfer.
He also noted the use of a junk 0x30 byte "filler area" of the file that served no other apparent purpose than evading detection from antivirus.
"One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware," he notes.
The Windows 11 ruse is typical of RedLine's operators, who've made a cheap and nasty malware service for non-techies to use. In December, it was riding off the branding of the hugely popular messaging app Discord.
HP notes: "Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources."