Windows 11 Update Scam – Fake Installer Injects Redline Malware

Windows 10 is really good, but with Windows 11 available, PC users all over the world are trying to get the upgrade. Emphasis on trying as Microsoft set a high bar for hardware that can upgrade to Windows 11. When the company announced that it’s accelerating the rollout, users were so psyched. Unfortunately, so were cybercriminals.

Windows 11 Malware

A while ago, RATDispenser targeted Windows devices. Now, following Microsoft’s announcement, threat actors are spreading fake Windows 11 installers. When a user runs one, it infects the device with the info-stealing RedLine malware.

The worst part is that this malware is available to anyone online. This campaign is dangerous, and we’re here to shed more light on the matter. Read on for more information.

Windows 11 Scam – Crossing the RedLine

Scams like this have occurred on multiple occasions before. Nor is RedLine a new threat: attackers have made use of it in past campaigns.

As we mentioned, what makes the situation worse is that anyone can get their hands on the malware. For around $150/month, threat actors can purchase it and use it to steal cryptocurrencies such as Bitcoin or Ethereum.

Once they have the malware, it’s up to them to think of clever ways to get the unwary to download it. In the recent attacks, the cyber crooks are using fake promises of a Windows 11 upgrade as a lure for PC users.

On January 26th, 2022, Microsoft announced that Windows 11 is “entering its final phase of availability and is designated for broad deployment for eligible devices.”

The day after the announcement, the threat actors registered their own fake domain. According to HP researchers, the attackers mimicked the design of the legitimate Windows 11 website.

Redline Fake Website

However, there’s one slight difference. On the fake page, clicking the “Download Now” button downloads a suspicious zip archive. Again, this only fools non-tech-savvy individuals, as the domain of the fake Windows 11 upgrade page was registered through a Russian registrar.

The real Microsoft Windows 11 upgrade page is hosted on a Microsoft.com domain. In a statement, Patrick Schläpfer, a malware analyst for HP’s Wolf Security team, explains more about the zip file:

“Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%.

This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible.”

Aside from that, the file makes use of a junk “filler area” of 0x30 bytes, mainly to avoid detection by any antivirus present on the device.
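The two indicators quoted above (a compression ratio far above the 47% average for executables, and a run of 0x30 filler bytes) can be turned into a simple triage check. The Python script below is an added example, not code from the article or from HP; the archive it inspects is constructed in the script, and the 95% flagging threshold is an assumption.

```python
import io
import os
import zipfile

# Assumed threshold: the quoted average for executables is 47%, so anything
# near the 99.8% seen in this campaign is worth a closer look.
SUSPICIOUS_RATIO = 0.95


def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Fraction of space saved by compression for one archive member (0.0..1.0)."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size


def trailing_filler(data: bytes, byte: int = 0x30) -> int:
    """Length of the run of a single filler byte at the end of a file."""
    n = 0
    for b in reversed(data):
        if b != byte:
            break
        n += 1
    return n


def scan_zip(zip_bytes: bytes, threshold: float = SUSPICIOUS_RATIO) -> list:
    """Return (name, ratio, trailing 0x30 run) for members compressed beyond threshold."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = compression_ratio(info)
            if ratio >= threshold:
                payload = zf.read(info)
                findings.append((info.filename, round(ratio, 3), trailing_filler(payload)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: 4 KiB of incompressible 'code' followed by 2 MiB of 0x30 padding."""
    body = os.urandom(4096) + b"\x30" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fake_installer_sample.exe", body)  # placeholder name
    return buf.getvalue()


if __name__ == "__main__":
    for name, ratio, filler in scan_zip(build_sample_zip()):
        print(f"{name}: ratio={ratio:.1%}, trailing 0x30 filler={filler} bytes")
```

A high ratio alone is not proof of malice (installers bundling large sparse resources can also compress well), so treat a hit as a reason to sandbox the file rather than a verdict.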

Back in December, the threat actors were riding on the branding of the hugely popular messaging app Discord. Now it is Windows 11 that is being impersonated.

Windows 11 Scam – An Update You’d Want to Avoid

We’ve said this before, and we’ll always say it again to ensure your safety. Such campaigns rely on you downloading software from sources that threat actors control.

To avoid this, only download your software from trustworthy sources. Head over manually to the official website and get your file.

That way, you won’t fall into such a predicament. Also, install an antivirus program on your device. While this might not stop every threat, it can at least prevent a lot of damage.
