
This password-stealing malware posed as a Windows 11 download

Feb, 10, 2022 Hi-network.com

Windows 10 users need to be cautious about fake Windows 11 installers that are being used to spread the info-stealing RedLine malware.

RedLine is not especially sophisticated malware, but it can steal passwords and is sold as an online service for $150 a month to people who want to steal cryptocurrency such as Bitcoin or Ethereum.


Crooks use numerous tricks to get the unwary to download it, and HP has now found them using fake promises of Windows 11 upgrades as a lure to trick PC users into installing the malware.


Microsoft has set a high bar for hardware that is eligible for the upgrade to Windows 11 and leans towards newer processors. Few devices were initially eligible but Microsoft recently announced it was accelerating the rollout to meet unexpected demand.    

In this case, the attackers tried to exploit Microsoft's January 26 announcement that Windows 11 was "entering its final phase of availability and is designated for broad deployment for eligible devices", registering their fake domain the day after.

HP security researchers found that RedLine actors registered a fake domain in the hope of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design of the legitimate Windows 11 website, except clicking on the "Download Now" button downloads a suspicious zip archive. 

"The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information-stealing malware family that is widely advertised for sale within underground forums," Patrick Schläpfer, a malware analyst for HP's Wolf security team, said.

The domain name for the bogus Windows 11 upgrade page was registered with a Russian registrar; Microsoft's actual Windows 11 upgrade page is hosted on a Microsoft.com domain. The malware aims to steal stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets.


Microsoft has been streamlining its Windows feature upgrades, including making them more like a Patch Tuesday for 'N-minus-1' upgrades, but the criminals in this case far outperformed the real product: the compressed malicious installer was just 1.5 MB, yet after decompression the folder grew to 753 MB, a feat that caught the attention of HP's malware analyst.

"Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible," writes Schläpfer.

He also noted a "filler area" of junk 0x30 bytes in the file that served no apparent purpose other than evading antivirus detection.

"One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware," he notes. 
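The two indicators HP describes, an implausibly high zip compression ratio and a long run of a single filler byte, are cheap to check before an archive is ever opened on an endpoint. The script below is an added example written for this article, not HP's tooling: it computes the per-entry compression ratio from the zip central directory, finds the longest single-byte run in each entry, and flags entries that exceed a threshold. The archive it inspects is constructed in the script (a small pseudo-random "executable" and the same body padded with 2 MB of 0x30 bytes); the file names, thresholds and sizes are illustrative assumptions, not values from the HP report.

```python
import io
import random
import re
import zipfile


def compression_ratio(compressed_size, uncompressed_size):
    """Fraction of bytes saved by compression (1.5 MB -> 753 MB gives ~0.998, i.e. 99.8%)."""
    if uncompressed_size == 0:
        return 0.0
    return 1.0 - compressed_size / uncompressed_size


def longest_byte_run(data):
    """Return (byte_value, run_length, offset) of the longest run of one repeated byte.

    The regex (.)\\1* matches a maximal run of identical bytes; the scan runs in C,
    so it copes with multi-megabyte payloads without a Python-level loop.
    """
    best = max(
        re.finditer(rb"(.)\1*", data, re.DOTALL),
        key=lambda m: m.end() - m.start(),
        default=None,
    )
    if best is None:
        return None, 0, -1
    return best.group(1)[0], best.end() - best.start(), best.start()


def inspect_zip(zip_bytes, ratio_threshold=0.95, run_threshold=1_000_000):
    """Flag archive entries whose compression ratio or filler run looks like padding.

    Thresholds are assumptions for this example: legitimate installers rarely
    compress above ~50% (the 47% average quoted by HP) and rarely contain a
    megabyte-scale run of one byte value.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Sizes come from the central directory, so the ratio is known before extraction.
            ratio = compression_ratio(info.compress_size, info.file_size)
            payload = zf.read(info)  # for very large real samples, stream instead
            byte, run_len, offset = longest_byte_run(payload)
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 4),
                "filler_byte": byte,
                "filler_run": run_len,
                "filler_offset": offset,
                "suspicious": ratio >= ratio_threshold or run_len >= run_threshold,
            })
    return findings


def build_sample_archive():
    """Constructed test data (not HP's sample): one plain entry and one padded with 0x30 bytes."""
    rng = random.Random(1)
    body = b"MZ" + bytes(rng.randrange(256) for _ in range(20_000))  # incompressible stand-in for code
    padded = body + b"\x30" * 2_000_000  # filler area appended after the real content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plain.exe", body)
        zf.writestr("padded_installer.exe", padded)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding)
```

Run stand-alone, the script reports the plain entry at a ratio near zero and the padded entry at roughly 99% with a 2,000,000-byte run of 0x30 starting just after the real content, which is the shape of the artefact HP describes. The ratio check alone is not proof of malice (resource-heavy or zero-filled installers exist), so treat it as a triage signal that sends the sample to a sandbox rather than as a verdict, and keep in mind that the same oversized-file trick defeats any scanner with a hard size cap, so scanning the archive entries rather than the extracted file is what makes this check useful.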

The Windows 11 ruse is typical of RedLine's operators, who have built a cheap and nasty malware service for non-techies to use. In December, it was riding on the branding of the hugely popular messaging app Discord.

HP notes: "Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources."


Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.