HP researchers report that attackers are disguising the RedLine stealer as a Windows 11 upgrade: Windows 10 users are being duped into downloading fake Windows 11 installers that spread the info-stealing RedLine malware. Excerpt:
On 27 January 2022, the day after the final phase of the Windows 11 upgrade was announced, we noticed a malicious actor registered the domain windows-upgraded[.]com, which they used to spread malware by tricking users into downloading and running a fake installer.
The attackers copied the design of the legitimate Windows 11 website, except clicking on the “Download Now” button downloads a suspicious zip archive called Windows11InstallationAssistant.zip. The file was hosted on Discord’s content delivery network.
Windows 11 has been a star for Microsoft's flagship OS; its demand has even exceeded the expectations of Microsoft's own team. However, as they say, with great power comes great responsibility. Operators of malware such as RedLine have taken this opportunity to bait users into downloading "fake" Windows 11 downloaders and then stealing their sensitive information, including credit card data, cryptocurrency wallets, and passwords. This isn't the first time RedLine has done something like this: just this past December, they leveraged Discord (which has become the hub of crypto and all things related) to steal user information.
To pose as an authentic source, RedLine has created a website that mimics Microsoft's official Windows 11 website. The difference is that clicking the "Download" button actually downloads a suspicious 1.5 MB zip file. Microsoft has issued statements warning users to only download its software from authentic sources.
Although it shouldn't be that hard to tell an authentic source from a cheap imitation, two steps you can take to protect yourself from this kind of malware are to always run your downloads past anti-virus software and, before that, to make sure you download files only from the original developer's website.
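As an added illustration of how a defender could catch this lure in web-proxy logs (example code written for this page, not part of HP's or Microsoft's tooling), the script below flags download URLs that carry the traits described above: a brand lookalike host outside Microsoft, a Windows installer name delivered as an archive, and an installer hosted on Discord's CDN. The official-host list, the Discord CDN host names, the keyword list and the sample log lines are all constructed assumptions; extend them for your own environment.

```python
"""Flag Windows 11 installer downloads that match the RedLine lure (added example)."""
from urllib.parse import urlparse

# Hosts Microsoft actually uses for Windows downloads (assumption; extend as needed).
OFFICIAL_HOSTS = ("microsoft.com", "windowsupdate.com")
# File-sharing CDN the campaign abused for hosting the archive (assumed host names).
ABUSED_CDN_HOSTS = ("cdn.discordapp.com", "media.discordapp.net")
# Name fragments an attacker would use to make the file look like the real assistant.
LURE_KEYWORDS = ("windows11", "windows-11", "windows_11", "installationassistant")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso")


def host_is_official(host):
    """True when host is one of Microsoft's own download domains or a subdomain."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def lure_indicators(url):
    """Return the reasons a download URL looks like a fake Windows 11 installer."""
    url = url.replace("[.]", ".")  # accept defanged indicators as written in reports
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.lower().rsplit("/", 1)[-1]
    reasons = []
    if host_is_official(host):
        return reasons  # genuine Microsoft host: nothing to flag
    name_mimics_installer = any(k in filename for k in LURE_KEYWORDS)
    if any(brand in host for brand in ("windows", "microsoft")):
        reasons.append(f"brand lookalike host outside Microsoft: {host}")
    if name_mimics_installer and filename.endswith(ARCHIVE_EXTS):
        reasons.append(f"Windows installer name delivered as an archive: {filename}")
    if name_mimics_installer and host in ABUSED_CDN_HOSTS:
        reasons.append(f"installer hosted on a file-sharing CDN: {host}")
    return reasons


def scan_proxy_log(lines):
    """Return (url, reasons) for each log line whose last field is a flagged URL."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        reasons = lure_indicators(url)
        if reasons:
            hits.append((url, reasons))
    return hits


# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = [
    "2022-01-27T10:02:11 10.0.0.5 GET https://www.microsoft.com/en-us/software-download/windows11",
    "2022-01-27T10:03:40 10.0.0.5 GET https://windows-upgraded[.]com/",
    "2022-01-27T10:03:52 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/Windows11InstallationAssistant.zip",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```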