Fake Windows 11 installers download RedLine malware onto computers

Cybercriminals have begun using fake Windows 11 installers to lure users that want to upgrade the previous version of the operating system, Windows 10.

RedLine currently holds the lead among information-stealing malware. It is interested in passwords, cookies, bank card data and cryptocurrency wallets. For example, as of October 2021, RedLine was the main supplier of stolen information to the dark web forums.

As researchers from HP found out, the attackers use the seemingly legitimate domain “windows-upgraded.com” in the campaign. The web resource itself looks like the official Microsoft website, which contains the “Download Now” button.

If the user clicks on the “Download Now” button, a 1.5MB ZIP file named “Windows11InstallationAssistant.zip” will be downloaded to the computer. When opened, the archive creates a 753 MB directory, which demonstrates an impressive compression ratio of 99.8%. As soon as the user launches the executable file from this folder, a PowerShell process with an encrypted argument is automatically activated.

Next, cmd.exe starts and reads some .jpg file stored on a remote server. This file contains a DLL with content in reverse order. Experts believe that attackers use this technique to avoid detection and analysis.

In the final phase of infection, a DLL file is loaded, which is RedLine itself. The malware connects to the C&C via TCP and receives instructions.

Experts advise being extremely careful when downloading Windows 11 images or the corresponding upgrade. It’s always best to trust the official update procedure. And, for example, read our instruction: How to install Windows 11?

Let me remind you that we also wrote that Windows 11 update fixes performance issue for AMD processors.