Bad actors hide malware in fake Windows 11 upgrade site
HP Threat Research Blog has warned that malicious actors are taking advantage of the recent release of Windows 11 to distribute malware. These bad actors registered the domain windows-upgrade[.]com, which takes unsuspecting users to a convincing website that masquerades as a legitimate Windows 11 upgrade site. The domain is used to spread the RedLine Stealer malware, which steals data from a victim's computer so that it can be sold on underground forums.
When a user clicks the download button on the phoney Windows 11 upgrade site, a zip file named Windows11InstallationAssistant, hosted on Discord, is downloaded. The zip file is 1.5 MB in size and expands to 753 MB when decompressed, a staggering compression ratio of 99.8% that is possibly due to highly compressible padding. The bad actors may have included this padding because some antivirus products do not scan very large files.
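A defender can catch this padding trick without extracting anything, because the zip central directory already records each member's compressed and uncompressed size. The following script is an added example, not HP's tooling or the campaign's code; the thresholds and the constructed sample archive are assumptions.

```python
"""Flag zip members whose size expands suspiciously far, the padding trick
described above. Added example; thresholds and sample data are assumptions."""
import io
import zipfile
from typing import Dict, List

# Assumed thresholds: a benign installer rarely exceeds ~98% compression,
# and a member that expands past 500 MB deserves a look before AV skips it.
RATIO_THRESHOLD = 0.98
SIZE_THRESHOLD = 500 * 1024 * 1024


def inspect_zip(data: bytes) -> List[Dict]:
    """Return one record per file member with sizes, ratio and a suspicion flag.
    Only central-directory metadata is read, so nothing is decompressed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = 1 - info.compress_size / info.file_size if info.file_size else 0.0
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": ratio,
                "suspicious": ratio >= RATIO_THRESHOLD or info.file_size >= SIZE_THRESHOLD,
            })
    return findings


def build_sample(padding_len: int) -> bytes:
    """Constructed sample: a tiny fake stub followed by zero padding, mimicking
    an archive that is small on disk but huge once expanded. Not real malware."""
    payload = b"MZ" + b"fake-installer-stub" + b"\x00" * padding_len
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", payload)
        zf.writestr("readme.txt", b"Windows 11 Installation Assistant")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in inspect_zip(build_sample(20 * 1024 * 1024)):
        print(rec)
```

The padded member is flagged on ratio alone, while the small readme passes; point `inspect_zip` at the bytes of a downloaded archive to apply the same check before opening it.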
Running Windows11InstallationAssistant.exe launches a PowerShell process that downloads the RedLine Stealer. The malware pilfers the victim's sensitive information, such as passwords, banking information, cryptocurrency wallets and details about the user's computer.
This latest attempt to take advantage of a recent trend, the release of Windows 11, follows earlier campaigns spreading the RedLine Stealer malware, such as the replica of the Discord download page that hackers set up in December 2021. These bad actors frequently distribute malware via fake download sites, so users should only download software from trusted websites.