Since Windows 11 was first announced in June 2021, there have been numerous campaigns to trick people into downloading fake, malicious Windows 11 installers. After a lull, it appears the campaign is back, and this time it is probably a lot more dangerous.
Indeed, at the time, Windows 11 was not available to the public, but only to insiders, who are generally more savvy and tech-aware. However, Windows 11 has since been released to the masses with rollout acceleration plans also in place, making the situation now much trickier.
The new malware campaign was discovered by the HP Threat Research team when they noticed a new impostor website that looks like Microsoft’s but actually distributes files carrying the RedLine information-stealing malware.
The website is “windows-upgraded[.]com”, as can be seen in the image below, and for anyone not paying close attention it may pass for a genuine Microsoft site, since its layout and appearance look just like the real thing.
When someone clicks the “DOWNLOAD NOW” button, a 1.5MB zip archive called “Windows11InstallationAssistant.zip” is downloaded. What stood out to HP was that this small 1.5MB file, once unzipped, expanded to a 753MB folder, a compression rate of 99.8%.
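As an added defender-side example (not code from HP’s report), the following Python check reads a zip’s central directory without extracting anything and flags archives whose stated compression rate is implausibly high, the signature of the padded download described above. The 0.99 cutoff and the two sample archives are constructed assumptions.

```python
import io
import random
import zipfile

# Flag archives that shed at least this fraction of their bytes when
# compressed. HP reported 99.8% for the fake installer; 0.99 is an
# assumed cutoff, not a value from the report.
SUSPICIOUS_RATE = 0.99

def entry_sizes(data: bytes):
    """Read (name, compressed, uncompressed) for each file from the
    central directory only; nothing is extracted, so a padded or
    zip-bomb archive never touches the disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.compress_size, i.file_size)
                for i in zf.infolist() if not i.is_dir()]

def compression_rate(data: bytes) -> float:
    """Fraction removed by compression: 1 - compressed/uncompressed."""
    entries = entry_sizes(data)
    comp = sum(c for _, c, _ in entries)
    uncomp = sum(u for _, _, u in entries)
    return 0.0 if uncomp == 0 else 1.0 - comp / uncomp

def is_suspiciously_inflated(data: bytes, threshold: float = SUSPICIOUS_RATE) -> bool:
    """True when the archive inflates far beyond what real data allows."""
    return compression_rate(data) >= threshold

def build_zip(members: dict) -> bytes:
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples (not the real campaign files): ordinary mixed
# content versus a stub "installer" padded with 8 MiB of zero bytes,
# the pattern that turns a 1.5MB download into a 753MB folder.
_rng = random.Random(1)
NORMAL = build_zip({"readme.txt": b"hello " * 100,
                    "blob.bin": bytes(_rng.getrandbits(8) for _ in range(4096))})
PADDED = build_zip({"installer.exe": b"MZ" + b"\x00" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("padded", PADDED)):
        print(f"{label}: rate={compression_rate(sample):.4f} "
              f"flagged={is_suspiciously_inflated(sample)}")
```

Because only header metadata is read, the check is cheap enough to run on every archive at a mail or download gateway before any extraction is attempted.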
By reverse-engineering the contents of the package, HP found that this fake Windows 11 installer delivers a RedLine stealer payload which, as the name suggests, is capable of stealing sensitive information such as passwords and other credentials.
You can find more technical details in the official blog linked here.