Since Windows 11 was first announced last June, there has been a lot of fraudulent activity to get users to download fake malicious Windows 11 installers. While this fraud had subsided for a while, it has now re-emerged, and its lethality has escalated.
This is because Windows 11 was not open to the public at the time, but only to Insiders, who were generally more tech-savvy and more conscious. However, Windows 11 has since been made available to the masses, with plans for an accelerated rollout, making the situation more nuanced now.
The new malware campaign was discovered by the HP Threat Research Team after they noticed a new fake website that looked like Microsoft’s but was actually distributing files containing RedLine stealing malware.
The name of the site is “windows-upgraded[.com]”, and as you can see from the image below to those who aren’t paying attention, it may look like a real Microsoft site because of the layout and It does look like the real thing.
When someone clicks the “Download Now” button, the user downloads a 1.5MB compressed package called “Windows11InstallationAssistant.zip” to be downloaded. However, what impressed HP was that the decompression of this mere 1.5MB file resulted in a 753MB folder with a 99.8% compression ratio.
After reversing the contents of the package, HP discovered that the Windows 11 installer delivered a payload of RedLine stealer malware, which, as the name suggests, is capable of stealing sensitive information such as passwords and other credentials.