Fake Windows 11 Upgrade Installers Add RedLine MalwareCybercriminals Taking Advantage of Final Phase of Windows 11 Upgrade
Cybercriminals are taking advantage of the final phase of the Windows 11 upgrade announced on Jan. 26 by installing RedLine Stealer malware for those who download a fake installer, according to the HP Threat Research team.
A day after the final phase was released, researchers said they noticed a malicious actor had registered the domain "windows-upgraded[.]com," which they then used to spread malware by tricking users into downloading and running a fake installer, according to the researchers.
"The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information-stealing malware family that is widely advertised for sale within underground forums," they say.
Criminals choose topical events, such as the launch of a new technology, a natural disaster or a sporting event to attack, says Javvad Malik, lead security awareness advocate at security firm KnowBe4.
"At these times, we often see an increase in fake domains being registered and various phishing attempts to trick unsuspecting users to give up payment information [and] credentials or to download malware," Malik says.
Initial Attack Vector
The RedLine Stealer is distributed using a duplicate of the legitimate Windows 11 website design, the researchers say. Except, of course, in the case of the fake website, cybercriminals plug in a "Download Now" button, which when downloaded shows a zip archive named Windows11InstallationAssistant.zip, they say.
This suspicious file was hosted on Discord’s content delivery network. It is a 1.5 MB file containing six Windows DLLs, an XML file and a portable executable, according to the researchers.
"This campaign highlights once again how attackers are quick to take advantage of important, relevant and interesting current events to create effective lures. Prominent announcements and events are always interesting topics for threat actors, which can be exploited to spread malware," they say. "Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources."
Researchers say that the threat actors registered the domain "windows-upgraded.com" on Jan. 27 under the name Nicenic International Group Co. Ltd. and the organization Ozil Verfig from Moscow, Russia.
Upon decompressing the zip archive file, researchers found a folder with a total size of 753 MB, in which the executable file named Windows11InstallationAssistant.exe was the largest, at 751 MB.
"Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executable of 47%," the researchers say.
They say that such a high compression ratio can only be achieved if the executable likely contains padding, which is extremely compressible. They spotted this padding in a hex editor, which is a computer program that allows for manipulation of the fundamental binary data.
The larger portion of the file is padded with 0x30 bytes and is irrelevant to run the file, the researchers say. They add that many sandboxes and malware analysis tools are incapable of processing large files and must analyze these suspicious files manually or by shrinking them.
"The large filler area is located at the end of the file just before the file signature. Due to a digest mismatch, the signature verification results in an error ... By truncating the filler area as well as the signature, we obtain a valid portable executable," the researchers say.
They say the attackers may have padded the files to keep them from being scanned by antivirus and other scanning controls, which increases the possibility of the file being executed unhindered and the malware being installed.
Once the file had been shrunk, the researchers were able to analyze it dynamically in a sandbox or with static malware analysis tools. Once the malware is executed, it starts a PowerShell process with an encoded argument, which causes a cmd.exe process to be launched with a timeout of 21 seconds. Once this timeout expires, the initial process downloads a file named win11.jpg from a remote web server.
When researchers ran the file utility against win11.jpg, the tool failed to identify its file type, suggesting that it is encoded or encrypted. But upon opening the file in a text editor, the researchers found that the contents were simply stored in reverse order.
"Once the contents of the file are reversed, we get a dynamic link library (DLL). This DLL is loaded by the initial process, which executes itself again then replaces the current thread context with the downloaded DLL. This is the RedLine Stealer payload, a classic information stealer," the researchers say.
The RedLine stealer payload collects various information about the current execution environment, such as the username, computer name and installed software and hardware information. The malware can also steal stored passwords from web browsers and auto-complete data such as credit card information, as well as cryptocurrency files and wallets.
To exfiltrate stolen information or receive further instruction, the stealer opens a TCP connection to a configured command-and control-server.
Andy Norton, European cyber risk officer at cybersecurity firm Armis, says that from an enterprise perspective, on the surface this would appear to be of little risk. The characteristics of the infection method are well known, he says, and many detection technologies exist to intercept these attempts. The same enterprise, however, may still be at risk because smaller businesses and individual contractors may not have the same level of protection - and they may hold a third-party relationship with the enterprise, which necessitates a set of credentials giving them access to the enterprise network.
"Despite this connection, the guest network and the BYOD VLANS in large organizations - which carry a different set of risks - are often neglected or dismissed by SOC teams," Norton says.
Links to Previous Campaign
According to HP researchers, the tactics, techniques and procedures in this RedLine Stealer campaign are similar to a campaign they analyzed in December 2021.
In that campaign, the malicious actor registered discrodappp[.]com, which the attackers used to serve RedLine Stealer, disguised as an installer for the popular messaging app.
As with this campaign, the malicious actors used fake websites mimicking popular software to trick users into installing their malware, registered the domains using the same domain registrar, used the same DNS servers, and delivered the same family of malware, the researchers say.
In July 2021, researchers from security firm Kaspersky said that the cybercriminals are delivering malware to those downloading a fake demo version of Windows 11 (see: Researchers Describe Windows 11 Preview Scam).
Those who download the fake OS face the risk of a variety of malicious programs being installed, the researchers said.
Kaspersky said it had defeated several hundred infection attempts that used similar Windows 11-related schemes. "A large portion of these threats consists of downloaders, whose task is to download and run other programs ... from relatively harmless adware, which our solutions classify as not-a-virus, to full-fledged Trojans, password stealers, exploits and other nasty stuff," the report notes.
"We don’t recommend running the update on your main computer; prebuilds can be unstable. We also advise you to use a reliable security solution and never disable it, so that cybercriminals cannot gain access to your computer through social engineering or vulnerabilities in the not-ready-for-primetime system," Kaspersky said.