White Hat Institute

RedLine virus is infected through phony Windows 11 upgrade packages

RedLine Windows 11 fake upgrade
Retrieved from cdn.secnews.gr

Users of Windows 10 have been tricked into downloading and installing RedLine stealer virus by malicious attackers delivering bogus Windows 11 upgrade packages. Cybercriminals were well-prepared for this operation and planned for the appropriate opportunity to maximize their operation’s success, as the attacks coincided with Microsoft’s announcement of Windows 11’s broad rollout phase. Because RedLine stealer is the most extensively used password, browser cookie, credit card, and cryptocurrency wallet information stealer, its infestations can have serious consequences for victims.

The perpetrators used the presumably legal “windows-upgraded.com” website for the malware delivery process of their operation, according to HP researchers who discovered it. The webpage seems to be a legitimate Microsoft page, and visitors who clicked the ‘Download Now’ button downloaded a 1.5 MB ZIP file named “Windows11InstallationAssistant.zip,” which was obtained directly from a Discord CDN.

Retrieved from threatresearch.ext.hp.com

When you decompress the file, you’ll get a folder that’s 753MB in size, with a compression ratio of 99.8% due to the existence of padding in the program. When the user executes the application in the folder, a PowerShell process with an encoded argument is launched.

After that, a cmd.exe process is started with a timeout of 21 seconds, and a.jpg file is retrieved from a remote web server after the timeout expires. This file includes a DLL with its contents reversed, potentially to avoid detection methods. Lastly, the startup process loads the DLL and uses it to replace the existing thread context. That DLL is a RedLine stealer payload that uses TCP to connect to a command-and-control server and receive commands on what destructive operations it should run next on the newly infected system.

Despite the fact that the distribution site is currently unavailable, nothing prevents the perpetrators from registering a new domain and resuming their activity. In fact, it’s extremely likely that this is already taking place in the wild. Because many Windows 10 customers are unable to obtain Windows 11 through official distribution channels due to hardware incompatibilities, malware operators see this as an ideal opportunity to acquire new victims.

Remember that these dangerous websites are promoted through forum and social media posts, as well as instant messages, so only trust the official Windows upgrade system notifications.