RedLine malware pretends to be a Windows 11 upgrade installer

RedLine malware
Fake website used for malware distribution (HP)

Security researchers have observed hackers distributing malware to Windows 10 users under the guise of a Windows 11 upgrade. Microsoft is currently rolling out Windows 11 widely, so most supported devices should be receiving an upgrade prompt through Windows Update at this time. Criminals saw an opportunity here, and the gang behind the RedLine malware started building fake upgrade installers to lure users into downloading them.


Because a genuine system upgrade is expected to be large, the fake installer package built by the criminals inflates itself to 753MB. A download of that size would take users a long time, and the hackers obviously did not want users waiting, so the actual file served by the convincing phishing website windows-upgraded[.]com is only 1.5MB. Decompressing it yields a 753MB folder, an impressive compression ratio of 99.8% that is achieved by padding the executable.
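The padding trick described above leaves a measurable signature: a large file that compresses almost completely and is dominated by a single byte value. The following Python script is an added example (not part of the original article or HP's analysis) that computes those statistics for a constructed sample and flags it as padded; the detection thresholds and the name `looks_padded` are assumptions for illustration, and the sample is scaled down from the real 753MB installer so it runs instantly.

```python
import zlib

# Constructed sample (not the real installer): a small block of varied bytes
# followed by a long run of null-byte padding, mimicking an inflated binary.
PAYLOAD = bytes(range(256)) * 64                        # 16 KiB of "real" content
TOTAL_SIZE = 4 * 1024 * 1024                            # 4 MiB total
PADDED_SAMPLE = PAYLOAD + b"\x00" * (TOTAL_SIZE - len(PAYLOAD))


def padding_stats(data: bytes) -> dict:
    """Return size, zlib compression ratio, the dominant byte value and how much
    of the file it accounts for, and the length of the trailing run of that byte."""
    compressed = zlib.compress(data, 9)
    ratio = 1 - len(compressed) / len(data)
    # Find the most frequent byte value; bytes.count with a 1-byte needle is fast.
    dominant = max(range(256), key=lambda b: data.count(bytes([b])))
    share = data.count(bytes([dominant])) / len(data)
    trailing = len(data) - len(data.rstrip(bytes([dominant])))
    return {
        "size": len(data),
        "compressed_size": len(compressed),
        "compression_ratio": ratio,
        "dominant_byte": dominant,
        "dominant_share": share,
        "trailing_padding": trailing,
    }


def looks_padded(data: bytes, min_size: int = 1024 * 1024,
                 min_ratio: float = 0.95, min_share: float = 0.90) -> bool:
    """Heuristic (thresholds are assumptions): a file at least min_size bytes that
    compresses by at least min_ratio and is at least min_share one byte value."""
    s = padding_stats(data)
    return (s["size"] >= min_size
            and s["compression_ratio"] >= min_ratio
            and s["dominant_share"] >= min_share)


if __name__ == "__main__":
    for name, blob in (("payload only", PAYLOAD), ("padded sample", PADDED_SAMPLE)):
        s = padding_stats(blob)
        print(f"{name}: {s['size']} bytes, ratio {s['compression_ratio']:.4f}, "
              f"dominant byte 0x{s['dominant_byte']:02x} ({s['dominant_share']:.3f}), "
              f"trailing padding {s['trailing_padding']} bytes, "
              f"padded={looks_padded(blob)}")
```

Running it on a real file is a matter of passing `open(path, "rb").read()` to `looks_padded`; the check is cheap enough to run across a download directory or a mail gateway quarantine, and the trailing-padding figure tells an analyst how much of the file can be discarded before looking at the actual executable content.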

When the user launches the program, the malware connects to its command-and-control (C2) server and fetches instructions from it.

This kind of routine is actually very common. The phishing website has been shut down, but I believe this fake upgrade assistant is still slowly spreading on the Internet. Hackers will lure users into downloading it through other means, such as posting on social forums, and some may also bundle it with downloads from certain download sites and install it silently.

Users who want to upgrade to Windows 11 can click Update directly in the system settings, or download the upgrade assistant from Microsoft’s official website and follow the prompts.

Finally, a word about the RedLine malware itself. It is an old malware family, but it remains very harmful because of the range of malicious operations it performs. Its main behaviors include stealing browser cookies to log in to user accounts, stealing saved passwords, stealing credit card information, and even stealing cryptocurrency wallet keys.