HP detects counterfeit Windows 11 installers for Windows OS upgraders

Cyberattackers are dishing out fake Windows 11 upgrade installers to the users of Windows 10 by manipulating them into downloading and executing 'RedLine Stealer' malware. A blogpost by HP affirmed that many Windows 10 users have unwittingly downloaded these files making them susceptible to their systems getting infected.  

The above threat by RedLine is an information-stealing malware often used by Cyber criminals over the email.

While the site looks like a genuine Microsoft site and if anyone clicked on ‘Download Now’ button, that person will receive a 1.5 MB ZIP archive by the name of “Windows11InstallationAssistant.zip".

Patrick Schläpfer, Malware Analyst at HP, informed, “On 27 January 2022, the day after the final phase of the Windows 11 upgrade was announced, we noticed a malicious actor registered the domain ‘windows-upgraded[.]com’, which they used to spread malware by tricking users into downloading and running a fake installer. The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information stealing malware family that is widely advertised for sale within underground forums.” 

The blogsite by HP also revealed that the tactics, techniques and procedures (TTPs) in this RedLine Stealer campaign are similar to one it analysed in December 2021, wherein the malicious actor registered ‘discrodappp[.]com’, which they used to serve RedLine Stealer disguised as an installer for the popular messaging app. In both campaigns, the threat actor used fake websites mimicking popular software to trick users into installing their malware, registered the domains using the same domain registrar, used the same DNS servers, and delivered the same family of malware, as claimed by the blogsite.