HP cybersecurity researchers have discovered a fake Windows 11 installer app online that hides the dangerous RedLine Stealer malware. For those who don’t know, RedLine Stealer is a potent information stealer capable of harvesting personal data such as saved passwords and browser data, along with financial information including cryptocurrency wallet details, credit card data and more.
How the malware gets into your PC
A few months ago, Microsoft launched the Windows 11 operating system. All Windows 10 users are eligible for a free upgrade to the new OS through the system upgrade feature, but not every PC meets the required hardware specifications. Fraudsters have taken advantage of this situation by setting up domains that impersonate Microsoft and serve fake Windows 11 installers. As mentioned in the report, HP researchers discovered the windows-upgraded.com domain, which mimics the official Microsoft download page. The report notes that several of the links have already been taken down, but many more are probably still out there.
Users who download files from these malicious websites get a ZIP archive named “Windows11InstallationAssistant.zip”. The report reveals that the zip file is only 1.5 MB and contains six Windows DLLs, an XML file and a portable executable. After decompressing the archive, users get a folder with a total size of 753 MB, of which the executable Windows11InstallationAssistant.exe alone accounts for 751 MB.
Since the compressed size of the zip file is only 1.5 MB, this gives an impressive compression ratio of 99.8%. This is far higher than the average zip compression ratio for executables, which is around 47%. To achieve such a high ratio, the executable almost certainly contains padding that is extremely compressible, such as long runs of a single repeated byte value appended to the real program.
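A heuristic an analyst could run over an archive like this, as an added example that is not from the HP report or the article: it reads each member's compressed and declared sizes from the ZIP central directory, inflates the member under a size cap (the declared size is attacker-controlled, and an archive with these ratios could just as well be a zip bomb), and flags members that both compress far above normal and consist mostly of one repeated byte. The threshold values, the sample archive and the file names in it are constructed for this example; the padded "installer" is a small random stub followed by 4 MiB of zero bytes, a scaled-down version of the layout the report describes.

```python
"""Added example (not from the HP report or the article): flag ZIP members
whose sizes imply padding-driven compression.

Constructed sample archive: an 'installer' consisting of a small incompressible
stub followed by megabytes of zero padding, plus two ordinary files.
"""
import io
import os
import zipfile
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example, not values from the report.
RATIO_ALERT = 0.98              # 1 - compressed/uncompressed; the article's sample was 0.998
PADDING_ALERT = 0.90            # fraction of bytes equal to the single most common byte
MAX_INFLATE = 64 * 1024 * 1024  # cap on bytes decompressed per member (zip-bomb guard)
SAMPLE_BYTES = 1 << 20          # how much of a member is examined for padding


@dataclass
class MemberReport:
    name: str
    compressed: int        # compress_size from the central directory
    declared: int          # file_size from the central directory (attacker-controlled)
    actual: int            # bytes really produced by inflating (capped at MAX_INFLATE)
    ratio: float
    padding_fraction: float
    suspicious: bool


def compression_ratio(compressed: int, uncompressed: int) -> float:
    """Space saved as a fraction, e.g. 1.5 MB -> 753 MB gives ~0.998."""
    if uncompressed <= 0:
        return 0.0
    return 1.0 - compressed / uncompressed


def repeated_byte_fraction(data: bytes) -> float:
    """Fraction of bytes equal to the most common byte value.

    Real code and compressed resources spread byte values out; padding made of
    one repeated byte (0x00, 0xFF, ...) pushes this towards 1.0. The member is
    stride-sampled so the check stays cheap on very large files while still
    seeing padding appended at the tail.
    """
    if not data:
        return 0.0
    stride = max(1, len(data) // SAMPLE_BYTES)
    sample = bytes(data[::stride])
    return max(sample.count(bytes([b])) for b in range(256)) / len(sample)


def inflate_capped(zf: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int) -> bytearray:
    """Decompress a member without trusting its declared size: stop at `cap` bytes."""
    out = bytearray()
    with zf.open(info) as fh:
        while len(out) < cap:
            chunk = fh.read(min(1 << 20, cap - len(out)))
            if not chunk:
                break
            out += chunk
    return out


def audit_zip(zip_bytes: bytes) -> list[MemberReport]:
    """Report every file member; flag those that look padded for compressibility."""
    reports = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = inflate_capped(zf, info, MAX_INFLATE)
            ratio = compression_ratio(info.compress_size, info.file_size)
            padding = repeated_byte_fraction(data)
            reports.append(MemberReport(
                name=info.filename,
                compressed=info.compress_size,
                declared=info.file_size,
                actual=len(data),
                ratio=ratio,
                padding_fraction=padding,
                suspicious=ratio >= RATIO_ALERT and padding >= PADDING_ALERT,
            ))
    return reports


def build_sample_archive(padding_len: int = 4 * 1024 * 1024) -> bytes:
    """Constructed test input mimicking the report's archive layout at small scale."""
    stub = b"MZ" + os.urandom(4094)              # incompressible stand-in for real code
    padded_exe = stub + b"\x00" * padding_len     # the padding that inflates the file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", padded_exe)
        zf.writestr("config.xml", b"<config><item name='a'/><item name='b'/></config>")
        zf.writestr("helper.dll", os.urandom(64 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for r in audit_zip(build_sample_archive()):
        print(f"{r.name:40s} {r.compressed:>8d} -> {r.actual:>9d} bytes "
              f"ratio={r.ratio:.3f} padding={r.padding_fraction:.2f} "
              f"{'SUSPICIOUS' if r.suspicious else 'ok'}")
```

Run on its own, the script prints one line per member; only the padded executable trips both checks, while the random "DLL" shows a ratio near zero and the small XML file a low padding fraction. Comparing `actual` with `declared` is the part worth keeping in any real pipeline: a member whose inflated size stops at the cap, or disagrees with the central directory, deserves attention regardless of the ratio.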
The executable contains the dangerous RedLine Stealer malware. Apart from your banking details, the malware also collects information such as location, installed security software, username, hardware configuration and more. It can upload and download files and execute commands, and it sends the harvested personal data back to the fraudsters via a command-and-control (C2) server. The information gathered from your PC can later be used for fraudulent activities.