This Fake Windows 11 Upgrade Has A Malware That Steals Password, And Lots More


Microsoft Windows 10 was a huge step up from its predecessors. And with Windows 11, Microsoft wants to bring things to a whole new level.

There are more than 1 billion computers running some version of Microsoft Windows. When Windows 11 hit the market, the demand for an upgrade was huge. Cybercriminals know this too, and they have moved to exploit the trend by creating malware that disguises itself as a Windows 11 installer.

The fake upgrade targets people who wish to upgrade to Windows 11 but cannot because of the hardware requirements.

Those people, unable to install Windows 11 because their PCs fall below the operating system's minimum requirements, may seek unofficial copies of the Windows product.

By downloading unofficial installers, those people think they can circumvent the legitimate installation process and experience Windows 11, when in fact they can fall prey to malicious websites offering a malicious upgrade file.

One example was windows-upgraded[.]com.

According to the HP Threat Research team, which first found the domain, nothing seemed out of the ordinary at first.

With Microsoft branding and images, the website also had a design similar to the official Microsoft website.

At first glance, the website looks and feels legitimate.

But that website served only one purpose, and that purpose was nefarious.

Unsuspecting visitors would see a 'Download Now' button on the landing page, which promised them a free copy of Windows 11.

Clicking on the button would download a file named Windows11InstallationAssistant.zip, which would run a dangerous malware called 'RedLine Stealer'.

This particular malware is popular among hackers who wish to steal credentials, browser cookies, banking information and cryptocurrency wallet data.

The file was hosted on Discord’s CDN.

The website that hosted the malicious Windows 11 upgrade file resembled the legitimate Microsoft website. (Credit: HP Threat Research)

According to the researchers in a blog post:

"Threat actors are always looking for topical lures to socially engineer victims into infecting systems. We recently analyzed one such lure, namely a fake Windows 11 installer. On 27 January 2022, the day after the final phase of the Windows 11 upgrade was announced, we noticed a malicious actor registered the domain windows-upgraded[.]com, which they used to spread malware by tricking users into downloading and running a fake installer."

"The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information stealing malware family that is widely advertised for sale within underground forums."

[...]

"It collects various information about the current environment, such as the username, computer name, installed software and hardware information. The malware also steals stored passwords from web browsers, auto-complete data such as credit card information, and cryptocurrency files and wallets."

The files stored inside the compressed downloaded file. (Credit: HP Threat Research)
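The researchers' description above gives a defender three concrete signals to look for in web proxy logs: a newly registered domain, a brand name embedded in a domain that is not the brand's own, and a branded archive served from a file-sharing CDN. The following script is an added example (not HP Threat Research's code) that checks constructed proxy log lines for those three signals. The log format, the registration dates, and the CDN hostname `cdn.discordapp.com` are assumptions made for the example; in practice registration dates would come from an RDAP or WHOIS lookup.

```python
"""Flag proxy log records that match the lure pattern described in the article.

Assumed record format (constructed for this example), one per line:
    <timestamp> <client_ip> <method> <url> <status>
"""
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed sample records, not real traffic. The first two lines reproduce
# the pattern in the article: a visit to the lookalike domain followed by a
# download of the branded archive from the CDN.
SAMPLE_LOG = """\
2022-01-27T10:02:11Z 10.0.0.15 GET https://windows-upgraded.com/ 200
2022-01-27T10:02:14Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/111/222/Windows11InstallationAssistant.zip 200
2022-01-27T10:05:40Z 10.0.0.22 GET https://www.microsoft.com/en-us/windows/windows-11 200
2022-01-27T10:07:03Z 10.0.0.31 GET https://cdn.discordapp.com/attachments/333/444/holiday-photo.png 200
"""

# Constructed registration dates; only the first matches the article
# (domain registered on 27 January 2022). The others are illustrative.
REGISTRATION_DATES = {
    "windows-upgraded.com": date(2022, 1, 27),
    "microsoft.com": date(1991, 5, 2),
    "discordapp.com": date(2015, 3, 3),
}
SCAN_DATE = date(2022, 1, 28)  # the day the scan runs (constructed)

BRAND_TERMS = ("windows", "microsoft")
FILE_SHARING_CDNS = ("cdn.discordapp.com",)  # assumed hostname for Discord's CDN
NEW_DOMAIN_DAYS = 30
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com hosts used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def brand_lookalike(host):
    """True when a brand term appears in a domain that is not the brand's own."""
    dom = registrable_domain(host)
    return any(t in dom for t in BRAND_TERMS) and dom != "microsoft.com"


def newly_registered(host, today, reg_dates):
    """True when the registrable domain was registered within NEW_DOMAIN_DAYS."""
    reg = reg_dates.get(registrable_domain(host))
    return reg is not None and (today - reg) <= timedelta(days=NEW_DOMAIN_DAYS)


def branded_archive_from_cdn(host, path):
    """Archive whose filename carries a brand term, served from a file-sharing CDN."""
    name = path.rsplit("/", 1)[-1].lower()
    return (host.lower() in FILE_SHARING_CDNS
            and name.endswith((".zip", ".rar", ".7z"))
            and any(t in name for t in BRAND_TERMS))


def scan(log_text, today=SCAN_DATE, reg_dates=REGISTRATION_DATES):
    """Return (client_ip, url, [reasons]) for every record that trips a signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed records rather than crash on them
        _, client, _, url, _ = m.groups()
        u = urlparse(url)
        host, path = u.hostname or "", u.path
        reasons = []
        if brand_lookalike(host):
            reasons.append("brand term in non-Microsoft domain")
        if newly_registered(host, today, reg_dates):
            reasons.append("domain registered within %d days" % NEW_DOMAIN_DAYS)
        if branded_archive_from_cdn(host, path):
            reasons.append("branded archive downloaded from file-sharing CDN")
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Run against the constructed log, the scan flags the visit to windows-upgraded.com on two counts (brand term, newly registered) and the download of Windows11InstallationAssistant.zip from the CDN on one, while the legitimate microsoft.com visit and the unrelated image download pass. Each signal is weak on its own; correlating them per client, as the first two records show, is what turns a noisy heuristic into a useful alert.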

Fortunately, the website on the domain in question has been taken down, and users should be safe from it.

But this campaign highlights how hackers are extremely quick in taking advantage of important, relevant and interesting events to create effective lures.

Most if not all prominent announcements and events can be exploited to spread malware.

This is why windows-upgraded[.]com was not the first, and will certainly not be the last.

To avoid this kind of campaign, people should be careful and avoid third-party websites or app stores.

Published: 15/02/2022