Cybersecurity researchers from HP identified a fake Windows 11 installer app online that contains hidden RedLine Stealer malware. For those unfamiliar, RedLine Stealer is a powerful information-stealing malware capable of capturing personal information such as passwords and browser data, as well as financial information such as cryptocurrency wallet details, credit card data, and similar data.
About the Fake Windows 11 Online Scam
Microsoft released the Windows 11 operating system a few months ago. Through the system upgrade feature, all Windows 10 users are eligible for a free upgrade to the new OS, but not everyone has the requisite hardware specs. Fraudsters have taken advantage of this situation and set up fake Windows 11 installer domains that imitate Microsoft. According to the report, HP researchers uncovered a windows-upgraded.com domain that looks identical to the official Microsoft page. Even though several links have been taken down, some are probably still out there.
Users who download from these malicious websites receive a ZIP archive named “Windows11InstallationAssistant.zip”. According to the report, the zip file is around 1.5 MB in size and comprises six Windows DLLs, an XML file, and a portable executable. Decompressing the archive yields a folder with a total size of 753 MB; the largest file is the 751 MB executable Windows11InstallationAssistant.exe.
Since the compressed size of the zip file was only 1.5 MB, it has a remarkable compression ratio of 99.8 percent. This is far higher than the typical zip compression ratio of 47 percent for executables. In order to achieve such a high compression ratio, the executable most likely contains padding that is exceptionally compressible.
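The compression-ratio anomaly described above is a cheap triage signal that can be checked from a ZIP's central directory without fully unpacking the archive. The script below is an added example, not HP's tooling or anything shipped with the malicious installer: it builds a constructed sample archive that mimics the reported layout (a few small support files plus one "executable" that is mostly zero padding), flags any large member whose compression ratio exceeds a threshold, and for flagged members measures how much of the file is a trailing run of one repeated byte. The file names, sizes and the 95 percent threshold are assumptions chosen for illustration; the real archive's 99.8 percent ratio would trip the same check.

```python
import io
import random
import zipfile

MIB = 1024 * 1024


def build_sample_zip() -> bytes:
    """Constructed sample archive (NOT the real Windows11InstallationAssistant.zip).

    Mimics the pattern in the report: small support files plus one large
    'executable' whose bulk is highly compressible zero padding.
    """
    rng = random.Random(7)  # seeded so the sample is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Installer.xml", b"<config><version>1.0</version></config>")
        # pseudo-random bytes stand in for real compiled code: deflate barely shrinks them
        dll_size = 512 * 1024
        zf.writestr("helper.dll", rng.getrandbits(8 * dll_size).to_bytes(dll_size, "little"))
        # 2 KiB of 'code' followed by 32 MiB of zero padding (hypothetical padded executable)
        zf.writestr("Installer.exe", bytes(range(256)) * 8 + b"\x00" * (32 * MIB))
    return buf.getvalue()


def trailing_pad_bytes(blob: bytes) -> int:
    """Length of the run of a single repeated byte value at the end of blob."""
    if not blob:
        return 0
    return len(blob) - len(blob.rstrip(blob[-1:]))


def analyze_zip(data: bytes, ratio_threshold: float = 0.95, min_size: int = MIB) -> dict:
    """Triage a ZIP using central-directory metadata only.

    Members at least min_size bytes whose compression ratio (1 - compressed/uncompressed)
    reaches ratio_threshold are decompressed and inspected for trailing padding.
    Everything else is never inflated, so the check stays cheap on large archives.
    """
    suspicious = []
    total_comp = 0
    total_uncomp = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total_comp += info.compress_size
            total_uncomp += info.file_size
            ratio = 1.0 - info.compress_size / info.file_size if info.file_size else 0.0
            if info.file_size >= min_size and ratio >= ratio_threshold:
                member = zf.read(info)  # only anomalous members are inflated
                pad = trailing_pad_bytes(member)
                suspicious.append({
                    "name": info.filename,
                    "uncompressed": info.file_size,
                    "compressed": info.compress_size,
                    "ratio": round(ratio, 4),
                    "trailing_pad_fraction": round(pad / info.file_size, 4),
                })
    overall = 1.0 - total_comp / total_uncomp if total_uncomp else 0.0
    return {
        "archive_compressed": len(data),
        "total_uncompressed": total_uncomp,
        "overall_ratio": round(overall, 4),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = analyze_zip(build_sample_zip())
    print(f"archive {report['archive_compressed']:,} B -> {report['total_uncompressed']:,} B "
          f"unpacked (ratio {report['overall_ratio']:.1%})")
    for item in report["suspicious"]:
        print(f"  SUSPICIOUS {item['name']}: ratio {item['ratio']:.1%}, "
              f"{item['trailing_pad_fraction']:.1%} of the file is trailing padding")
```

The ratio comes from the `compress_size` and `file_size` fields that every ZIP entry already carries, so a mail gateway or download scanner can apply the same rule before inflating anything; the padding measurement is only run on members that have already tripped the ratio check, which is also where a decompression-bomb size cap would belong in production use.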
The RedLine Stealer malware is hidden in this file. In addition to your banking details, the malware can collect information such as your location, installed security software, username, hardware configuration, and more. It can upload and download files and execute commands, and it communicates with the fraudsters' command-and-control (C2) server to hand over your personal information. The data obtained from your computer can later be used for fraudulent activities.