
Researchers at HP released an article today warning of a new scam that attackers are using to spread the RedLine family of malware. The scam tricks users into downloading a fake Windows 11 upgrade package that silently installs the malware on the user’s computer. It is similar to a previous campaign in December 2021 that impersonated a Discord download page to spread the same RedLine malware.

 

Last week, Microsoft announced they were entering their final phase of free upgrades to Windows 11 from Windows 10 devices. This created a perfect opportunity for attackers to launch a new campaign to spread malware disguised as a Windows 11 upgrade module. People would be eager to get the update before the free offer expires. The attackers created a fake Windows 11 upgrade page that looks similar to what Microsoft would legitimately produce.

Using the domain windows-upgraded[.]com, the site includes a link to download a ‘Windows 11 upgrade assistant.’ The file downloaded is called Windows11InstallationAssistant.zip. Once extracted and executed, it installs RedLine Stealer malware using DLL files and various other means. The RedLine Stealer then gathers information from your computer, including stored passwords in web browsers, cryptocurrency wallet information, installed software, and more. It sends this information through a connection to the IP address 45[.]146[.]166[.]38 on port 2715.
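The domain, file name and C2 endpoint above are the indicators a defender would hunt for in proxy and firewall logs. The following is an added example (not HP's or the article author's code) that scans constructed sample log lines for those indicators; the two log formats and all non-indicator addresses are assumptions for the demo.

```python
"""Scan constructed proxy and firewall log lines for the RedLine campaign
indicators named in the article: the domain windows-upgraded[.]com, the file
Windows11InstallationAssistant.zip and the C2 endpoint 45[.]146[.]166[.]38:2715.
Added detection example, not code from HP or the article."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators from the article, with the defanging brackets removed for matching.
IOC_DOMAINS = {"windows-upgraded.com"}
IOC_FILENAMES = {"Windows11InstallationAssistant.zip"}
IOC_C2 = {("45.146.166.38", 2715)}
IOC_C2_IPS = {ip for ip, _ in IOC_C2}

# Constructed sample lines (not real telemetry). Two assumed formats:
#   proxy:    <ts> <client_ip> <method> <url> <status>
#   firewall: <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
# Non-indicator addresses use private/documentation ranges.
SAMPLE_LOGS = [
    "2022-02-07T10:01:02Z 10.0.0.5 GET https://www.microsoft.com/software-download/windows11 200",
    "2022-02-07T10:03:17Z 10.0.0.5 GET https://windows-upgraded.com/Windows11InstallationAssistant.zip 200",
    "2022-02-07T10:03:18Z 10.0.0.5 GET https://cdn.windows-upgraded.com/assets/logo.png 200",
    "2022-02-07T10:05:40Z 10.0.0.5:51522 -> 45.146.166.38:2715 ALLOW",
    "2022-02-07T10:05:41Z 10.0.0.5:51523 -> 45.146.166.38:443 ALLOW",
    "2022-02-07T10:06:00Z 10.0.0.9:51600 -> 203.0.113.10:443 ALLOW",
]

PROXY_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
FW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def domain_matches(host: str, indicator: str) -> bool:
    """True for the indicator domain itself or any subdomain of it. The match is
    label-aware, so 'windows-upgraded.com.example' does not match."""
    return host == indicator or host.endswith("." + indicator)


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per matched indicator as {'ts', 'src', 'kind', 'ioc'}."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            ts, client, _method, url, _status = m.groups()
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            for dom in IOC_DOMAINS:
                if domain_matches(host, dom):
                    hits.append({"ts": ts, "src": client, "kind": "domain", "ioc": dom})
            filename = parts.path.rsplit("/", 1)[-1]
            if filename in IOC_FILENAMES:
                hits.append({"ts": ts, "src": client, "kind": "filename", "ioc": filename})
            continue
        m = FW_RE.match(line)
        if m:
            ts, src, _sport, dst, dport, _action = m.groups()
            if (dst, int(dport)) in IOC_C2:
                # Exact C2 endpoint from the report: high-confidence beaconing.
                hits.append({"ts": ts, "src": src, "kind": "c2", "ioc": f"{dst}:{dport}"})
            elif dst in IOC_C2_IPS:
                # Same server on another port: lower confidence, still worth triage.
                hits.append({"ts": ts, "src": src, "kind": "c2-ip", "ioc": dst})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Every hit carries the source address, so the host that fetched the archive and the host that later connected to the C2 port can be tied together; in the sample data both are 10.0.0.5, which is the pattern a responder wants to see before isolating the machine.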

This sophisticated attack is perfectly timed with the Microsoft announcement to ensure it is even more effective at spreading the malware. While it can be challenging to recognize fake pages like the one shown above, here are a few tips to keep you safe from spoofing attacks like this.

 

Tip #1: Always go Directly to the Source

When downloading software or upgrading a device, always go directly to the company rather than a third-party site to ensure that you get a legitimate version of the software rather than one that may have malware installed. While many reputable third-party sites exist, getting the software directly from the source should be your first choice. This also means using update features in applications rather than manually downloading updates.

 

Tip #2: Verify Your Google Search

If you Google or Bing a piece of software or an upgrade, check which link you are clicking before downloading anything from the website. Search engines like Google often place advertisements as the first few results of a search. Attackers can abuse this to get their malicious website shown as the top result. For example, when Googling ‘Windows 11 Upgrade’, an attacker could get their website into the first ad slot with the tagline ‘Windows 11 Upgrade Here!’

Before you click a link in Google or download anything from a website, verify that it is legitimate. Look at the domain and decide whether it is normal for that company. For example, windows-upgraded[.]com is not a typical Microsoft URL; Microsoft’s own addresses end in Microsoft[.]com. This also ties back into Tip 1, going directly to the source.
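The domain check above is easy to get wrong in software: a naive "does the address contain microsoft.com" test accepts microsoft.com.evil.example and notmicrosoft.com. The following is an added example, not part of the article, that extracts the hostname from a link and performs a label-aware comparison against a small allow-list; the allow-list, the brand tokens and the `classify` labels are assumptions for the demo, and a production version would resolve registrable domains with the Public Suffix List.

```python
"""Classify a link by whether its hostname really belongs to the vendor's domain.
Added example, not from the article. TRUSTED_DOMAINS and BRAND_TOKENS are
assumed values for the demo."""
from urllib.parse import urlsplit

# Hypothetical allow-list of registrable domains the vendor actually owns.
TRUSTED_DOMAINS = {"microsoft.com"}
# Words that suggest the page is trying to look like the vendor.
BRAND_TOKENS = ("microsoft", "windows")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL. Defanged '[.]' is restored first so
    indicators copied from a report can be checked, and a bare domain without a
    scheme is accepted. Userinfo ('user@host') and ports are discarded."""
    cleaned = url.strip().replace("[.]", ".")
    if "://" not in cleaned:
        cleaned = "https://" + cleaned
    return (urlsplit(cleaned).hostname or "").rstrip(".").lower()


def belongs_to(host: str, domain: str) -> bool:
    """Label-aware suffix match: the host must be the domain itself or end with
    '.' + domain. A plain substring test would wrongly accept
    'microsoft.com.evil.example' and 'notmicrosoft.com'."""
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str:
    """'trusted' if the host is under an allow-listed domain, 'lookalike' if it
    merely contains a brand word (the pattern windows-upgraded[.]com follows),
    'unrelated' otherwise, 'invalid' if no hostname can be parsed."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if any(belongs_to(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in (
        "https://www.microsoft.com/software-download/windows11",
        "windows-upgraded[.]com",
        "https://microsoft.com.evil.example/",
        "https://www.microsoft.com@evil.example/",
    ):
        print(f"{classify(link):10} {link}")
```

The "lookalike" label is the interesting one for a user: it is the case where the page name reads like the vendor but the registrable domain is someone else's, which is exactly what the fake upgrade page relies on.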

 

Tip #3: Verify the Files You Download Via Hashing

Many companies publish a hash for their files so you can verify that the files have not been modified. A hash is a calculated value that stays the same as long as the file does not change. For example, if I have a file titled sparkle-kittens.jpg, the hash might come out as 123abc. If that file is modified in any way, the hash changes. This lets the user know whether the file is legitimate. If a company says their file’s hash should be 123abc, and the hash you calculate for your copy is 456def, you know that your file is not the legitimate file published by the company. You can calculate file hashes using built-in tools on Windows or Apple devices.
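The following is an added example (not from the article) showing the check in code: it hashes a file in chunks with SHA-256, normalizes the published digest, and compares the two. The installer file and the "published" digest are constructed inside the demo and are not real vendor values.

```python
"""Verify a downloaded file against a vendor-published SHA-256 digest.
Added example, not from the article; the installer contents and the
published digest in demo() are constructed for the demonstration."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a multi-gigabyte installer never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize(published: str) -> str:
    """Vendors publish digests with mixed case and stray whitespace; normalize first."""
    return "".join(published.split()).lower()


def verify_download(path: str, published: str) -> bool:
    """True only if the file's SHA-256 equals the published digest."""
    expected = normalize(published)
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a SHA-256 hex digest")
    actual = sha256_file(path)
    # compare_digest avoids short-circuiting on the first differing character.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed scenario: a genuine copy verifies, a one-byte change does not."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Windows11InstallationAssistant.zip")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for an installer\n")
        published = sha256_file(path)  # what the vendor would post on its site
        genuine = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")  # any modification at all, even one byte
        tampered = verify_download(path, published)
    return {"genuine": genuine, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The built-in equivalents the tip refers to are `Get-FileHash .\file.zip -Algorithm SHA256` in PowerShell (or `certutil -hashfile file.zip SHA256` in a Command Prompt) and `shasum -a 256 file.zip` in the macOS Terminal. The check is only as good as the source of the published digest: take it from the vendor's own site over HTTPS, never from the same third-party page that served the download.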

 

Tip #4: Reach Out to the Experts for Help

You don’t have to go it alone. When all else fails, you can contact an IT expert to help you find the right software to download. Verifying software or download sites is simple and quick with the right expertise. Your IT provider should help answer any questions about getting the software to ensure it is legitimate.

These tips should help you get the right software without downloading malware. With the right tools and guidance in IT, you’ll be confident in your security. If you’re not sure whether your security is where it needs to be, or if you have more questions about how you and your company can stay safe, reach out to the security experts at Ascend for a quick consultation on how we can keep your organization safe from these types of attacks and more.

 
