Clever Malware Masquerades as Windows 11 Installer

Microsoft announced Windows 11 last year, but deploying the update to existing devices has been a slow process. In fact, Microsoft isn’t even providing the update on PCs that lack certain modern hardware features. Anyone who goes looking for a manual upgrade to Windows 11 might find themselves on the receiving end of a nasty malware attack, according to HP security researchers. A Russian website disguised as an official Microsoft page is distributing an “upgrade installer” that won’t get you Windows 11. What it will get you is a bunch of malware.

The site in question is windows-upgraded[.com], and we strongly suggest you don’t visit it (you probably won’t be able to, as it appears to have been taken down). Reports suggest you only run into trouble if you download files from the site, but you don’t want to take any chances with these online criminals. The site is a dead ringer for Microsoft’s Windows Update page, and even the URL is a pretty good match—the hackers spent big on the .com domain.

Unlike the official website, the upgrade button downloads a ZIP archive hosted on Discord’s servers. This is something of an ongoing problem for the chat app, which has been used to distribute a surprising volume of malware in the past. When downloaded, the archive is just a few megabytes, consisting of an executable and several DLL files. Compression hides the malware’s real footprint, and something strange happens when the user extracts the files: the total size jumps to 735MB, most of it in the .EXE. HP says the files are padded out with filler (the byte value 0x30, repeated) that has no bearing on the functionality. It’s just a trick to avoid detection by anti-malware tools, which are often unable to automatically process a file that large.
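The padding trick described above leaves measurable traces that a defender can check for without running the sample: one byte value dominates the file, the filler sits in a single long run, and the file compresses far better than real code does (which is exactly why the ZIP was only a few megabytes). The following Python script, added here as an illustration and not code from HP’s report or from this article, computes those three signals on a constructed stand-in for a padded executable and on a constructed clean file; the thresholds are assumptions chosen for demonstration, not published values.

```python
"""Heuristics for spotting padding-inflated executables.

Added example; not HP's or the article's code. The sample bytes are
constructed stand-ins, not real malware. Thresholds are assumptions.
"""
import random
import zlib
from collections import Counter

# Assumed thresholds for illustration; tune against real files before use.
DOMINANT_BYTE_MAX = 0.90      # one byte value making up > 90% of the file
TRAILING_RUN_MAX = 0.50       # one run of identical bytes at the end covering > 50%
COMPRESSION_RATIO_MAX = 100   # raw size / deflated size; real code rarely exceeds ~5


def dominant_byte(data: bytes):
    """Return (byte_value, fraction_of_file) for the most frequent byte."""
    value, count = Counter(data).most_common(1)[0]
    return value, count / len(data)


def trailing_run(data: bytes):
    """Return (byte_value, run_length) for the identical bytes at the end of the file."""
    last = data[-1]
    return last, len(data) - len(data.rstrip(bytes([last])))


def compression_ratio(data: bytes) -> float:
    """Raw size divided by zlib-compressed size; filler compresses almost to nothing."""
    return len(data) / max(1, len(zlib.compress(data, 6)))


def assess_padding(data: bytes) -> dict:
    """Score a file for padding inflation and return the evidence with a verdict."""
    if not data:
        return {"suspicious": False, "flags": ["empty file"]}
    dom_byte, dom_frac = dominant_byte(data)
    run_byte, run_len = trailing_run(data)
    ratio = compression_ratio(data)
    flags = []
    if dom_frac > DOMINANT_BYTE_MAX:
        flags.append(f"byte 0x{dom_byte:02x} is {dom_frac:.1%} of the file")
    if run_len / len(data) > TRAILING_RUN_MAX:
        flags.append(f"trailing run of 0x{run_byte:02x} covers {run_len} bytes")
    if ratio > COMPRESSION_RATIO_MAX:
        flags.append(f"compression ratio {ratio:.0f}:1")
    return {
        "size": len(data),
        "dominant_byte": dom_byte,
        "dominant_fraction": dom_frac,
        "trailing_byte": run_byte,
        "trailing_run": run_len,
        "compression_ratio": ratio,
        "flags": flags,
        # Any two signals together is treated as padding; one alone is only a hint.
        "suspicious": len(flags) >= 2,
    }


def constructed_padded_sample() -> bytes:
    """Constructed stand-in: a small 'executable' followed by 0x30 filler, as HP described."""
    header = b"MZ" + bytes(range(256)) * 8   # not a real PE, just varied bytes
    return header + b"\x30" * 200_000


def constructed_clean_sample() -> bytes:
    """Constructed stand-in for ordinary compiled code: high-entropy bytes, no filler."""
    rng = random.Random(1)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(20_000))


if __name__ == "__main__":
    for name, sample in (("padded", constructed_padded_sample()),
                         ("clean", constructed_clean_sample())):
        verdict = assess_padding(sample)
        print(name, "suspicious" if verdict["suspicious"] else "ok", verdict["flags"])
```

On a real file you would read the bytes from disk, and for something the size of the 735MB sample, `Counter` over every byte is slow in pure Python; sampling fixed-size windows from the head, middle and tail gives the same verdict much faster. The compression-ratio signal is the same observation a person makes when a few-megabyte archive expands to hundreds of megabytes, which is why it is worth checking before a scanner gives up on the file for being too large.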

Absent any alarm bells, users will try to open the “upgrade” launcher, infecting their device with the RedLine Stealer malware. This piece of software is dangerous, but it’s not unique—online criminals can buy a copy of RedLine on hacking forums for $100-150. RedLine scrapes information from browsers, including form fill data, saved passwords, and credit card info. It can even steal any cryptocurrency stored on the device or in connected wallets. The researchers draw parallels between this attack and a December 2021 campaign that used a similar fake page that offered downloads of Discord’s desktop client. Instead, users got this same RedLine malware.

If you’re anxious to get Windows 11, make sure to only use the official Microsoft domain or the Windows settings menu. Downloading a random EXE from the internet continues to be a terrible idea.
