Windows 11 is a major upgrade that many Windows 10 users cannot obtain through Microsoft's official distribution channel because of hardware incompatibilities.
On October 5, 2021, Microsoft released Windows 11 to the public, with TPM 2.0 as one of the requirements for running it. Unfortunately, most systems do not support TPM 2.0.
This has left many Windows 10 users who tried to upgrade to Windows 11 exposed to the dangerous Redline Stealer malware: threat actors have begun distributing a fake Windows 11 upgrade installer to Windows 10 users, tricking them into installing Redline Stealer.
Redline Stealer is the most widely deployed stealer of passwords, browser cookies, credit card details and cryptocurrency information, which makes it very dangerous for its victims.
How does the Redline Stealer work?
Researchers at HP spotted the campaign, in which the threat actor used the legitimate-looking domain “windows-upgrade.com”.
The website is a clone of the official Microsoft site; clicking its download button delivers a 1.5 MB zip file named “Windows11InstallationAssistant.zip”.
Decompressing the archive yields a 753 MB folder. When the victim launches the executable inside it, a cmd.exe process is started and, after 21 seconds, it runs the DLL Redline Stealer payload, which connects to the command-and-control server over TCP.
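As an added illustration (not code from the article or from HP's research), here is a Python heuristic a defender could run over endpoint telemetry to flag the chain just described: an installer run from a user-writable directory spawns cmd.exe, which loads a DLL from a user-writable path after a delay and then opens an outbound TCP connection. The events, field names, paths and addresses below are constructed; only the sequence and the 21-second delay come from the article.

```python
from datetime import datetime

# Constructed sample telemetry (not from the article or from HP). Event ids follow
# Sysmon's numbering: 1 = process create, 7 = image (DLL) load, 3 = network connection.
SAMPLE_EVENTS = [
    {"t": "2022-02-01T10:00:00", "id": 1, "pid": 100, "ppid": 1,
     "image": r"C:\Users\victim\Downloads\Windows11InstallationAssistant\Windows11InstallationAssistant.exe"},
    {"t": "2022-02-01T10:00:01", "id": 1, "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe"},
    # DLL loaded 21 s after cmd.exe started, from a user-writable path
    {"t": "2022-02-01T10:00:22", "id": 7, "pid": 101,
     "image": r"C:\Users\victim\AppData\Local\Temp\stage2.dll"},
    {"t": "2022-02-01T10:00:23", "id": 3, "pid": 101, "proto": "tcp", "dst": "203.0.113.7:4444"},
    # Benign chain for contrast: cmd.exe under explorer.exe loading only a system DLL
    {"t": "2022-02-01T11:00:00", "id": 1, "pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"t": "2022-02-01T11:00:01", "id": 1, "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2022-02-01T11:00:02", "id": 7, "pid": 201, "image": r"C:\Windows\System32\kernel32.dll"},
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")   # hypothetical path markers
MIN_DELAY_S = 15   # the article describes a 21 s pause before the DLL payload runs


def _ts(event):
    return datetime.fromisoformat(event["t"])


def _user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def find_fake_installer_chains(events):
    """Return (installer_pid, cmd_pid, dll_path, destination) for every chain of
    installer-in-user-dir -> cmd.exe -> delayed DLL load from a user-writable path
    -> outbound TCP connection. Pure heuristic; tune the markers to your estate."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for cmd in procs.values():
        if not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = procs.get(cmd["ppid"])
        if parent is None or not _user_writable(parent["image"]):
            continue
        if "windows11" not in parent["image"].lower():
            continue
        loads = [e for e in events if e["id"] == 7 and e["pid"] == cmd["pid"]
                 and _user_writable(e["image"])
                 and (_ts(e) - _ts(cmd)).total_seconds() >= MIN_DELAY_S]
        conns = [e for e in events if e["id"] == 3 and e["pid"] == cmd["pid"]
                 and e.get("proto") == "tcp"]
        if loads and conns:
            hits.append((parent["pid"], cmd["pid"], loads[0]["image"], conns[0]["dst"]))
    return hits
```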
One report describes the threat actor using a different domain name in Google ads that 301-redirected to the distribution website. The distribution website is now down, but nothing stops the threat actor from registering a new domain and launching the attack again.
Since all of these malicious websites are spread through social media and forums, take precautions and trust only official Windows upgrade notifications.