Back in July last year, we saw reports of malware installers being disguised as Windows 11 preview builds. Now, we see a similar report, but now involving a fake version of a full Windows 11 release.
HP security researchers have discovered a fake Windows 11 download site that mimicked the legitimate one. It even came with the “Download Now” button, but clicking on it downloads a suspicious zip file instead. It was registered shortly after Microsoft announced that “The upgrade offer to Windows 11 is entering its final phase of availability”. And the fact that it was relatively new was what caught the researchers’ attention.
Contained inside said suspicious zip file is what’s known as the RedLine Stealer malware. It steals passwords and auto-complete data from web browsers, as well as cryptocurrency files and wallets. While the report describes it as “not especially sophisticated”, a previous ZDNet report claims that it is advertised on Russian crybercrime forums with a monthly subscription price of US$150 (~RM628) a month, or US$800 (~RM3351) for lifetime access.
It also has an interesting way of avoiding your run of the mill antivirus solution. The suspicious zip file that gets downloaded comes in at a file size of 1.5MB. But once decompressed, the total file size came to 753MB, meaning an impressive compression ratio of 99.8%. The malware itself is also intentionally bloated in size to evade antivirus detection.
The report ends by pointing out that because this RedLine malware is so accessible, there have been plenty of vectors. Previously, it spread via a similarly fake Discord download page.
