Malicious actors routinely use current events to lure victims into downloading their malware.

For example, one such entity registered the windows-upgraded.com domain on January 27, 2022, the day after Microsoft announced the final phase of the Windows 11 upgrade. The actor used this website to infect computers with RedLine Stealer by disguising it as a Windows 11 installer, although the domain is no longer active as of February 11. This malware steals the victim’s information and is widely available for sale in underground forums.

The fake website in this campaign was similar to the legitimate Windows 11 website, except that clicking on the button labeled “Download Now” downloaded a zip file named Windows11InstallationAssistant.zip. This file was hosted on a Discord network rather than one belonging to Microsoft, as a legitimate file would be. This campaign is similar to an earlier RedLine Stealer campaign discovered in December 2021 that used the domain discrodappp.com, which disguised RedLine Stealer as an installer for discordapp, a popular messaging app.

File Size

Windows11InstallationAssistant.zip has a size of 1.5 MB, which expands to 753 MB when you decompress it. The executable Windows11InstallationAssistant.exe accounts for 751 MB of this total, with six dynamic link libraries (DLLs) and an Extensible Markup Language (XML) file accounting for the remaining 2 MB. The compression ratio for this executable is about 99.8 percent, as compared to a compression of 47 percent for typical executables.

The reason for this unusually high compression is that Windows11InstallationAssistant.exe is heavily padded with meaningless 0x30 bytes just before the file signature at the end of the file. The actors who wrote this malware likely included this padding to make it more difficult to analyze with malware tools, which are often unable to process files above a certain size. Analysts must first remove the padding from Windows11InstallationAssistant.exe before running tools against it, and the same size limit prevents many virus scanners from automatically detecting this malware.
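A triage heuristic for the padding technique described above, added here as an example and not code from the original post: it measures how much of a file is a single repeated-byte run and how well the file deflates, then writes a trimmed copy for analysis. The thresholds, the minimum run length and the sample bytes are constructed assumptions, not values from the campaign.

```python
import re
import zlib

# Assumed thresholds (constructed for this example, not from the original post).
PAD_RATIO_THRESHOLD = 0.90    # share of the file taken by one repeated-byte run
MIN_RUN = 1024                # ignore short runs that occur in ordinary binaries


def longest_byte_run(data: bytes, min_run: int = MIN_RUN) -> tuple[int, int, int]:
    """Return (offset, length, byte_value) of the longest run of one repeated byte.

    The regex finds runs of at least min_run identical bytes at C speed, so the
    Python loop only sees long runs; that keeps this usable on very large files.
    """
    best = (0, 0, -1)
    for m in re.finditer(rb"(.)\1{%d,}" % (min_run - 1), data, re.DOTALL):
        length = m.end() - m.start()
        if length > best[1]:
            best = (m.start(), length, m.group(1)[0])
    return best


def compression_ratio(data: bytes) -> float:
    """Fraction of the size deflate removes: ~0.998 for the padded sample, ~0.47 for typical executables."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 6)) / len(data)


def strip_padding(data: bytes) -> tuple[bytes, dict]:
    """Remove the dominant single-byte run, if any, and return trimmed bytes plus a triage report."""
    offset, length, value = longest_byte_run(data)
    pad_ratio = length / len(data) if data else 0.0
    report = {
        "pad_byte": value, "pad_offset": offset, "pad_length": length,
        "pad_ratio": round(pad_ratio, 4),
        "compression_ratio": round(compression_ratio(data), 4),
        "padded": pad_ratio >= PAD_RATIO_THRESHOLD,
    }
    if not report["padded"]:
        return data, report
    return data[:offset] + data[offset + length:], report


# Constructed stand-in for a bloated executable: a small non-repeating body,
# a long run of 0x30 bytes, then a trailing blob standing in for the signature.
SAMPLE_BODY = b"MZ" + bytes(range(256)) * 4
SAMPLE_TAIL = b"<constructed-signature-blob>"
SAMPLE = SAMPLE_BODY + b"\x30" * 200_000 + SAMPLE_TAIL

if __name__ == "__main__":
    trimmed, info = strip_padding(SAMPLE)
    print(info, len(SAMPLE), "->", len(trimmed))
```

Trimming changes the file hash and invalidates any trailing signature, so keep the original for indicator hashes and run tooling against the trimmed copy.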

Analysis

Once Windows11InstallationAssistant.exe has been reduced to its proper size, it’s possible to analyze it dynamically in a sandbox or statically with malware tools. Upon execution, this malware’s first action is to start a PowerShell process that launches a cmd.exe process with a timeout of 21 seconds. Once this process times out, the PowerShell process downloads a file named win11.jpg, although it isn’t a JPEG file.

The file is actually the RedLine Stealer DLL, but with the contents in reverse order. This tactic allows RedLine Stealer to avoid detection by malware tools looking specifically for its signatures. The initial process in Windows11InstallationAssistant.exe places the contents of win11.jpg in the correct order and loads it, replacing the current thread context with RedLine Stealer.

This malware is a typical information stealer that collects data on the host’s current execution environment, including system name, user name and installed software. It also takes website passwords stored by the host’s browser in addition to auto-complete data that often includes credit card numbers and cryptocurrency wallets. RedLine Stealer then exfiltrates this data to a command and control (C2) server controlled by the attackers and awaits further instructions.


Protection

The most effective way of protecting yourself from fake installers like the one in the latest RedLine Stealer campaign is to download software only from legitimate sources, typically the software distributor’s own website. This is particularly true of major distributors like Microsoft, which can afford to host their own installation files. A website on a newly registered domain is highly suspicious, especially if it claims to be from a large software vendor.


Warning Triangle flickr photo by dlg_images shared under a Creative Commons (BY) license