Cyber-threat actors are always looking for ways to scam citizens around the world, and one way they do this is to socially engineer victims into infecting their own systems by downloading software from fake websites.
If your system is too old to run Windows 11, it’s best to get a new PC. Trying to circumvent the installation process and looking for unofficial installers could lead you to spoofed websites.
And that’s exactly what happened when HP’s Threat Research team found a domain that, at first glance, seems to be a legitimate Microsoft website. But the windows-upgraded.com domain hides a dangerous secret.
HP Threat Research Team stated, “On 27 January 2022, the day after the final phase of the Windows 11 upgrade was announced, we noticed a malicious actor registered the domain windows-upgraded[.]com, which they used to spread malware by tricking users into downloading and running a fake installer.”
“The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute ‘RedLine Stealer’, an information stealing malware family that is widely advertised for sale within underground forums.”
Domain Name: windows-upgraded.com
Creation Date: 2022-01-27T10:06:46Z
Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
Registrant Organization: Ozil Verfig
Registrant State/Province: Moscow
Registrant Country: Russia
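As an added example (not HP's tooling or code from the article), the Python triage script below applies the two signals HP cited, a label that imitates a brand and a registration date right after a related announcement, to a WHOIS record constructed from the values listed above. The brand keyword list, the 30-day window and the "two signals means suspicious" rule are assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed WHOIS-style record using the fields quoted in the article.
WHOIS_RECORD = """Domain Name: windows-upgraded.com
Creation Date: 2022-01-27T10:06:46Z
Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
Registrant Organization: Ozil Verfig
Registrant State/Province: Moscow
Registrant Country: Russia
"""

# Assumed watch-list of brands an organisation cares about (not from the article).
BRAND_KEYWORDS = ("windows", "microsoft", "discord")
# The article says the domain was registered the day after the announcement.
WINDOWS11_ANNOUNCEMENT = datetime(2022, 1, 26, tzinfo=timezone.utc)


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines of a WHOIS record into a dict."""
    record = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    return record


def triage(text: str, announcement: datetime, max_age_days: int = 30) -> dict:
    """Flag a domain when its label imitates a watched brand AND it was
    registered within max_age_days after the announcement it could exploit."""
    rec = parse_whois(text)
    domain = rec.get("Domain Name", "").lower()
    created = datetime.strptime(
        rec["Creation Date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    label = domain.rsplit(".", 1)[0]          # "windows-upgraded"
    brand_hits = [b for b in BRAND_KEYWORDS if b in label]
    days_after = (created - announcement).days
    reasons = []
    if brand_hits:
        reasons.append(f"label imitates brand: {brand_hits}")
    if 0 <= days_after <= max_age_days:
        reasons.append(f"registered {days_after} day(s) after announcement")
    return {"domain": domain, "brand_hits": brand_hits,
            "days_after_announcement": days_after,
            "suspicious": len(reasons) == 2, "reasons": reasons}


if __name__ == "__main__":
    print(triage(WHOIS_RECORD, WINDOWS11_ANNOUNCEMENT))
```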
The attackers copied the design of the legitimate Windows 11 website, except clicking on the “Download Now” button downloads a suspicious zip archive called Windows11InstallationAssistant.zip. The file was hosted on Discord’s content delivery network.
“It collects various information about the current environment, such as the username, computer name, installed software and hardware information. The malware also steals stored passwords from web browsers, auto-complete data such as credit card information, and cryptocurrency files and wallets,” HP’s Threat Research stated.
The tactics, techniques and procedures (TTPs) in this RedLine Stealer campaign are similar to a campaign we analyzed in December 2021.
In that campaign, the malicious actor registered discrodappp[.]com, which they used to serve RedLine Stealer disguised as an installer for the popular messaging app.
In both campaigns, the threat actor used fake websites mimicking popular software to trick users into installing their malware, registered the domains using the same domain registrar, used the same DNS servers, and delivered the same family of malware.
Thankfully the spoofed site has been taken down. However, exercise extreme caution going forward.