Windows 10 users planning to move to Windows 11 should be careful: a fake Windows 11 installer is circulating that delivers password-stealing malware.
The malware in question is RedLine. Although not especially sophisticated, this stealer can harvest passwords saved in browsers, retrieve autofill data such as credit card details, and steal data from cryptocurrency wallets, including Bitcoin and Ethereum wallets.
Microsoft has set a high minimum hardware specification for devices eligible for the Windows 11 upgrade. Because many PCs fail that check, users go looking for other ways to get the new version, and that is exactly what the attackers exploit.
On top of that, the attackers in this case timed their campaign to Microsoft's announcement that Windows 11 had entered its final phase of availability on January 26, 2022.
According to HP's Threat Research Blog, the actor behind the fake Windows 11 installer used a website at the domain 'windows-upgraded[.]com'. The domain was registered on January 27, 2022, the day after Microsoft's announcement.
The site was made to look like Microsoft's official Windows 11 page. A user who clicks its 'Download Now' button does not receive Microsoft's installer but a zip file served from Discord's CDN.
The file, named 'Windows11InstallationAssistant.zip', is only 1.5 MB. Once decompressed, however, its contents grow to 753 MB. That extreme compression is what caught the attention of HP's malware analysts.
"Since the size of the compressed zip file is only 1.5 MB, this means the file has an impressive 99.8% compression ratio," said HP security team malware analyst Patrick Schläpfer, as quoted by ZDNet on Sunday (13/2/2022).
"This is much greater than the average zip compression ratio of an executable of 47%. To achieve a high compression ratio, the executable may contain padding which is very easy to compress."
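The analysts' reasoning above can be turned into a simple triage check: the zip's central directory already records each entry's compressed and uncompressed sizes, so a padding-inflated executable can be spotted without unpacking it, and reading the last megabyte of the entry shows whether it ends in one long run of a single byte value. The script below is an added example written for this article, not code from HP or from the report; the thresholds (90% ratio, 8 MiB minimum size, 1 MiB tail sample), the entry names and the sample archive are all constructed for the demonstration.

```python
"""Triage a zip archive for padding-inflated executables.

Added example, not HP's code. Per-entry compression ratio comes from the
zip central directory (no extraction needed); the tail check looks at the
end of each entry for a long run of one byte value, which is how padding
is usually appended to an executable.
"""
import io
import os
import zipfile

# Illustrative thresholds chosen for this example; tune them for your fleet.
RATIO_THRESHOLD = 0.90          # entries shedding >= 90 % of their bytes ...
MIN_UNCOMPRESSED = 8 * 1024**2  # ... that are also at least 8 MiB when unpacked
TAIL_SAMPLE = 1024 * 1024       # bytes inspected at the end of each entry


def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Fraction of bytes removed by compression; 753 MB -> 1.5 MB gives 0.998."""
    if info.file_size == 0:
        return 0.0
    return max(0.0, 1.0 - info.compress_size / info.file_size)


def tail_run_fraction(zf: zipfile.ZipFile, info: zipfile.ZipInfo,
                      sample: int = TAIL_SAMPLE) -> float:
    """Share of the entry's last `sample` bytes equal to its very last byte.

    A value near 1.0 means the file ends in a single long run (typically
    zero bytes), a strong hint that size was inflated with padding.
    """
    with zf.open(info) as fh:
        fh.seek(max(info.file_size - sample, 0))  # decompresses up to this offset
        tail = fh.read()
    if not tail:
        return 0.0
    return tail.count(tail[-1]) / len(tail)


def scan_zip(archive: bytes) -> list[dict]:
    """Return one finding per file entry; `suspicious` marks padding candidates."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = compression_ratio(info)
            findings.append({
                "name": info.filename,
                "file_size": info.file_size,
                "compress_size": info.compress_size,
                "ratio": ratio,
                "tail_run": tail_run_fraction(zf, info),
                "suspicious": ratio >= RATIO_THRESHOLD
                              and info.file_size >= MIN_UNCOMPRESSED,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: a zero-padded fake executable (a 2-byte 'MZ'
    marker, a NOP-filled stub and 12 MiB of zeros) beside a small file of
    random, incompressible bytes standing in for an honest payload."""
    padded_exe = b"MZ" + b"\x90" * 510 + b"\x00" * (12 * 1024**2)
    honest_blob = os.urandom(64 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Installer.exe", padded_exe)   # constructed name
        zf.writestr("readme.bin", honest_blob)     # constructed name
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']:20} {f['file_size']:>12,d} -> {f['compress_size']:>10,d}"
              f"  ratio={f['ratio']:.3f}  tail_run={f['tail_run']:.3f}  {flag}")
```

The size requirement matters: small text files also compress very well, so the ratio alone is noisy, while a multi-hundred-megabyte executable that compresses to a few megabytes is rare in legitimate software. The tail check is deliberately cheap (one seek and one read per entry) so it can run on every download at a mail or web gateway before the file is handed to a sandbox that may refuse oversized samples.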
Although the website used to distribute the malware is now down, the attackers can easily register new domains and relaunch the campaign.
To guard against fake installers like this, HP advises users to download software only from trusted websites and sources.