Beware Fake Windows 11 Upgrade Installers Bringing RedLine Malware

Slashdot reader joshuark writes: Beware fake Windows 11 upgrades install RedLine malware, reports Bleeping Computer.

"Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware." Bleeping Computer advises, "...these dangerous sites are promoted via forum and social media posts or instant messages, so don't trust anything but the official Windows upgrade system alerts."
Bleeping Computer points out that hardware incompatibilities rule out upgrades for many Windows 10 users from official distribution channels — "something that malware operators see as an excellent opportunity for finding new victims." The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.

According to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate "windows-upgraded.com" domain for the malware distribution part of their campaign. The site appears like a genuine Microsoft site and, if the visitor clicked on the 'Download Now' button, they received a 1.5 MB ZIP archive named "Windows11InstallationAssistant.zip," fetched directly from a Discord CDN...

Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.

seemingly legitimate "windows-upgraded.com"

[Rockoon]

seemingly legitimate "windows-upgraded.com"

Who the fuck does that seem legitimate to?

Re:

[iamnotx0r]

Maybe, just maybe; "windows" as a OS name was not too smart. No matter how much legal war you try and use, the word is not going to be owned only by Microsoft.

This observation may seem obtuse to some. :)

Re:

[gweihir]

Indeed. But if that was the only non-smart thing MS had done and continues to do....

The sad thing is that fucking over the customer, wasting millions of user-hours, _still_ having a fundamentally insecure system, making their UIs worse and worse, willfully reducing compatibility and thereby obsoleting billions in hardware without need, etc. does not seem to affect their bottom-line at all. Yes, MS is an abuser. But the victims keep asking for more.

Re:

[sg_oneill]

I frusturates the shit out of me thay my 9 month old name brand Ryzen laptop w/ high end RTX gpu, 32g of ram and 2TB of SSD is apparently incompatible with Windows 11 because apparently it doesnt recognize the TPM chip (even though windows 10 absolutely does recognize it).

How did microsofts stupid DRM nonsense break so bad?

Re:

[gweihir]

Well, looks like they will be getting away with it. Again. This does not say good things about the average MS customer.

Re:

[kmoser]

So the inability to "upgrade" to Windows 11 is a *bad* thing?

Re:

[sg_oneill]

Oh look, I've given up on the idea, and friends who have said "Stick with 10". But at some point Microsoft will attempt to fuck the market in a way that means I either upgrade (SOMEHOW) or things will just stop working, like they did with Win 7 and 10.

I mean, 10 works well enough I guess.

Re:

[Anonymous Coward]

They have a long history of using overly-generic names just so they can "own" that word, or at least have an excuse to spam their company name. Or both.

Anyway, if we hadn't let the marketeers run amok with the "someword dot extension", it might have become commonplace to understand that, say, anything microsoft related could be expected to have a full domain name that ended in ".microsoft.com".

So even laypeople might have looked at "windows-update.microsoft.com" and concluded that yes that's okay. And con

Re:

[Joce640k]

Maybe, just maybe; "windows" as a OS name was not too smart. No matter how much legal war you try and use, the word is not going to be owned only by Microsoft.

What difference does it make?

If they'd called it "zunk" the web pages would be called "zunk-upgraded.com".

(shrug)

Re:seemingly legitimate "windows-upgraded.com"

[Deep Esophagus]

I wondered about that, too, but then I thought of my many friends who barely know what the on switch is for. Some are in their 70s and 80s and wouldn't know a firewall from a dumpster fire. On the other hand I'm the same way about anything mechanical, and I have to call on those same folks for help with plumbing or electrical or automotive problems. So we're all idiots at some life skill or other.

Re:

[Darinbob]

If malware pops up a notice on the window, most elderly computer users I know treat that as legitimate. And this is the primary way a lot of scams and hacks take place. Microsoft wants users to treat the internet as a safe place, even though it isn't. That's why they almost always have the dangerous actions as the default; maybe MS is naive and assuming everyone's in an enterprise with a crack team of underpaid support?

So a basic pop-up will fool a lot of people by saying "Windows 11 is available, speed u

Re:

[gweihir]

seemingly legitimate "windows-upgraded.com"

Who the fuck does that seem legitimate to?

Basically any non-expert? You know, the typical victim-population for Microsoft crap.

Re:

[KingBenny]

darwin awards ...

Re:

[Rick Schumann]

Who the fuck does that seem legitimate to?

The typical computer-illiterate types that Microsoft markets Windows to.

Re:

[thegarbz]

Probably the same kinds of people who think Trump would get Mexico to pay for a wall, who think COVID is a hoax, or the moon landing fake, or the WTC was taken down by the CIA, or ... let's face it there's a lot of stupid people in the world.

Re:

[Darinbob]

People who aren't computer experts. People who trust the internet because they're unused to a world where bad things happen. People who think there are gatekeepers and officials to prevent creating web sites that are not who they say they are.

I think a lot of people with computer experience have learned a certain degree of skepticism and paranoia, which does not exist in lots of people, such as many elderly persons. Scams tend to target the elderly for the most part. Even legitimate companies try to tri

Re:

[Casandro]

Well to me it it seems like a perfectly legitimate website... for example for a "Windows" cover band.
https://www.youtube.com/watch?... [youtube.com]

Only trust Windows Upgrade?

[splutty]

I don't even trust Windows Upgrade. I've had to rollback my system to a daily backup several times now after Windows Upgrade fucked things up too badly.

And since we don't seem to have a choice to install things or not anymore since Windows 10, that only makes it that much worse.

Re:

[chipschap]

"And since we don't seem to have a choice to install things or not anymore since Windows 10"

Actually you do. You can always upgrade to Linux :)

Re:

[thegarbz]

What kind of a strange setup do you have that you've had to roll back windows update? How do you break your system so much?

Re:

[fafalone]

None of the programs I write are mission critical stuff but damned if Microsoft hasn't done stuff to break it. One update broke it globally after, for whatever stupid reason, an old UNICODE_STRING API previously stable and unchanged from early Windows through early Win10 simply stopped working, returning nothing but a null pointer. I know I should have but I didn't plan for that and have a graceful fallback, so the ability to list files broke entirely. Nearly every time a major update goes out I start getti

Re:

[splutty]

You really don't need that strange a setup for Windows to break shit.

Try a high end desktop development machine with a lot of game development software, and you can almost guarantee that an update will break things. So that's a rollback and waiting for updates to come out, or abandoning your software. Or hoping your hardware company brings out drivers that Windows don't screw up.

And that's not even talking about the screwups with audio hardware whenever Windows attempts to reinstall Skype...

In other news...

[Joce640k]

In other news: Windows 10 antivirus is completely incapable of detecting this malware despite it being the " the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber"

Re:

[david.emery]

And my moderator points ran out yesterday. +1 insightful, if I could!

Re:

[thegarbz]

Except it's not. The problem is people who think they are smarter than the anti-virus, and just trust the website which says "It's a false positive, trust us".

Re:

[Joce640k]

Have you tried getting something pas the antivirus? You won't get as far as "I trust this" before it's deleted.

Re:

[thegarbz]

Yeah a few times. It's as easy as clicking the threat notification, clicking on protection history, clicking on the item and clicking allow / restore.

It's not hard to bypass Windows Defender.

Fake Windows 11

[PPH]

I knew it! Everything after Windows 7 is malware.

Re:

[JustAnotherOldGuy]

Yep, Win 7 was the last decent version of Windows. I ran it until the Windows 'updates' started knocking it off the air.

After a failed 'upgrade' that hosed the box, I just said "fuck this shit" and switched to Linux Mint. It took about 2 hours to wipe the box and install Mint.

It's been ~3 years now and I don't miss Windows. I still like Win 7 though, it was the best OS they ever made in my opinion.

Meanwhile...

[NagrothAgain]

For some reason Windows has determined my laptop to not be suitable for upgrade. I'm guessing some minor component doesn't agree with it, since it has far more RAM and CPU than the recommendations and is a pretty normal system from a large, well known (and supported) company. But that's perfectly fine with me, I'm in no rush to update. By the time they completely EoL 10 I'll probably have a new system anyhow, and the current one will be running a Linux distro.

Re:

[JustAnotherOldGuy]

Count yourself lucky. I'd breath a sigh of relief.

My only Windows box (for a security system) is also "ineligible" to "upgrade" to Windows 11- some bullshit about TPM or whatever.

And frankly, I'm *GLAD* that Windows will never be able to decide one day that it's time for me to 'upgrade' and do a uncommanded, stealth install of Win 11.

Re:

[thegarbz]

I'm guessing

Why guess when the update tool tells you exactly what doesn't meet the requirements?

And nobody could have anticipated that

[gweihir]

Microsoft continues to fuck over and endanger their customers. Why do so many take it silently or even ask for more? Collective Stockholm-Syndrome?

Re:

[OrangeTide]

They intend to let things run wild for a while so that we're more receptive to trusted computing, TPM hardware in our desktops, and operating-system-as-a-service pricing models. Every tech company wants to control the hardware that you purchased with your own hard earned money. And I fear that one of these times one of them will win this battle and take computing down a terrible path.

Re:And nobody could have anticipated that

[narcc]

I'm not the type to buy into conspiracy theories, but ever since Apple proved that people will accept someone else being in complete control of your device, and the money spend on it, everyone has wanted a slice of that pie.

I mean, after the hell Microsoft went through in the late 90's, Apple's "every browser must be Safari, no competitors allowed" policy must really make them crazy. They'd love to lock out competing browsers! They're really aggressive about pushing Edge now, and it's obvious that they would lock out Firefox the second they thought they could get away with it!

SaaS has been a dream of every shady company for ages. You can only sell an upgrade every few years, and a lot of people resist change. I've happily been running Office 2007 since 2013, and haven't felt the need to update. (docx finally forced my hand.) That's why they're pushing people to Office 365. They get to sell you the same product every month!

I honestly don't know how Microsoft and Adobe get away with it.

We need to resist this trend. Use and recommend open source alternatives, refuse to use the Windows store, and don't buy subscription software. Oh, and stay away from Google docs. It's a trap.

Re:

[gweihir]

We need to resist this trend. Use and recommend open source alternatives, refuse to use the Windows store, and don't buy subscription software. Oh, and stay away from Google docs. It's a trap.

Indeed. I fear too few people see what is going on though.

Re:

[gweihir]

While that would be completely evil, it is MS we are talking about here. So yes, makes a lot of sense to me.

Hoe cunning...

[ebcdic]

.. a malware installer disguised as a malware installer.

Doesn't work

[JustAnotherOldGuy]

I downloaded the installer from "windows-upgraded.com" but it refuses to run under Wine no matter what I do.

It'll never be the Year of the Linux Desktop until we Linux users can run Windows malware easily and without jumping through a lot of hoops.

Re:

[dddux]

Thanks, your post made me LOL pretty hard. :))

Re:

[Jetstream]

Well, duh. Did you check the Wine Compatibility List first to see if that particular malware has a Gold rating?

Fake Windows 11 Upgrade Bringing Malware

[UnknowingFool]

As opposed to the real Windows 11 Upgrade that brings malware—thanks I'll be here all week. Try the fish.