Look out — this Windows 11 installer is really malware
It'll steal your passwords and cryptocurrency
Installing Windows 11 isn't that easy for many existing computers, thanks to the software's stringent hardware requirements. That's led many Windows 10 users to search for workarounds that dodge such obstacles.
But be careful, because one supposed Windows 11 installer is really the RedLine stealer, a well-known piece of information-stealing malware that will infect your web browser and swipe your passwords, credit-card numbers, login-session tokens and even cryptocurrency tokens. (RedLine is one of several reasons you should not let your browser save your passwords.)
The malware was being distributed from a website at windows-upgraded[.]com, HP malware analyst Patrick Schläpfer reported in an official HP blog post yesterday (Feb. 8). HP noticed the bogus website Jan. 27, the day after Microsoft announced that Windows 11 would be available as a free download for all eligible devices.
"This campaign highlights once again how attackers are quick to take advantage of important, relevant and interesting current events to create effective lures," wrote Schläpfer. "Prominent announcements and events are always interesting topics for threat actors, which can be exploited to spread malware."
How the fake Windows 11 installer works
The site looked just like an official Microsoft site, right down to the OS maker's logo, site layout and minimalist design aesthetic. "Get Windows 11" was prominently displayed, and underneath that was a button that said "DOWNLOAD NOW."
If you clicked that button, Schläpfer said, your browser would reach out to a Discord storage server and download a 1.5MB compressed file called Windows11InstallationAssistant.zip. Unpacked, the file expanded to a whopping 753MB, a compression ratio of a phenomenal 99.8%, Schläpfer noted.
It turned out that a lot of the 751MB main file, Windows11InstallationAssistant.exe, was just padding consisting of repeated zeroes, hence the extreme compression ratio. Why would it need so much padding?
"One reason why the attackers might have inserted such a filler area, making the file very large," wrote Schläpfer, "is that files of this size might not be scanned by an antivirus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware."
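The padding trick described above leaves a measurable trace: an executable inside an archive that compresses almost to nothing and consists mostly of zero bytes. The following Python sketch is an added example, not code from HP or from the original article. It triages a ZIP archive for that pattern, streaming each member so large files are still inspected; the thresholds, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

RATIO_THRESHOLD = 0.95  # assumed cut-off: share of the size removed by compression
ZERO_THRESHOLD = 0.90   # assumed cut-off: share of bytes that are 0x00
CHUNK = 1 << 20         # read members 1 MiB at a time instead of loading them whole

def triage_archive(zip_bytes):
    """Return one finding per archive member; flag zero-padded executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            # Sizes come from the archive's directory, so this part is cheap.
            ratio = 1 - info.compress_size / info.file_size
            zeros, head = 0, b""
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    if not head:
                        head = chunk[:2]  # Windows executables start with "MZ"
                    zeros += chunk.count(0)
            zero_frac = zeros / info.file_size
            is_pe = head == b"MZ"
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "ratio": round(ratio, 3),
                "zero_fraction": round(zero_frac, 3),
                "is_pe": is_pe,
                "suspicious": is_pe and ratio >= RATIO_THRESHOLD
                              and zero_frac >= ZERO_THRESHOLD,
            })
    return findings

def build_sample():
    """Constructed sample: an 'MZ' stub plus 8 MiB of zero filler, and a text file."""
    stub = b"MZ" + bytes(range(1, 256)) * 64   # about 16 KB of non-zero bytes
    padded = stub + b"\x00" * (8 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SampleInstaller.exe", padded)
        zf.writestr("readme.txt", "plain text file, nothing unusual here\n" * 20)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding)
```

A hit from this check is a reason to send the file for a full scan or sandbox run, not a verdict on its own, since legitimate sparse files also compress well.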
If you run Windows11InstallationAssistant.exe, you get a command-line operation that lasts exactly 21 seconds, then downloads what looks like a JPEG file called win11.jpg.
Sounds harmless, right? Not quite: if you read the file's contents backwards, you get a dynamic-link library (DLL) file that contains the RedLine information stealer, the payload that ends up on your PC when you run the purported "Installation Assistant."
RedLine "collects various information about the current execution environment, such as the username, computer name, installed software and hardware information," Schläpfer explained. "The malware also steals stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets."
Even though the windows-upgraded[.]com site is no longer up, it will be easy for the crooks to try again at a different domain, or even to use a different lure. In fact, Schläpfer noted that the same baddies seem to have been behind a very similar campaign back in December that used a fake Discord installer site to distribute RedLine.
How to protect yourself from this malware attack
To protect yourself from RedLine and other forms of malware, check the URL (web address) of every site from which you download software, and run each installer file through an antivirus scanner before you open it. (Most of the best Windows antivirus programs recognize RedLine for what it is.)
And use common sense — a random website that doesn't have "microsoft.com" in the domain name but offers Windows installations anyway isn't likely to be legit.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.