RedLine Stealer Spreading from Illegitimate Windows 11 Upgrade

  |  Source: 
HP - ThreatResearch

RedLine Stealer spreading from illegitimate Windows 11 Upgrade

Industry: N/A | Level: Tactical | Source: HP - ThreatResearch

Threat Research from HP has identified the distribution of information-stealing malware, RedLine Stealer posing as an installer to Microsoft's latest Windows 11 OS version. The threat campaign is recent, as one of the malicious domain windows-upgraded[.]com was registered on January 27th, 2022. The fraudulent Microsoft page drops a malicious zip file, "Windows11InstallationAssistant.zip" for users to click the download link. The zip file is hosted on Discord containing "six Windows DLLs, an XML file and a portable executable." Upon execution of the malicious executable file, an encoded PowerShell command runs with a download of a jpg file following a 21-second timeout. The jpg file is actually a disguised DLL file. Once the DLL is loaded, the RedLine Stealer payload is active and able to proceed with data collection and exfiltration as desired by the attacker.

  • Anvilogic Scenario: InfoStealer Malware Behaviors
  • Anvilogic Use Cases:
  • Encoded Powershell Command
  • Query Registry

Get trending threats published weekly by the Anvilogic team.

Sign Up Now