While we’re often advised to wait before downloading OS updates until the bugs are worked out, sometimes excitement just gets the best of us. One particular hacker counted on users salivating at the chance to download a new OS and released a fake Windows 11 installer loaded with malware.
HP Discovers Fake Installer
It was HP that noticed the fake Windows 11 installer and not a security firm, for a change.
HP explained in a blog post, “The domain caught our attention because it was newly registered, imitated a legitimate brand, and took advantage of a recent announcement.”
On January 26, 2022, Microsoft announced the last group of PCs to be eligible for Windows 11. One day later, HP found the impostor on a website carrying the domain “windows-upgraded[.]com.”
This domain had all the bells and whistles it needed to look legitimate – and, of course, included a “Download” button. What is downloaded, though, is a Trojan that can steal your passwords or other data.
Malware Instead of WIndows 11 Installer
While you’re feeling pleased after finding this installer, you soon won’t be when your PC is filled with malware.
After punching the Download button, the file you’ll receive is a 1.5MB ZIP file with the name “Windows11InstallationAssistant.” Unzip the file, and it will now be 753MG, as the hacker added “padding” to the code.
“One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an antivirus and other scanning controls, thereby inceasing the chances the file can execute unhindered and install the malware,” further explained HP.
If you try to install Windows 11 from this file, the RedLine Stealer malware package will be downloaded to your PC. This is available in underground cybercriminal forums and is capable of stealing passwords and data that auto-completes in your browser.
This operation is similar to one HP analyzed in December 2021. The hacker used the domain “discrodappp[.]com” and was impersonating a Discord installer. Both this domain and the one for the fake Windows 11 installer used the same domain registrar, DNS servers, and type of malware. The more recent domain is no longer online.
To go along with warnings to not download updates right away, if we do rush to download, we should also be aware of hackers trying to take advantage of the situation, which could be much worse than buggy software. There are bound to be more hackers planning similar, yet more stealth, efforts next time.
