Redline Stealer Archives

A Fake Windows 11 Upgrade Site is Spreading Malware

official upgrades, Ophtek, redline stealer, Suspicious links, upgrade software, Windows 11data protection, Official upgrades, Ophtek, Redline Stealer, suspicious links, Windows 11Ophtek, LLC

Feb 2022

Windows 11 is Microsoft’s latest operating system and PC users should download it as soon as possible. But how do you know your download is legitimate?

Over the last few months, users of Windows 10 will have been prompted to upgrade their operating system to Windows 11. As the upgrade is free, it makes sense to take advantage of this. Not only are there new features and functionality, but there is also an enhanced level of security when running Windows 11. However, not everyone has taken the step of downloading and installing this new version of Windows. As a result of this hesitance, hackers have decided to throw their hat into the ring by setting up a malicious website which promises Windows 11, but delivers malware.

Malicious Promises

The malicious website at the center of the story was ‘windows-upgraded.com’ and, thankfully, it has now been deactivated. Nonetheless, it was live for some time and had the capacity to cause damage to any IT systems it managed to infect. Therefore, we’re going to look at how it operated and the tell-tale signs you need to look for.

By creating a genuine looking website, which used Microsoft’s trademark presentation style, the hackers were able to convince visitors that it was legitimate. A large “download now” button was prominently placed and, when clicked, it would appear to be downloading the Windows 11 upgrade files. However, while the file being downloaded was named ‘Windows11InstallationAssistant.exe’, the true identity of the download was very different.

Visitors who had gone through with the download would actually be downloading a malware tool known as RedLine Stealer. This piece of malware is a classic data thief and, as such, targets sensitive data including login credentials, credit card details and cryptocurrency data. All three of these data types have the potential to cause major damage when they fall into the wrong hands, so the ‘windows-upgraded’ website was considered a significant threat.

The link to this website was spread by several different campaigns. Spam emails, forum posts and instant messaging systems were all used to point potential victims towards ‘windows-upgraded.com’ and, as with all malware campaigns, the hackers knew that a small percentage would click the infected links without investigating further.

Protecting Your PC from Malicious Websites

Although the ‘windows-upgraded.com’ website has now been closed, it’s likely that similar websites will soon be set up to replace it. And, again, people will fall victim to it. But you don’t have to see the security of your data be compromised. By following the advice below, you should be able to remain safe:

Always Use Official Upgrades: if, for example, you are upgrading a Microsoft product, you need to make sure it’s an official upgrade. A new version of Windows will only be available through an official Microsoft website or the ‘check for updates’ section of Windows. Other sources may look genuine, but it’s likely their offerings are far from legitimate.

Check Suspicious Links: all links need to be double checked to make sure they are genuine. While a link may look as though it’s taking you, for example, to an official Microsoft website, the data contained within that link may be sending you somewhere else. But, if you hover your mouse cursor over a link, a popup window will display the true location of the link. Alternatively, if you are suspicious of a link, you can always copy and paste it into a Google search to identify any stories relating to its security credentials.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Hackers Use Microsoft Platform to Launch Malware Attacks

data harvest, Hackers, malware, MSBuild, Ophtek, redline stealerdata harvest, hackers, malware, MSBuild, Redline StealerOphtek, LLC

Jun 2021

Hackers are innovative and industrious individuals, a description which is best demonstrated by their recent leverage of MSBuild to deliver malware.

The Microsoft Build Engine (MSBuild) is an open-source platform which allows software developers to test and compile their source codes. Operational since 2003, the platform has proved to be highly popular with developers and, accordingly, supports a large number of users. And it’s this popularity which has made it so attractive to hackers. By targeting these source codes at a development stage, the hackers are able to piggyback their malicious software into genuine software.

While your organization may not be involved in software development, there’s always the risk that you could end up working with software which is pre-loaded with malware. Therefore, we’re going to take a look at this MSBuild hack.

How are Hackers Infecting MSBuild?

Project files housed within MSBuild can be integrated within executable files which allow the hackers to launch their malicious payloads. But, as ever, hackers have been keen to remain stealthy; the infected payload does not run as a file. Instead, the malicious code is loaded into the PCs memory and it is here that the attack is launched. So far, it has been established that at least three forms of malware have been injected into systems via this approach. Redline Stealer, Remcos and QuasarRAT are the most recognisable forms of malware and have the potential to cause great damage.

Redline Stealer is primarily used as a data harvester and, as such, is mostly employed to steal login credentials and sensitive data. Remote access and surveillance, meanwhile, is the heartbeat of Remcos and allows hackers to hijack PCs remotely. Finally, QuasarRAT is another remote access tool and one which grants hackers full control of infected PCs. Naturally, these three malware variants are the last things you want on your system. And, given that they run filelessly and in the memory of a PC, it’s a threat which is difficult to tackle.

Protecting Yourself Against Memory Based Malware

Malware which operates from within the memory of your PC is difficult to tackle, but not impossible. Start by making sure you carry out these best security practices:

Monitor Network Activity: Regardless of whether a malware attack is file-based or fileless, there will be noticeable changes in your network activity. Any unusual spikes in data transfer or transmissions to unusual destinations should be investigated immediately.

Ensure PCs are Updated and Patched: Many fileless attacks take advantage of hardware and software vulnerabilities. Therefore, it’s critical that all updates are implemented as soon as they are available. This strategy ensures that, even if your PCs memory is breached, the chance of this malware taking hold is minimized.

Disable Macros where Possible: Macros are useful pieces of code that can save users time by carrying out automated procedures instantly. But they can also be manipulated by hackers to carry out malicious procedures. And that’s why many IT departments choose to disable these within organizations except where trusted macros have been tested and verified.

Unfortunately, not all antivirus software can detect fileless malware such as that involved with the MSBuild hack. Conventional, file-based malware leaves behind digital footprints which are easy to detect, but this is not the case with fileless variants. In order to fully protect yourself, check with vendors whether their software has the capability to combat fileless malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Tag Archives: Redline Stealer