Recently, download pages claiming to offer an upgrade to Windows 11 have been appearing. They mimic the look of the official Microsoft website, but behind their download buttons sits a zip archive of malicious files that installs an information-stealing malware called RedLine.
These sites appeared after Microsoft's recent announcement that it was advancing the broad deployment phase of the Windows 11 rollout because of high demand, with an upgrade rate twice what was seen for Windows 10. The timing suggests the attackers were anticipating such an announcement and were ready to exploit the resulting spike in demand for the new OS.
What is RedLine?
RedLine, more formally known as RedLine Stealer, is an information stealer that runs in the background and harvests what your browsers have saved on disk: passwords, autofill data such as credit card numbers, cookies, and other stored credentials. It is sold openly on underground forums, with a monthly subscription option that includes updates. Since its initial release it has also gained the ability to steal cryptocurrency wallets from the devices it infects.
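To make the mechanism concrete: what RedLine takes is not keystrokes but the browser's on-disk credential store, which it copies and ships off. The Python below is an added example (not from the post, and not RedLine code) that audits a Chromium-style "Login Data" SQLite file to show how many saved logins a stealer would walk away with. The sample database it builds is constructed here with a minimal assumed schema (the real table has many more columns), and the script never decrypts the password blobs; point audit_login_data at a real profile's "Login Data" file to audit your own exposure.

```python
"""Added example: exposure audit of a Chromium-style saved-login store.
Not from the post and not stealer code; the sample database below is
constructed with an assumed minimal schema."""
import os
import shutil
import sqlite3
import tempfile
from collections import Counter

# Assumption: minimal subset of Chromium's `logins` table. These three
# columns exist in the real store and are exactly what a stealer wants.
SCHEMA = """
CREATE TABLE logins (
    origin_url     TEXT NOT NULL,
    username_value TEXT,
    password_value BLOB
);
"""

def _site(url):
    """Collapse 'https://accounts.example.com/login' to 'accounts.example.com'."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def audit_login_data(path):
    """Return (saved_login_count, Counter of logins per site).

    Works on a copy: the live file is locked while the browser is running.
    Stealers copy it too, which is why the lock is no protection at all."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "Login Data.copy")
        shutil.copy2(path, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute(
                "SELECT origin_url, username_value FROM logins").fetchall()
        finally:
            con.close()
    return len(rows), Counter(_site(url) for url, _ in rows)

def build_sample_login_data(path):
    """Constructed sample: three saved logins with opaque password blobs."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [
            ("https://mail.example.com/login", "alice", b"v10\x00opaque"),
            ("https://bank.example.net/signin", "alice", b"v10\x00opaque"),
            ("https://bank.example.net/signin", "alice-savings", b"v10\x00opaque"),
        ],
    )
    con.commit()
    con.close()

def demo():
    """Build the constructed sample and audit it; returns (total, by_site)."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "Login Data")
        build_sample_login_data(sample)
        return audit_login_data(sample)

if __name__ == "__main__":
    total, by_site = demo()
    print(f"{total} saved logins across {len(by_site)} sites")
    for site, n in by_site.most_common():
        print(f"  {n}  {site}")
```

The count is the point: every row is a credential a RedLine infection would exfiltrate in one go, without any interaction from you, which is the argument for keeping such secrets in a dedicated password manager rather than in the browser.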
RedLine isn’t exactly new, and has been around since long before these fake Windows installers. The earliest mentions of RedLine were in early 2020, associated with a fake email campaign for the Folding@Home application, which allows users to volunteer processing power for medical research.
According to the Have I Been Pwned breach monitoring service, as of the end of 2021 roughly 441 thousand accounts had appeared in data stolen by RedLine through phishing campaigns, YouTube scams, and fake websites.
Monitoring of dark web data market sites such as '2easy' shows that around half of the sellers there use RedLine as their information-stealing malware of choice, either on its own or alongside other tools.
How can I tell if I’m using a legitimate website?
Given the history of RedLine, as well as the recent appearance of the fake Windows 11 installers, it is likely that more fake sites containing RedLine or other malware like it are on their way.
Some good methods for protecting yourself from fake sites are as follows:
- Keep an eye out for out-of-place advertisements. An official vendor download page is not plastered with third-party ads and ad-driven "Download" buttons; a site that is monetizing page views rather than distributing its own software probably isn't the vendor at all.
- Trust your browser's warnings. If your browser (or Windows SmartScreen) warns you before a page loads or a file runs, or blocks it outright, listen to it unless you are absolutely sure of the identity of the site you are trying to access.
- Do NOT disable your firewall or antivirus. No legitimate installer needs your protections switched off to complete a download; a site that asks for this is telling you it expects to be blocked. Stop the download and leave the site.
- Be wary of big discounts. If a website is offering software at a huge discount, or for free when the vendor normally charges for it, something is going on behind the scenes. Windows 11 in particular is delivered free to eligible Windows 10 PCs through Settings > Windows Update, so there is no reason to fetch it from a third-party site at all. If you still want to take up an offer, verify separately on the vendor's own site that the discount exists.
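The tips above are judgment calls, but two of them can be backed by a mechanical check. The Python below is an added example (not from the post, and not a Microsoft tool) that first tests whether a download link really sits on a Microsoft-owned host, handling the lookalike patterns a naive endswith() check misses, and then triages a downloaded ZIP for executable content and for entries that inflate enormously on extraction, a padding trick commonly used to push a dropper past the size limits of scanners. The official-domain list, the thresholds, the lookalike URLs and the sample archive are assumptions constructed for illustration.

```python
"""Added example: mechanical checks behind two of the tips above.
Not from the post and not a Microsoft tool; domains, thresholds and the
sample archive are assumptions constructed for illustration."""
import io
import zipfile
from urllib.parse import urlsplit

# Assumption: domains Microsoft itself serves Windows downloads from.
OFFICIAL_DOMAINS = ("microsoft.com", "windows.com")

def is_official_download_url(url):
    """True only for https URLs whose host is an official domain or a
    subdomain of one.  Matching on whole DNS labels (not str.endswith)
    rejects 'notmicrosoft.com' and 'microsoft.com.evil.net'; using
    urlsplit().hostname rejects 'www.microsoft.com@evil.net' because the
    part before '@' is userinfo, not the host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    for domain in OFFICIAL_DOMAINS:
        d = domain.split(".")
        if len(labels) >= len(d) and labels[-len(d):] == d:
            return True
    return False

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".ps1",
                       ".bat", ".cmd", ".js", ".vbs")

def triage_zip(data, min_inflated_bytes=50 * 2**20, min_ratio=100.0):
    """Return [(entry_name, reason), ...] for a ZIP given as bytes.
    Flags executable content, and entries that inflate by >= min_ratio to
    at least min_inflated_bytes: hundreds of MB of near-zero-entropy padding
    behind a tiny real payload is a dropper tell, not an installer."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append((name, "executable inside a supposed installer archive"))
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size >= min_inflated_bytes and ratio >= min_ratio:
                findings.append(
                    (name, f"inflates {ratio:.0f}x to {info.file_size // 2**20} MB (padding?)"))
    return findings

def build_sample_zip(padding_bytes=64 * 2**20):
    """Constructed sample: a 2-byte 'MZ' stub followed by zero padding, plus a
    readme asking the user to lower defences, packaged like a padded dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Win11Upgrade/setup.exe", b"MZ" + b"\x00" * padding_bytes)
        zf.writestr("Win11Upgrade/readme.txt",
                    b"Run setup.exe. Disable your antivirus and firewall first.")
    return buf.getvalue()

if __name__ == "__main__":
    for url in ("https://www.microsoft.com/software-download/windows11",
                "https://microsoft.com.example.net/windows11",   # constructed lookalike
                "https://notmicrosoft.com/windows11"):           # constructed lookalike
        print("OK " if is_official_download_url(url) else "BAD", url)
    for name, reason in triage_zip(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {reason}")
```

Neither check proves a file is safe; a clean result only means the cheap tells are absent. What the ZIP triage does show is why "disable your antivirus first" and an installer that balloons from a few MB to hundreds of MB belong together: both exist to get the real payload past whatever is watching.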
References:
https://www.zdnet.com/article/this-password-stealing-malware-posed-as-a-windows-11-download/
https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2
https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
https://www.hotbot.com/blog/how-to-tell-if-youre-using-a-safe-download-source/
Wow, the screenshot of the website in your post looks very legitimate at first glance. They even managed to get an SSL certificate, I wonder who issued it to them? I can’t help but think that the most vulnerable populations to these sorts of attacks are seniors. It’s heart-breaking to think that someone would go after an older person who may not even be aware of the attack after the fact. Although, this does seem consistent with the principle of “attacking the weakest point”. If only they tried to make a career out of being a web designer, but I guess that doesn’t pay as much.
As for being “safe”, it depends on how you define safe. Bug free? No. That’s the point of beta testing, to ferret out and fix as many bugs as possible before final release. And it’s entirely possible for some as yet undiscovered bug in some obscure combination of software/hardware to cause data loss.
It is safe inasmuch as it is complete enough that it installs and runs problem free in most situations.
Bottom line is at this point, you use it at your own risk.
If you watched any famous YouTube video, you would have seen them say that it is not safe to install it on your main computer because it may contain viruses, malware, or spyware. Since it is not officially released and is just a leaked developer preview, I don’t think you should take a chance and download it. Please wait until it is released officially.
By the way, It was a great post on latest topic. I got indulged for at least one hour as it was an interesting topic. Thank you.
Hi, one thing I noticed is that the website looks very realistic! If this fake promotion page was offered to me, I would’ve fallen for the trick. I also thank you for the methods that you have provided us, as I didn’t know firewalls are very important software that protects us from hackers! These are the reasons why I don’t download random stuff from the internet unless the software is verified and has good reviews! I feel bad for the victims that are still getting scammed today as they are innocent people. I really hope these scammers get caught and get the punishment they deserve as they have made many victims.
Very informative post here. It is something very relevant and should be read by many people who have Windows and are looking to update. It is crazy to think how hackers are sometimes a step ahead and prepare for things like new updates to computers. This is why it is important to always do a quick eye check to double-check the websites we are on. People can always make up a similar website but change a very minor part of the URL! Thank you for sharing.
It’s scary to see that malicious websites like these are adapting to high-level marketing schemes to catch the interest of users. From the photo that you included in your article, it’s really hard to distinguish the legitimacy of the ad and this is what’s so effective about these baits. Furthermore, besides the search bar, the website even has a certified security badge, making it even more believable.
I think it was very helpful that you provided the security tips near the end of the post. They provide an excellent model for safely surfing the web. Just to add an extra layer of security to the list, I would also include some type of ad blocker extension to limit the possibility of encountering these hostile ads.
Nice post! I recently read an investigative article on the RedLine Stealer software, and the lesson to be learned from it is that you should avoid saving your passwords in web browsers. Instead, one should consider using a dedicated password manager that stores everything in an encrypted vault. Furthermore, e-commerce applications and other sensitive applications should be configured specifically to require manual credential input to avoid falling into pitfalls created by RedLine Stealer. In addition, RedLine can be purchased for about $200 and thus is relatively cheap, and likewise can be deployed without requiring much knowledge. This provides insight into the convenience that it offers for those with malicious intent. Lesson to be learned? Don’t always trust your computer to keep your information safe, be vigilant!
It is sad because the website looks very realistic and I could even be a victim of this attack. It’s good that you also gave methods to verifying if websites like this are fake.
This is a very good post! I heard a little bit about RedLine before reading this but, it’s very scary how legitimate these websites look. People who are not careful enough could easily fall victim to the malware, especially if the website looks real enough. The methods for protecting yourself from fake websites are definitely useful to keep in mind, for keeping your information safe and secure.
It didn’t register with me until a little after reading your post that we live in a time where there are paid subscription services for malware. I think it would be interesting to see how Redline combats security measures, especially considering that it is readily available to those who know where to look. You would think that, for example, someone at Microsoft could purchase and subscribe to a Redline Stealer distributor and reverse engineer the software so that Windows 10/11 detects the software if it is about to be downloaded. Either Redline is less accessible than I think, or perhaps it is polymorphic so that security measures have trouble defending against it. For some people, it definitely seems like there needs to be a way to prohibit or EXPLICITLY warn people not to download software if it can be detected as Redline Stealer. Either way, Redline has to be doing something right to infect over 441 thousand PCs, so the problem is probably more complex than I think. That, coupled with the fact that ignorance is always a prominent factor: if people want to download free/early Windows 11, they will download free/early Windows 11, regardless of a warning. Thank you for the interesting post.
Nice post!! The fact that I have seen this and was willing to update to Windows 11 is scary, because a malicious file within the update would ruin my computer and I would lose all my confidential private documents. I will make sure to follow the given precautions, and I hope other people don’t fall for it and stay safe.
That was a well-written post! It’s so scary how it looks exactly the same and is realistic. The scary aspect is that these links don’t appear to many to be a simple trap to avoid, plus they largely target people who are not technically advanced and are easily fooled. I agree with the point stated that if the browser shows a warning sign we should listen to it. Personally, I should start to be more cautious when downloading new updates because I haven’t heard about that before and I always download new updates without even making sure that the website is secure or not. Thanks for that post.
I feel like attackers mimicking a Windows 11 download is a very bold move, considering it’s indirectly affecting one of the biggest tech companies in the world, Microsoft. It totally makes sense though for attackers to hop on this. Considering everyone is upgrading to Windows 11, that makes those users easy targets. And when I say everyone, that includes those who may not be the most technically savvy and/or don’t fully read/pay attention to what they are downloading, making them easy targets. I wonder how diligent Microsoft has to be when they deploy a new OS/update. I’d assume it’s a 24/7 job to make sure people aren’t being taken advantage of.
It’s insane that 441 thousand accounts have been hacked using Redline; imagine the amount of personal information that could have been leaked, especially stuff like credit card information. Though I am surprised as to how they are able to add monthly updates without completely compromising themselves, as someone should just be able to buy it and try cracking it.
Another point I would like to add to be secure is to download as little as possible from websites and only download if you are very trusting of the site.
What an interesting post.
It is not very difficult to fall for these scams, especially when the website looks so legitimate at first glance. It is crazy how 441 thousand people have been victims of the Redline scams. The only way to be safe from these scams is to double-check before doing literally anything on the internet.
Hello, this is a really fascinating post! I have to agree that if this phoney promotion page had been presented to me, I would have fallen for it. I really appreciate the solutions you’ve offered, since I had no idea firewalls were such crucial tools for protecting us from hackers! These are the reasons why I never download software from the internet unless it has been validated and has a positive review! Though, somehow, I had to get some online games like Cyberpunk for my laptop; I got a cracked version of it online and downloaded it, and I don’t even know what vulnerabilities it has and what could go wrong tomorrow morning with my computer. This scares me a lot! By the way, this was really a nice post that caught my interest.
Very informative post! I was browsing through Google a few days back for a fix in Windows 11 and I saw this website and it seemed legitimate. After reading this post I feel scared downloading anything from the internet. I would also like to say that discussing whether a website is legitimate or not in your post was very helpful. Thank you.
The thing I find most fascinating about this is how one particular ‘brand’ (if you want to call it that) of malware is so dominant over the others. I would hope that with the knowledge we have about RedLine’s popularity that antivirus companies could take extra measures to specifically target, identify, and quarantine RedLine. I don’t know a whole lot about this though so I doubt it’s that simple. I’m sure those monthly updates probably would put just as much, if not more effort into getting around any concentrated efforts against RedLine. Still, 400+ thousand accounts is… a lot, and it’s certainly concerning when considering the growing threat of malware as adversaries become more advanced with every month that goes by.
The easiest way for me to identify a fake website was to look at the website. Usually hackers do not have much money, therefore the interface does not “look” real and there are usually tons of grammatical mistakes. However, now this rule of thumb does not apply anymore. I am from Bangladesh, a third world country, where day to day people go to random websites to download software, songs and many more things. An average user will never understand that a website is fake and the file they are downloading can cause more harm than good. I, myself, am always in doubt if a website is safe to use. Therefore, I tend to download things from the Microsoft Store or Play Store, but I just read another blog stating even the Microsoft Store has apps that can contain malware. So where should we go to find what we need? In a world where everything is almost digital, the risk of getting pwned is increasing exponentially.
This is similar to phishing programs created through emails. Microsoft is launching its new Windows 11 operating system, and most users are trying to experience this new version. Phishing apps that exploit people’s curiosity are always hard to defend against. I have a very similar situation here. I downloaded the wrong installation package when I tried to install the Android subsystem on a Windows device, but the virus was blocked and removed by firewall software. People should definitely take extra care in this area to prevent this from happening.
Good post! I find it particularly interesting that the Redline malware has a form of monthly subscription for updates. I feel like this feature demonstrates the sheer profitability that these types of malware can bring in. The fact that users would be willing to pay a monthly subscription for access to the most recent version of Redline shows that those using Redline are using it to rake in revenue. This fact is also rather disturbing as it reflects that the developers behind Redline are continuing to update it and are finding new ways around new security developments, in order to continue attacking unsuspecting users, despite whatever new security measures are put in place.
Very interesting post!
To be honest, I cannot identify that the website you provided at the beginning of your blog is a fake Microsoft website. At least, I cannot find any difference between the real Microsoft website and this fake website.
I agree with your points in your blog. What I always do to deal with this kind of problem, is to go to the main page of an official website first, then manually click the links on the main page to go to the corresponding web pages that I want to browse. I think this is a good way for us to protect ourselves from being scammed or phished by the scam websites.
Very interesting topic. I did come across a lot of similar sites when I was browsing. They impersonate other websites, which makes it easy for people to become victims. I would like to thank you for giving us a way to tell if a site is fake, and I hope people are educated to avoid falling victim to phishing sites.
Really interesting post. You mentioned that the website was impersonating the Microsoft windows 11 website, and tricking users that way. Does the fault then lie on Microsoft for allowing someone to impersonate them with so much impunity? Should they do something about this?
Thanks for an informative post! I would suggest updating Windows right inside Settings > Windows Update instead of downloading online. I was once asked by an app (which I can’t remember) to turn off the firewall to finish the installation process. However, I refused to do so and gave up installing that app. I now think it was the right decision that I made to protect my computer.