Adversaries always look for new tricks to maximize the success of their malicious operations. This time cyber crooks are taking advantage of the recent announcement of Windows 11’s broad deployment phase to target users with malware-laced upgrade installers. In case downloaded and executed, unsuspecting victims got their systems infected with RedLine information stealer.
First revealed in 2020, RedLine stealer has been increasingly advertised on the underground forums as a Malware-as-a-Service (MaaS) threat, being available at a price of $150-200 for a monthly subscription or standalone sample.
RedLine is one of the most widely deployed information stealers that can grab Windows credentials, browser information, cryptocurrency wallets, FTP connections, banking data, and other sensitive information from the infected hosts. Apart from the data dumping capabilities, the malware was recently upgraded with additional features that allow its operators to load second-stage malicious payloads and run commands received from the attacker’s command-and-control (C&C) server.
Although the RedLine stealer analysis shows that malware is not incredibly sophisticated, adopting the MaaS model for massive distribution makes the threat a prominent player in the malicious arena.
According to the inquiry by HP, RedLine maintainers increasingly rely on fraudulent Windows 11 upgrade promises to lure Windows 10 users. Particularly, adversaries leverage a seemingly legitimate “windows-upgraded.com” domain to disseminate malicious installers. If users are tricked into clicking the “Download Now” button, MB ZIP archive dubbed “Windows11InstallationAssistant.zip” lands to the system containing RedLine executables. After extracted and launched, victims got the malicious DLL loaded to their device, which turned out to be the RedLine stealer payload.
According to the researchers, the distribution website spotted during the investigation by HP has already been taken down. Nevertheless, hackers have no trouble setting up a new domain and proceeding with the malicious campaign.
Security researchers note that RedLine maintainers successfully benefited from the inability of many Windows 10 users to get a Windows 11 upgrade from the official distribution channels due to hardware incompatibilities. Experts believe that other malware families may follow the same routine, so users should be cautious.
To spot the malicious activity associated with RedLine stealer malware and secure the system assets, opt for downloading a dedicated Sigma rule by our keen Threat Bounty developer Osman Demir.
Fake Windows 11 Upgrade Installer Detection (via process_creation)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, LimaCharlie, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender for Endpoint, Securonix, Apache Kafka ksqlDB, Carbon Black, Microsoft PowerShell, and AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactics with Command and Scripting Interpreter (T1059) as the main technique.
The full list of RedLine detections in the Threat Detection Marketplace repository of the SOC Prime platform is available here.
Sign up for free at SOC Prime’s Detection as Code platform to detect the latest threats within your security environment, improve log source and MITRE ATT&CK coverage, and defend against attacks easier, faster, and more efficiently. Adepts at cybersecurity are more than welcome to join the Threat Bounty program to share curated Sigma rules with the community and get recurrent rewards. Eager to polish your threat hunting skills? Dive into our guide for beginners to learn what are Sigma rules. Also, you can refer to our guide and learn what is MITRE ATT&CK® and how to use it for self-advancement.