A campaign has been identified that uses the offer of a free Windows 11 upgrade as a lure to trick people into installing Redline Stealer malware. The Redline Stealer is offered for sale on hacking forums for between $150 and $200 under the malware-as-a-service model. The malware is a popular choice with cybercriminals due to the relatively low cost, ease of use, and the range of sensitive data that the malware can steal.

Redline malware can steal autocomplete data, cryptocurrency, credit card information, FTP and instant messenger credentials, and credentials stored in Chromium-based web browsers. While passwords stored in browsers are encrypted, Redline malware can programmatically decrypt passwords provided the malware runs as the user who was infected. If the user does not store passwords in the browser, the malware can still steal valuable information from browsers, including the sites the user visited and chose not to store a password. Phishing emails can then be crafted targeting those credentials or credential-stuffing attacks could be performed on the accounts for those sites. There have been many cases of Redline malware being installed on endpoints that have antivirus software installed, where the antivirus software has failed to detect and block the malware.

Redline malware is commonly distributed via phishing emails containing an embedded hyperlink to a malicious website, with social engineering tricks used to convince the user to download and run the installer. This approach is often used to target businesses.

Recently, researchers at HP uncovered a campaign that uses a spoofed Microsoft domain offering visitors a free Windows 11 upgrade. The upgrade is offered on the domain windows-upgrade.com, which is a professional-looking domain designed to look like an official Microsoft website. If users click the ‘Download Now’ button, it will trigger the download of a compressed file called Windows11InstallationAssistant.zip, which is downloaded from a Discord CDN.

The zip file contains an executable file called Windows11InstallationAssistant.exe, which will trigger the infection process that will ultimately deliver the Redline stealer payload with no further user interaction required. Now that the domain has been identified as malicious it has been taken down, but the campaign is likely to be relaunched on different domains.

Software installers have long been used for delivering malware, sometimes the installers are fake and only deliver a malicious payload, while others install a genuine application or software but also bundle in malware, spyware, or adware. In the case of the latter, users will likely be unaware that anything untoward has happened, as they will have installed the software they intended to download.

Malicious software installers are often found on peer-2-peer file-sharing networks, legitimate websites that have been compromised, and attacker-owned domains. Search engine poisoning is frequently used to get links to the malicious websites appearing high in the organic search engine listings for key search terms, often those used by businesses. Malicious adverts – malvertising – are often used to send traffic to malicious websites via the third-party ad blocks displayed on legitimate websites. Links to malicious websites may also be added to phishing emails.

While an advanced spam filter can protect against phishing emails containing malicious links, it will do nothing to prevent users from visiting websites hosting malware through web browsing. To protect against web-based attacks, businesses should use a web filter.

A web filter can be used to restrict access to certain categories of website, such as those serving no business purpose. Web filters are fed threat intelligence and use blacklists of known malicious web pages and will prevent access to those web pages or websites. It is also possible to configure a web filter to prevent the downloading of certain file types from the Internet, such as those commonly associated with malware.

Web filters are an important cybersecurity control to add to your arsenal to improve your defenses against malware and ransomware, and they are also effective at blocking the web component of phishing attacks by preventing employees from visiting the websites where credentials are harvested.

TitanHQ has developed an easy-to-use and powerful DNS-based web filter for SMBs, enterprises, and managed service providers. WebTitan Cloud is quick and easy to set up and configure and will allow you to enforce acceptable Internet usage policies and filter out malicious websites in minutes. WebTitan Cloud can protect users of wired and wireless networks, and even remote workers by installing a lightweight client on corporate-owned devices.

If you want to improve your defenses and block more threats, contact TitanHQ for further information on filtering the Internet with WebTitan.