Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.
The timing of the attacks coincides with the moment that Microsoft announced Windows 11’s broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation’s success.
RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.
The campaign
According to researchers at HP, who spotted this campaign, the actors used the legitimate-looking “windows-upgraded.com” domain for the malware distribution part of their campaign.
The site looks like a genuine Microsoft site, and visitors who clicked the ‘Download Now’ button received a 1.5 MB ZIP archive named “Windows11InstallationAssistant.zip,” fetched directly from a Discord CDN.
Fake website used for malware distribution (HP)
Decompressing the archive yields a 753 MB folder, a compression ratio of 99.8% that is possible only because the executable consists mostly of padding.
When the victim launches the executable in the folder, a PowerShell process with an encoded argument starts.
Next, a cmd.exe process is launched with a timeout of 21 seconds, and after that expires, a .jpg file is fetched from a remote web server.
This file contains a DLL whose bytes are stored in reverse order, possibly to evade detection and analysis.
Finally, the initial process loads the DLL and replaces the current thread context with it. That DLL is a RedLine stealer payload that connects to the command-and-control server via TCP to get instructions on what malicious tasks it has to run next on the newly compromised system.
RedLine execution and loading chain (HP)
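As an added example that is not from HP's report or this article, the following Python triage helpers mirror the three tricks in the chain above from a defender's side: decoding an encoded PowerShell argument, measuring how much of an executable is trailing zero padding, and recognising a PE file that has been stored byte-reversed. All sample inputs are constructed inline.

```python
import base64
import struct


def _build_fake_pe(body_padding: int = 0) -> bytes:
    """Constructed sample: a minimal PE-shaped blob (MZ stub, e_lfanew -> 'PE\\0\\0')."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right after the stub
    return bytes(hdr) + b"PE\0\0" + b"\x00" * body_padding


# Constructed inputs: the "DLL" stored back-to-front, and a decoy inflated with padding.
SAMPLE_REVERSED_DLL = _build_fake_pe()[::-1]
SAMPLE_PADDED_EXE = _build_fake_pe(body_padding=4096)

# Constructed -EncodedCommand value (PowerShell expects base64 of UTF-16LE text).
SAMPLE_ENCODED_ARG = base64.b64encode("Start-Sleep -Seconds 21".encode("utf-16-le")).decode()


def decode_encoded_command(arg: str) -> str:
    """Decode a PowerShell -EncodedCommand argument so the script can be reviewed."""
    return base64.b64decode(arg).decode("utf-16-le")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_reversed_pe(data: bytes) -> bool:
    """Detect a PE stored in reverse: it ends in 'ZM' and parses once flipped."""
    return data.endswith(b"ZM") and looks_like_pe(data[::-1])


def trailing_padding_ratio(data: bytes) -> float:
    """Fraction of the file made of trailing zero bytes (inflated-size decoy check)."""
    if not data:
        return 0.0
    stripped = data.rstrip(b"\x00")
    return (len(data) - len(stripped)) / len(data)
```

A file fetched as a ".jpg" that fails image parsing but passes looks_like_reversed_pe, or an installer whose padding ratio is near 1.0, is worth a closer look in the sandbox.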
Outlook
Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.
Windows 11 is a major upgrade that many Windows 10 users cannot get from the official distribution channels due to hardware incompatibilities, something that malware operators see as an excellent opportunity for finding new victims.
As BleepingComputer reported in January, threat actors are also leveraging Windows’ legitimate update clients to execute malicious code on compromised Windows systems, so the tactics reported by HP are hardly surprising at this point.
Remember, these dangerous sites are promoted via forum and social media posts or instant messages, so don’t trust anything but the official Windows upgrade system alerts.
Matterbridge is a single, statically linked binary, so installation is fairly easy, and configuration is also fairly simple. However, some people know more than others, so this guide is intended to help anyone host their own bridge.
On Windows, go to https://github.com/42wim/matterbridge/releases/ and download the binary for your system. This is most likely going to be windows-64bit.exe. Put it into the folder of your choice. I would recommend making an empty folder, but it is not required that you do so. Open a command window by clicking an empty part of the folder window to make sure nothing is selected, then press shift+right-click and select either “Open in Windows Terminal” or “Open PowerShell Window Here”.
This should open a command window that you can run the app in. Run .\matterbridge-1.22.2-windows-64bit.exe in the command window. If all is well, you should see an error like the one below, saying that it cannot load the config file. This is normal, as we have not created it yet. Proceed to the Configuring section to build the config file.
On Linux, from a command shell, make it executable by running chmod +x matterbridge-1.22.2-linux-armv6, replacing matterbridge-1.22.2-linux-armv6 with the file you downloaded. Run it with ./matterbridge-1.22.2-linux-armv6, substituting as necessary. If all is well, you should get an error saying that it cannot read the config file. We will build it next.
Other platforms
I do not have other systems to test it on. However, the commands are likely to be similar to the ones for Linux. I also expect that you know more about your system than I do, and that you know how to download a file and run an application on it.
Matterbridge uses gateways to bridge different protocols together. A gateway is like a hub: messages are sent to it and then copied out by each protocol driver. Multiple gateways can be configured, and one instance can have multiple gateways running. A protocol can be set up multiple times; each configuration of a protocol is called an instance throughout this guide.
Once the app is created, you will be taken to the general information page. Here you can rename your app or give it an optional description and image. You can change this information at any time. Once you are ready, click the Bot link on the left side to open the Bot page.
On the Bot page, click Add Bot, then Yes, do it!. This will create a new bot. You can also create a new bot on an existing app.
We are now ready to configure Matterbridge to use the bot. Create a config file if you haven’t already, and paste the following code snippet near the top of the file.
[discord.mydiscord]
# You can get your token by following the instructions on
# https://github.com/42wim/matterbridge/wiki/Discord-bot-setup
# in particular, the "Members Intent" checkbox is important.
# If you want roles/groups mentions to be shown with names instead of ID,
# you'll need to give your bot the "Manage Roles" permission.
Token="YOUR_TOKEN_HERE"
Server="name or uid of guild" # picked from guilds the bot is connected to
RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
Replace YOUR_TOKEN_HERE with the bot token. You can get it by clicking the Copy button, which copies the token to your clipboard. Paste it into the config file. We will get the server ID next.
In order for the bot to work, you need to enable Server Members Intent. Scroll down to Privileged Gateway Intents and enable the Server Members Intent switch.
Now you will need to add the bot to the server you want to bridge. Click the OAuth2 button and select bot under scopes, then click the Copy button. This will give you the URL to add the bot to the server with. Paste it in a browser tab and press enter to go to the page.
Select the server that you want to add the bot to from the dropdown and click Authorize. Note: You will need to have Manage Server permission on the server to add the bot to it.
Once the bot is added, you will need to get the server ID. To do so, go to User Settings > Advanced and enable Developer Mode.
Close the Settings page and open the server you added the bot to. Right-click on the server name and click Copy ID. Just clicking on the server name will not work. Go back to the config file and set the Server field to the ID you just copied. You are now ready to add the instance to a gateway. Set the channel in the gateway to the channel name in the server.
To create a bot, start a chat with @botfather in Telegram. Click start to begin a conversation. Send /newbot. Give it a name and a username. Usernames are 5-32 characters long and are case insensitive, but may only include Latin characters, numbers, and underscores. Your bot’s username must end in ‘bot’, e.g. ‘tetris_bot’ or ‘TetrisBot’.
Creating a bot with BotFather. Using Unigram, an unofficial Telegram client.
Next, you need to disable the bot’s Privacy mode for Matterbridge to work properly with the bot; otherwise it will only relay mentions. Do so by sending /setprivacy and selecting Disable when prompted.
Setting the bots privacy mode with BotFather. Using Unigram, an unofficial Telegram client.
Add the following template to your config. Replace Yourtokenhere with the token you got from BotFather.
Creating a Matrix bridge could not be simpler. First, create a dedicated user for your bot. This is not strictly required, but Matterbridge will not relay messages from the account it is logged in as.
Second, paste the following code block into your config, filling in the appropriate fields.
[matrix.mymatrix]
#Server is your homeserver (eg https://matrix.org)
Server="https://matrix.org"
#login/pass of your bot.
#Use a dedicated user for this and not your own!
#Messages sent from this user will not be relayed to avoid loops.
Login="yourlogin"
Password="yourpass"
RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
#Whether to send the homeserver suffix. eg ":matrix.org" in @username:matrix.org
#to other bridges, or only send "username".(true only sends username)
#OPTIONAL (default false)
NoHomeServerSuffix=false
Last, you will need to get the room ID. While the room name sometimes works, I have not had much success with it. To find the ID, click on the room name > Advanced and save the Internal room ID field. This is what you will use for the channel later.
Configuring your gateway(s)
One of the nice things about Matterbridge is that it supports having multiple gateways, and multiple bridges in each gateway.
To create a gateway, go to the bottom of the config and create a gateway, using the following as a sample. Replace protocol with the protocol name, and myprotocol with the bridge name. Repeat with as many gateways as you want. Just make sure to give each gateway a unique name.
Notice! This is still a draft.
I have used many operating systems. Let me elaborate.
I grew up in an all-Windows environment, until about a year or 2 ago when I got a Linux laptop from my grandpa. The mobile operating systems in my house today are all Android, unless you count the school iPads (which I strongly dislike). I have also used MacBooks (which are almost an entirely different beast from iPads) last year, also for school. That puts me in a good position to compare and contrast these operating systems.
Comparing Windows to Linux is like comparing houses to skyscrapers. They both run apps and have a kernel (that not-so-little binary that makes all the magic happen). There is not too much to compare. But here is an attempt.
User interface
Windows is a GUI-based OS. While some stuff can be done from cmd.exe or, more recently, PowerShell, unless you are using Windows Server Core and Microsoft products, you are going to be forced to use a GUI. Linux, on the other hand, is driven from the command line, with graphical interfaces built on top of Linux commands.
Usability
Windows is fairly easy to use. Linux is harder to judge, depending on what tools you have. If you install a desktop environment such as GNOME, KDE, or Xfce, you get many GUI-based tools. If you are a hardcore command line user, there are many console-driven applications available as well. You can also modify configuration files directly, as many are plain text files.
Customizability
Being closed source, to customize Windows you are limited either to using what Microsoft has allowed or to reverse engineering. Linux, on the other hand, has infinite flexibility. Do what you want with it. If you want, you could even make it run on your washing machine or microwave. Someone has even ported it to the PlayStation.
Newbie friendliness
Windows is fairly friendly to new users. Linux depends on what environment you have set up. When running a fairly complete desktop environment such as GNOME, KDE, or a fork of one of these, there are generally several included tools that can help all users. Plus, it is very easy to create configuration tools for Linux because of its design. While Windows does provide some GUI tools, they may not be as friendly as Linux tools, and there are not many alternatives.
App compatibility
Windows is the most popular OS, therefore many apps (and drivers) are written for Windows first (oftentimes only for Windows). However, many apps are written for Linux (many of these are written for Linux first, then ported to Windows by the community, or sometimes just work on Windows without much tinkering). Therefore, you should make sure that the apps you want work on your chosen OS. Utilities such as Cygwin (Linux on Windows) and WineHQ (Windows on Linux) help with compatibility, but you still need to ensure they work.
My opinion
I personally love Linux. However, I like Windows as well. I will not say one is better than another without knowing the intended use case (at which point I would say better for…). I feel that each OS has its own strengths and weaknesses. Personally, unless something works better on Windows, I would stick with Linux, but everyone is different.
Windows VS. MacOS
Comparing Windows to MacOS is similar to comparing Windows to Linux; however, MacOS is easier to compare with, as there is no variety.
User interface
Both Windows and MacOS are designed to be driven with a GUI. Both have command line tools available; however, these tools may not be as complete as their GUI counterparts.
Usability
Both Windows and MacOS are fairly user friendly. However, users coming to MacOS are likely to be confused for a bit due to the big differences in user interfaces.