Are you ready for Windows 11?

Endpoint Central | March 4, 2022 | 3 min read


Windows 11 is here. Ever since its release in October 2021, users have been checking for updates, eagerly waiting to upgrade. Microsoft's hardware requirements are stricter than for earlier versions (TPM 2.0, Secure Boot and a supported CPU), so the rollout to eligible devices is phased. Existing Windows 10 users on eligible hardware can upgrade for free; everyone else has a few compatibility checks to pass first.

One fine January morning, after four months of users patiently waiting, the broad deployment phase of Windows 11 for eligible devices was announced. No sooner was this announced than traffic surged, with users flooding the internet to find out whether their endpoints were eligible. As if to satisfy that curiosity, Windows upgrade advertisements popped up on social media, urging users to click and download the update. Little did they know that what they were installing was malware in disguise.

The malware was disguised as a fake Windows 11 upgrade installer, tricking users into downloading and executing it. HP's threat research team reported that it was hosted on the look-alike domain windows-upgraded[.]com, chosen to fool a quick glance at the address bar. Clicking Download Now returned a 1.5 MB ZIP file named Windows11InstallationAssistant.zip. (The genuine Installation Assistant is distributed only from microsoft.com and carries a Microsoft Authenticode signature; a download from any other domain fails both checks.)

The archive decompressed to a 753 MB executable, a compression ratio of 99.8%: the binary had been padded with filler bytes to inflate its size, a trick likely meant to push it past the file-size limits of antivirus scanners and sandboxes. When a user ran it, the executable launched a PowerShell process with an encoded argument, which in turn started cmd.exe with a 21-second timeout. Once the timeout expired, a file named win11.jpg was downloaded from a remote web server.

That file was not an image but a dynamic-link library (DLL) stored with its bytes reversed, so that a cursory look or a signature scan would not recognise it as a PE. The initial process reversed it back, loaded it and executed it; the DLL then replaced the current thread context with the downloaded payload. To receive further instructions, the payload opened a TCP connection to its configured command-and-control server, in this case 45.146.166[.]38:2715. The payload is RedLine Stealer, which harvests saved browser passwords and autofill data, cookies, credit card details and cryptocurrency wallet information.
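As an added illustration (not code from the HP report or from this post), the following Python script shows how an analyst can check a sample for the three tricks described above: the filler padding, the encoded PowerShell argument, and the byte-reversed DLL. The PE layout, the filler byte value and the command line are constructed assumptions built inside the script; the real artefacts are not reproduced here.

```python
"""Triage checks for the three evasion tricks in the infection chain above.

Constructed sample inputs only: the fake PE and the command line are built
here for illustration and are not artefacts from the real campaign.
"""
import base64
import re
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def is_reversed_pe(data: bytes) -> bool:
    """A byte-reversed PE fails the normal header check but passes it once reversed."""
    return not is_pe(data) and is_pe(data[::-1])


def filler_ratio(data: bytes, filler: bytes = b"\0") -> float:
    """Fraction of the file made of one filler byte; padded droppers score near 1.0."""
    return data.count(filler) / len(data) if data else 0.0


def decode_powershell_encoded(cmdline: str) -> Optional[str]:
    """Decode the base64-wrapped UTF-16LE script behind -EncodedCommand/-enc/-e."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_padded_pe(payload_size: int = 64, padding: int = 4096) -> bytes:
    """Constructed stand-in for a padded dropper: a minimal DOS header, a PE
    signature at offset 0x40, some payload bytes, then a long run of null filler.
    (Assumption: null bytes as filler; the real sample's filler is not reproduced.)"""
    header = bytearray(0x40)
    header[:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIG + b"\x90" * payload_size + b"\0" * padding


# Constructed command line: a PowerShell launcher that starts cmd.exe with a
# 21-second timeout, hidden behind -enc as the post describes.
SAMPLE_SCRIPT = "Start-Process cmd.exe -ArgumentList '/c timeout /t 21'"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def triage(sample: bytes, cmdline: str) -> dict:
    """Summarise the checks for one file and one observed command line."""
    return {
        "pe": is_pe(sample),
        "reversed_pe": is_reversed_pe(sample),
        "filler_ratio": round(filler_ratio(sample), 3),
        "decoded_command": decode_powershell_encoded(cmdline),
    }


if __name__ == "__main__":
    dropper = build_padded_pe()
    print("dropper:", triage(dropper, SAMPLE_CMDLINE))
    print("reversed payload:", triage(dropper[::-1], "cmd.exe /c whoami"))
```

A high filler ratio on its own is not proof of malice (installers legitimately carry large uncompressed resources), so treat it as a triage signal that justifies a closer look, and always decode the PowerShell argument before deciding whether a process tree is benign.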

Attacks like this one tend to succeed for two reasons: negligence on the admins' side and a lack of awareness on the users' side. Why negligence? Admins, buried under tickets, sometimes fall behind on checking for version updates, and they cannot walk from endpoint to endpoint to verify that every OS is current.

Then there are endpoint users who rarely think twice before clicking an update prompt or a piece of clickbait, and who have no idea what permissions they are granting the applications they install. (Or, in the case of an insider threat, a disgruntled user could install malware on purpose and feign ignorance.)

Take the case of Tencent, for example. Many of us have installed a Tencent app or game at some point. We did not read the permissions they asked for; we simply allowed them. Any data the apps collect under those grants is then beyond our control, which is why over-permissioned apps are treated as a threat to individuals and governments alike.

Once data falls into the hands of threat actors, your organization loses money quickly and may face business disruption as well. By the time you respond to the breach and try to recover what was lost, the damage is done: your reputation is tarnished and your customers' goodwill diminished.

In a distributed organization, how do you ensure users don't download a fake Windows 11 installer? In back-to-office scenarios, how do you verify that all endpoints are compliant? In a global organization running 24/7, how do you deploy OS upgrades without disrupting business?

According to IBM’s Cost of a Data Breach Report 2021, system complexity and compliance failures were the top factors driving up data breach costs. Moving to the cloud or digitizing your organization is not enough. What’s more important is how you tend to the endpoints, checking for the smallest things, such as an update.

Things you should consider

  •  Both software deployment and application management are routine, repetitive tasks. For organizations of all sizes, automation is key: a human under pressure skips steps; a scheduled, policy-driven job does not. ManageEngine has solutions that cater to such needs. Whatever you choose, invest in an automated solution that deploys applications quickly and, most importantly, securely, so that the approved installer, not a look-alike, is what reaches the endpoint.
  •  Select a tool that offers automatic updates. This ensures you don’t have to check for them regularly and you won’t miss any.
  •  When you are not sure what your users’ requirements will be, select a product that has a self-service portal feature.
  •  In a production environment where bandwidth is limited, bake the standard software into the OS image so it ships with the base install rather than as separate downloads.
  •  When it comes to onboarding, bundle the basic software and applications together as a package and deploy them when a new employee joins.

If you are struggling with software deployment or application management, do check out Desktop Central, our holistic endpoint management solution.