Redline Stealer Malware preloaded on some Mini-PCs (NUC-likes) sold on Amazon & AliExpress

Was watching some YouTube videos when the algorithm decided to suggest this one to me — it's a 13-minute video from a YouTuber who recently discovered that a certain type of malware is being preloaded on prebuilt systems (typically Chinese-brand small form factor desktops), and then shipped to unsuspecting buyers.

The malware can be found living in a hidden directory. On mine, I found it in a system folder labelled C:\Recovery\OEM\OsVer

When opening the folder, Microsoft Defender immediately scanned the contents and quarantined the culprit. Say what you want about MS Defender, but it does detect stuff sometimes.

So what does the malware actually do? According to the video and this article, it is essentially spyware and is able to exfiltrate a bunch of your system data such as what programs you run, what antivirus software you're using, capture screenshots, scan your PC for crypto wallets (so that it can drain them later) and, most importantly, rummage through your Chrome user profile so that it can decrypt / crack the passwords that are saved in your Chrome profile.

If you happen to have lots of passwords saved in Chrome, you're going to have to change all of them.

Don't spend time debugging the machine and cleaning out the malware with removal tools. It's generally best practice (more time efficient) to simply reimage your computer, as opposed to just deleting the affected folder and assuming that it's completely clean. Make yourself a Win11 disk image and opt to clean install instead of keeping the user data. Or if you're using the machine as a server, consider making the switch to GNU/Linux.

If you initially had suspicions that these PCs came with a 'flavoured' version of Windows, then you are right. They modified it to allow the user to start using it straight away with a local Microsoft account as opposed to a cloud-connected one, which is a workaround that had been eliminated by Microsoft around last year. If your machine was set up the same way and didn't require you to log in to an online account, you might need to suspect that it has been tampered with.
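Before wiping the box, it is worth recording what the vendor image actually shipped with, since the quarantined files and any persistence entries are the evidence you would give Amazon or the seller. The script below is an added example, not code from the video or the original post: it inventories the folder named above without executing anything in it, checks whether Defender has been given an exclusion for that folder or had real-time protection switched off (the "whitelist" question raised in the comments), and lists the usual autorun locations (Run/RunOnce keys, scheduled tasks, Startup folders), flagging any that launch from under C:\Recovery\OEM. The path is the one from the post; the `Recovery\\OEM` match pattern is a hypothetical heuristic, not a published indicator. Run it from an elevated PowerShell prompt; C:\Recovery is normally only readable as administrator.

```powershell
#Requires -RunAsAdministrator
# Post-purchase triage for a mini-PC shipped with a vendor Windows image.
# Added example; not code from the video or the original post.
# Assumptions: $SuspectDir is the folder named in the post, and $SuspectPattern
# is a hypothetical heuristic for spotting autoruns that point into it.
$SuspectDir     = 'C:\Recovery\OEM\OsVer'
$SuspectPattern = 'Recovery\\OEM'

# 1. Inventory the hidden folder without running anything in it.
#    -Force includes hidden/system files; the hashes let you look items up later.
function Get-SuspectFiles {
    if (-not (Test-Path -LiteralPath $SuspectDir)) {
        Write-Host "$SuspectDir not present (already quarantined or never existed)"
        return
    }
    Get-ChildItem -LiteralPath $SuspectDir -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Has Defender been told to look away? Exclusions and a disabled real-time
#    engine are the two settings a tampered image would most likely touch.
function Get-DefenderTampering {
    $pref = Get-MpPreference
    [pscustomobject]@{
        RealtimeDisabled = $pref.DisableRealtimeMonitoring
        ExclusionPaths   = @($pref.ExclusionPath)
        ExclusionProcs   = @($pref.ExclusionProcess)
        SuspectExcluded  = @($pref.ExclusionPath | Where-Object { $_ -match $SuspectPattern }).Count -gt 0
    }
}

# 3. Enumerate common persistence points so anything launching from the
#    suspect folder can be spotted.
function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Scheduled tasks: a task may carry several actions; only exec actions have Execute.
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = "$($a.Execute) $($a.Arguments)".Trim()
                }
            }
        }
    }
    # Per-user and all-users Startup folders.
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
        }
    }
}

Write-Host "== Files under $SuspectDir =="
Get-SuspectFiles | Format-Table -AutoSize

Write-Host "== Defender exclusions / real-time state =="
Get-DefenderTampering | Format-List

Write-Host "== Autoruns that reference $SuspectPattern =="
Get-AutorunEntries | Where-Object { $_.Command -match $SuspectPattern } | Format-Table -AutoSize
```

Drop the `Where-Object` on the last line to see every autorun entry rather than only the flagged ones. None of this replaces the reimage: a clean result only means these particular spots are empty, and a vendor image can persist in places this does not cover.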

Comments

  • +1

    which brand was your one?

  • +3

    It's well known you should never use the preinstalled image. There's a history of this sort of thing even coming from top tier vendors not to mention even if it's not malware there's usually a bunch of preloaded rubbish you don't want.

  • +15

    I just let the nice man from Microsoft who called me fix it for $500 payable with iTunes gift card.

  • +8

    So I guess the “conspiracy” types that get negged for mentioning malware in mini-pc deals weren’t exactly wrong.

    • +14

      I laughed when I first heard this

      Q. what's the difference between a conspiracy and a fact?
      A. about 6 months

  • Good writeup, thanks for the info. It's always a good idea to wipe and re-install a fresh copy of Windows, then. You should be able to download and install a fresh copy from Microsoft's website.

    Try and flash a clean BIOS as well.

    it is essentially spyware and is able to exfiltrate a bunch of your system data such as what programs you run, know what antivirus software you're using, capture screenshots, scan your PC for crypto wallets (so that it can drain them later) and most importantly, rummage through your Chrome

    However, note that Windows 10 and 11 do all the same bad things that the malware does in your list above, except the crypto wallet scanning.

    • Can you trust that the downloaded BIOS/UEFI is also clean?

  • What kind of numbskull could this snare, since it is pretty well mandatory to have Defender or something probably better running?

    • If they've figured out how to neuter Defender then it's no protection.

  • I'm curious why this malware isn't caught by Windows Defender at runtime when it does get caught by automated scan upon opening the folder it resides in? I thought there would be a more rigorous scan performed at runtime.

    Did they modify Windows to put the malware on Defender's whitelist?

  • -1

Thank you for sharing

    just changed my Microsoft password,

    and BTW never ever used Chrome auto-save passwords, always used a password manager (like Bitwarden, LastPass, 1Password, Dashlane, etc. etc.)

    Luckily I only really used it as a server, not an everyday use PC, hence less passwords used there

    Any clue how amazon is gonna react to this ?? surely amazon can penalise the known retailers for selling malware and attempting to steal their customer's sensitive details

    BTW if anyone is still on their Windows ISO, then either get rid of that Windows altogether !! or use autorun software to detect WTF are programs that run automatically etc.
    https://www.pcrisk.com/removal-guides/21072-mini-redline-inf…

  • +4

    You should always reinstall the OS on any PC from any OEM.

  • +1

    I would always boot with an Ubuntu USB into trial mode and delete all partitions on the disk.

    Or make yourself a ShredOS USB and wipe the disk.

    Either way, properly wipe the disk and reinstall whatever you want.

  • +2

    You should probably comment this on the recent deals, so anyone who is subscribed will get notified.

  • How do you retrieve the windows product key? Don't you have to use CMD or view the registry in the oem system?

  • -1

    I have just ordered a Kamrui N100 from the deal that was posted yesterday. In advance of it arriving I have downloaded Ghost Spectre which I will use as the OS.

    I never knew about that OS but boy is it lean and cuts out so much of MS's bloat. Highly recommended if you like to tinker and want something that makes your PC even more efficient.

    I am sure there are cons to the OS but for my use case as a mini gaming PC in my Sharpin virtual pinball table, I think it will be awesome. (replacing an old android box that the sharpin came with originally).

  • as above, How do you retrieve the windows product key so we can reinstall Windows on the KAMRUI?

    • +1

      I don't know if Produkey still works (Microsoft keeps breaking its functionality with every update) but I did not need to back up my Windows key. After wiping the SSD clean and starting a fresh install of Windows, it activated itself once I logged in.

      The OEM license key is tied to the hardware and is embedded into the BIOS, and should automatically activate once connected to the internet; it is not entirely necessary to extract or back up the key.
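You can confirm the commenter's point before wiping rather than taking it on trust. The script below is an added example, not the commenter's code: it reads the OEM key that Windows Setup picks up from firmware (the MSDM ACPI table) via the `SoftwareLicensingService` WMI class, and reports the edition, key channel and licence status of the installed Windows from `SoftwareLicensingProduct`. A `ProductKeyChannel` of `OEM:DM` means the current activation already came from that firmware key, which is exactly why a clean install activates by itself. The Windows application ID GUID is the standard one the Software Licensing service uses for Windows itself; treating it as fixed is an assumption of this example. Only the last five characters of the installed key are exposed, so the comparison is on those.

```powershell
# Read the OEM product key embedded in firmware and compare it with the
# activation state of the installed Windows. Added example; not the commenter's code.
# Assumption: this GUID is the Software Licensing application ID for Windows itself.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-FirmwareProductKey {
    # Empty on machines with no OEM key in the MSDM ACPI table.
    (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
}

function Get-ActivationState {
    $filter = "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL"
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter | ForEach-Object {
        $status = $_.LicenseStatus
        $text = switch ($status) {
            0 { 'Unlicensed' }  1 { 'Licensed' }        2 { 'OOBGrace' }
            3 { 'OOTGrace' }    4 { 'NonGenuineGrace' } 5 { 'Notification' }
            6 { 'ExtendedGrace' }
            default { "Unknown($status)" }
        }
        [pscustomobject]@{
            Edition       = $_.Name
            Channel       = $_.ProductKeyChannel     # e.g. OEM:DM for a firmware key
            LastFiveOfKey = $_.PartialProductKey
            LicenseStatus = $text
        }
    }
}

$fwKey = Get-FirmwareProductKey
if ([string]::IsNullOrEmpty($fwKey)) {
    Write-Host 'No OEM key in firmware: expect to supply a key after a clean install.'
} else {
    # Print only the tail so the full key does not end up in a screenshot or log.
    Write-Host "Firmware OEM key ends in: $($fwKey.Substring($fwKey.Length - 5))"
}

$state = Get-ActivationState
$state | Format-List
if ($fwKey -and $state.LastFiveOfKey -eq $fwKey.Substring($fwKey.Length - 5)) {
    Write-Host 'Installed key matches the firmware key: a clean install will re-activate from firmware.'
}
```

If the firmware key is present but the installed edition does not match it (say, a Pro install on a Home firmware key), a clean install will activate as the firmware's edition, not the one the vendor image shipped, so note the edition before you wipe.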
