Malware that looks like the Windows 11 installer and is hosted on Discord


If you are looking for a way around Microsoft’s Windows 11 system requirements, do not simply visit a random website and download an installer. As was to be expected, scammers have already put a fake Windows 11 installer online, and it infects victims’ computers with malware while they believe they are installing the latest operating system.

HP’s threat research team recently investigated a website with the domain name windows-upgraded[dot]com and discovered that it was distributing RedLine Stealer, a piece of malware built to steal user information.

In the screenshot provided by HP (I do not recommend visiting the site yourself), the website appears to be a mirror replica of Microsoft’s own Windows 11 download page. Beneath the “Get Windows 11” banner, however, the “Download Now” button directs users to a malware installer stored on Discord’s content delivery network (CDN).

The installer is called Windows11InstallationAssistant.zip, and it is only 1.5MB in size when compressed. It consists of six Windows dynamic link libraries (DLLs), an XML file, and a portable executable file. Once uncompressed, the file has a size of 753MB, which already hints at its bad intentions.

Because the zip file is just 1.5 MB when compressed, it has a remarkable compression ratio of 99.8 percent, according to HP’s research team. “This is a significant increase over the average zip compression ratio for executables, which is 47 percent on average. In order to achieve such a high compression ratio, it is likely that the executable contains padding that is particularly compressible in nature. It’s easy to see this padding when looking at it in a code editor.”

The padding consists of a long run of 0x30 bytes and has no effect on the functioning of the file. HP suggested that its purpose is to inflate the file: anti-virus software may not attempt to scan a file of that size, or may not scan all of it, so the padding helps the malware avoid detection.
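The two indicators HP describes, an archive ratio far above the executable baseline and a member dominated by one repeated byte, are easy to check on a suspicious download before it is ever executed. The script below is an added example, not HP’s tooling or code from the article; it builds a constructed zip (2 KiB of pseudo-random bytes standing in for code, followed by 0x30 padding, not a real executable) and then triages it. The thresholds and the sample sizes are assumptions chosen for illustration, not numbers from the report.

```python
import io
import re
import zipfile
from random import Random

# HP's baseline: executables usually zip to about 47 percent; the fake
# installer reached 99.8 percent. The two thresholds below are assumptions
# for this example, not HP's figures.
RATIO_THRESHOLD = 0.95      # flag archives that shrink by more than this
DOMINANT_THRESHOLD = 0.90   # flag members where one byte value is >90% of the file


def build_sample_zip(padding_len: int, seed: int = 7) -> bytes:
    """Constructed sample archive: 2 KiB of incompressible pseudo-random bytes
    followed by padding_len bytes of 0x30, the padding byte HP observed.
    This is NOT a real PE file; it only reproduces the size/ratio pattern."""
    body = Random(seed).randbytes(2048) + b"\x30" * padding_len
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", body)
    return buf.getvalue()


def compression_ratio(zip_bytes: bytes) -> float:
    """Space saved across all members (1 - compressed/uncompressed), taken
    from the central directory so nothing has to be inflated to compute it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        uncompressed = sum(i.file_size for i in zf.infolist())
        compressed = sum(i.compress_size for i in zf.infolist())
    return 0.0 if uncompressed == 0 else 1.0 - compressed / uncompressed


def dominant_byte(data: bytes) -> tuple[int, float]:
    """Return (byte_value, fraction) for the most frequent byte value.
    bytes.count runs in C, so 256 passes are still fast on multi-MiB input."""
    counts = {b: data.count(bytes([b])) for b in range(256)}
    byte_value = max(counts, key=counts.get)
    return byte_value, counts[byte_value] / len(data)


def longest_run_of(data: bytes, byte_value: int) -> int:
    """Length of the longest contiguous run of byte_value (padding shows up
    as one huge run rather than the value being scattered through the file)."""
    pattern = re.compile(re.escape(bytes([byte_value])) + rb"+")
    return max((m.end() - m.start() for m in pattern.finditer(data)), default=0)


def triage(zip_bytes: bytes) -> dict:
    """Combine the archive-level and member-level checks into one verdict."""
    ratio = compression_ratio(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        largest = max(zf.infolist(), key=lambda i: i.file_size)
        data = zf.read(largest)
    byte_value, fraction = dominant_byte(data)
    return {
        "ratio": ratio,
        "largest_member": largest.filename,
        "uncompressed_size": largest.file_size,
        "dominant_byte": byte_value,
        "dominant_fraction": fraction,
        "longest_run": longest_run_of(data, byte_value),
        "suspicious": ratio > RATIO_THRESHOLD and fraction > DOMINANT_THRESHOLD,
    }


if __name__ == "__main__":
    # 4 MiB of padding is enough to show the effect without a 753 MB file.
    for label, padding in (("padded", 4 * 1024 * 1024), ("unpadded", 0)):
        print(label, triage(build_sample_zip(padding)))
```

The ratio alone is not proof of anything (a zip of text files also compresses well), which is why the verdict also requires that a single byte value dominates the largest member; a real executable has nowhere near that skew.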

When the file is executed, it downloads and runs RedLine Stealer, which harvests user information, passwords, credit card data, and cryptocurrency wallets. Once that is done, it connects back to a fixed IP address and hands the stolen data to the attackers.


According to HP, this threat is closely comparable to another that the company investigated in 2021. In that campaign, attackers used the same spoofing approach to set up a fake Discord web page under a similar but misspelled name, tricking users into downloading a harmful installer that looked and behaved like it came from Discord. HP reports that the DNS servers, malware, and domain registrar used in that attack were the same as those used in the Windows 11 attack.

When it comes to Windows 11, there are several methods for downloading it safely. Microsoft is rolling out the new operating system, which was announced in October, to compatible PCs in stages. That said, not every PC will be able to run Windows 11, because of the operating system’s security-based system requirements.

For those who find themselves in this situation, with an older CPU that is not compatible with Windows 11, we do not recommend scouring the internet for a Windows 11 ISO or installer file. Alternative options include downloading and installing Windows 11 through Microsoft’s official download website, or using a Windows 11 ISO or installation media. There are caveats, however: Microsoft cannot ensure that you will receive crucial security updates on an unsupported install, so you may be left with an insecure version of the operating system.

Therefore, the best course of action in terms of security is to wait until you can upgrade your hardware. Windows 11 isn’t much of a shift from Windows 10, so you won’t be missing out on much beyond rounded corners by holding off. Even DirectStorage, one of the most anticipated gaming features in Windows 11, is expected to come to Windows 10.


Discord as both a host and a victim of malware

Last year, the security company Sophos warned that Discord had become a breeding ground for malware. According to the company’s data at the time, 4 percent of TLS-protected malware downloads originated from Discord, which gives bad actors a platform to upload files and share them with others. Given the platform’s popularity with gamers, they are expected to be prime targets for malware distributed through the service.

Discord is not the only platform capable of hosting malicious files; any platform that hosts user-generated content can be abused. Unfortunately, Discord, the popular VoIP service, has grown in popularity and scope to the point that it has become a target both for attackers trying to abuse its millions of users and for those looking to exploit its content delivery network (CDN) to host malware files.

Recently, security researchers at RiskIQ, which is owned by Microsoft, detailed how Discord’s content delivery network (CDN) can be, and has been, used to host many kinds of malware.

According to the research, a URL of the form hxxps://cdn.discordapp[.]com/attachments/ChannelID/AttachmentID/filename is a frequent way for attackers to get malware onto victims’ systems. Once such a URL exists, an attacker can redirect a user from another, more legitimate-looking URL to the malicious file hosted on Discord.
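Because the attachment URL shape is so regular, it is a cheap thing to hunt for in proxy or DNS logs. The script below is an added example, not RiskIQ’s or Discord’s code: it matches that URL pattern, pulls out the channel and attachment IDs and the filename, and flags filenames with extensions that deserve a closer look. It also undoes common IoC defanging (hxxps, [.]) so a URL pasted from a report matches the same rule as a live log line. The log lines, client IPs, and IDs are constructed placeholders, and the list of risky extensions is an assumption for this example.

```python
import os
import re
from typing import Optional

# URL shape from the RiskIQ write-up cited in the article:
# https://cdn.discordapp.com/attachments/<ChannelID>/<AttachmentID>/<filename>
DISCORD_CDN_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/"
    r"(?P<channel_id>\d+)/(?P<attachment_id>\d+)/(?P<filename>[^\s\"'<>?#]+)",
    re.IGNORECASE,
)

# Extensions worth a second look when served from a chat CDN (assumption).
RISKY_EXTENSIONS = {".exe", ".zip", ".msi", ".scr", ".bat", ".js", ".dll",
                    ".iso", ".rar", ".7z"}


def refang(text: str) -> str:
    """Undo the usual defanging so URLs copied from reports or tickets
    (hxxps://example[.]com) match the same pattern as live proxy logs."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_discord_cdn_url(text: str) -> Optional[dict]:
    """Return the parsed attachment URL found in text, or None if there is none."""
    m = DISCORD_CDN_RE.search(refang(text))
    if not m:
        return None
    info = m.groupdict()
    info["extension"] = os.path.splitext(info["filename"].lower())[1]
    info["risky"] = info["extension"] in RISKY_EXTENSIONS
    return info


def scan_log_lines(lines) -> list:
    """Run the parser over each log line and collect hits with their line numbers."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        info = parse_discord_cdn_url(line)
        if info:
            info["line"] = lineno
            hits.append(info)
    return hits


# Constructed sample input. Client IPs, channel IDs and attachment IDs are
# placeholders made up for this example, not observed values.
SAMPLE_LOG = [
    "2022-02-10T09:14:02Z proxy client=10.0.0.12 GET https://www.example.com/index.html 200",
    "2022-02-10T09:14:33Z proxy client=10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Windows11InstallationAssistant.zip 200",
    "2022-02-10T09:15:01Z proxy client=10.0.0.45 GET https://cdn.discordapp.com/attachments/333333333333333333/444444444444444444/holiday_photo.png 200",
    "ticket #1 (constructed): user reports link hxxps://cdn.discordapp[.]com/attachments/555555555555555555/666666666666666666/setup.exe",
]


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        flag = "RISKY" if hit["risky"] else "ok"
        print(f"line {hit['line']}: {flag} {hit['filename']} "
              f"(channel {hit['channel_id']}, attachment {hit['attachment_id']})")
```

The attachment ID is the useful pivot: the same ID reappears wherever the link is shared, so one hit in the proxy log can be turned into a search across mail, chat, and ticketing data without blocking the CDN as a whole.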

One of the most common types RiskIQ detected was malware disguised as a legitimate application or download, such as the Windows 11 installer mentioned above. In total, it found evidence of 27 distinct kinds of malware hosted on Discord’s content delivery network (CDN).

Furthermore, scammers recently took over an NFT service’s vanity URL on Discord and pointed it at their own fake Discord server, posing as the NFT service itself. The problem was that CryptoBatz changed its Discord URL without updating all of its earlier social media posts to reflect the change, and the scammers then claimed the old URL as their own. The scammers may have made as much as $40,000 from that one incident.

Security researchers do their part by reporting these problems to Discord, and Discord is doing what it can to combat malware on its platform. However, where one door closes, another opens. This has been true since the invention of the computer, so we recommend following established practices and exercising caution with unfamiliar websites and downloads. It now appears that the same caution should be applied to links shared in Discord servers.
