Devious Malware On Discord Pretends To Be Home Windows 11 Installer  

A malicious Windows 11 installer has been discovered that steals personal data for criminals. Attackers have posted a fake Windows 11 installer on the Internet and are infecting the computers of people who use it to try to install the latest operating system.

The website looks like a mirror of Microsoft’s own Windows 11 download page. However, the “Download Now” button beneath the “Get Windows 11” banner links to a rogue installer hosted on Discord’s content delivery network (CDN).

The installer is named Windows11InstallationAssistant.zip and is only 1.5MB compressed. It contains six Windows DLLs, an XML file, and a portable executable. Uncompressed, it expands to 753MB, and that size is itself a clue to its malicious purpose.

So, if you want to get around Microsoft’s Windows 11 system requirements, don’t just download an installer from any random website.

HP Researchers had the following to say:

Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible. Viewed in a hex editor, this padding is easily spotted.


The padding consists of a long series of 0x30 bytes and does not affect how the file executes. According to HP, it is likely also a technique for getting around anti-virus scanners, which may not fully check a file of this size.
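The two properties HP describes, an implausibly high zip compression ratio and a long run of a single padding byte, are both cheap to measure before anything is executed. The script below is an added example for this page, not HP's tooling or anything shipped with the malware: it builds a scaled-down stand-in archive in memory (a 4KB fake "executable" plus 1MB of 0x30 padding, rather than 753MB), then reports each member's deflate ratio, its longest single-byte run, and a verdict. The 95% ratio threshold, the 64KB run threshold and the sample member name are assumptions chosen for the demo.

```python
"""Added example: flag zip members inflated with highly compressible padding.

The sample archive is constructed in memory as a scaled-down stand-in for the
753MB installer; thresholds are demo assumptions, not values from HP's report.
"""
import hashlib
import io
import zipfile
from itertools import groupby

PAD_BYTE = 0x30        # the padding byte HP observed in the real sample
PAD_LEN = 1_000_000    # scaled-down stand-in for hundreds of MB of padding


def _pseudo_random(n, seed=b"stub"):
    """Deterministic, incompressible filler standing in for real code and data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-in for a small executable: MZ header plus incompressible bytes.
FAKE_EXE = b"MZ" + _pseudo_random(4094)


def build_sample_zip(padded):
    """Build an in-memory zip with one 'installer' member, with or without 0x30 padding."""
    body = FAKE_EXE + (bytes([PAD_BYTE]) * PAD_LEN if padded else b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", body)  # assumed member name
    return buf.getvalue()


def longest_run(data):
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best_byte, best_len = -1, 0
    for byte, group in groupby(data):
        n = sum(1 for _ in group)
        if n > best_len:
            best_byte, best_len = byte, n
    return best_byte, best_len


def analyze_zip(zip_bytes, ratio_threshold=0.95, run_threshold=64 * 1024):
    """Per member: deflate ratio (1 - compressed/uncompressed), longest byte run, verdict.

    HP cites roughly 47% as a typical ratio for executables; the real sample's
    1.5MB/753MB works out to 99.8%. The thresholds here are demo assumptions.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size == 0:
                continue
            ratio = 1 - info.compress_size / info.file_size
            run_byte, run_len = longest_run(zf.read(info))
            findings.append({
                "name": info.filename,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "ratio": round(ratio, 4),
                "run_byte": run_byte,
                "run_len": run_len,
                "suspicious": ratio >= ratio_threshold or run_len >= run_threshold,
            })
    return findings


if __name__ == "__main__":
    for label, sample in (("padded", build_sample_zip(True)),
                          ("unpadded", build_sample_zip(False))):
        for finding in analyze_zip(sample):
            print(label, finding)
```

Reading the ratio and the run from the central directory and member data means a scanner can raise the flag without expanding the whole 753MB to disk; on a real sample, point `analyze_zip` at the archive's bytes and drop the padding-only member into a sandbox rather than a desktop.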

When run, the file downloads and executes the RedLine Stealer malware, which attempts to steal user information, passwords, credit card details, and cryptocurrency wallets. It then calls home to a remote IP address and sends the stolen data to the attackers.

As HP points out, this attack resembles one it investigated in 2021. In that campaign, attackers set up a Discord lookalike page with a closely related but misspelled domain name to trick users into downloading a malicious installer posing as Discord’s own. According to HP, that campaign used the same DNS servers, malware, and domain registrar as the fake Windows 11 installer.

When it comes to Windows 11, there are a few ways to download it safely. Microsoft is progressively rolling out the new operating system, which was released in October, to compatible PCs. Not every PC can run Windows 11, however, because of the OS’s security-related system requirements.

If you’re in that situation and your CPU isn’t compatible with Windows 11, we don’t recommend hunting for an ISO or installer elsewhere on the internet. Instead, you may be able to install Windows 11 using a Windows 11 ISO or installation media from Microsoft’s official downloads page. There are caveats, however: Microsoft does not promise that a PC installed this way will keep receiving important updates, so you could end up running a version of the operating system that no longer gets security fixes.

The safest course of action is to wait until you upgrade your hardware. Windows 11 isn’t that different from Windows 10, so you’re not missing much beyond rounded corners. DirectStorage, Windows 11’s most significant anticipated gaming feature, will also be available on Windows 10.

Last year, security firm Sophos warned that Discord had become a malware hotspot. Discord, which lets users upload files and share them with others, accounted for 4% of TLS-protected malware downloads at the time. Given the platform’s prominence among gamers, they make likely targets for malware.

Discord isn’t the only platform that can host malicious files; any platform that hosts user-generated content is open to abuse. But Discord, the popular VoIP service, has grown in popularity and scope to the point that it is targeted both by attackers preying on its millions of users and by those looking to abuse its CDN for hosting malware.

According to security researchers at Microsoft-owned RiskIQ, Discord’s CDN can be, and has been, abused to host many kinds of malware.

RiskIQ says a typical way for attackers to get malware onto users’ machines is a link to a Discord domain in the format hxxps://cdn.discordapp[.]com/attachments/ChannelID/AttachmentID/filename. An attacker can then redirect a user from a more legitimate-looking URL to the malicious file hosted on Discord’s CDN.
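Because the attachment URL shape RiskIQ describes is so regular (host, then `/attachments/<ChannelID>/<AttachmentID>/<filename>`), it is easy to hunt for in page source, proxy logs or threat-intel feeds. The following is an added example written for this page, not RiskIQ's or Discord's code: it extracts every Discord CDN attachment link from a block of text, accepts defanged indicators (`hxxps`, `[.]`) as well as live URLs, splits out the channel and attachment IDs, and marks filenames with executable or archive extensions. The sample text, the eighteen-digit placeholder IDs and the extension list are all constructed for the demo.

```python
"""Added example: pull Discord CDN attachment links out of page source or logs.

URL shape per RiskIQ: cdn.discordapp.com/attachments/<ChannelID>/<AttachmentID>/<filename>.
Sample inputs, placeholder IDs and the risky-extension list are demo assumptions.
"""
import os
import re
from urllib.parse import urlsplit

DISCORD_CDN_HOST = "cdn.discordapp.com"
# Extensions that deserve a second look when served from a chat CDN (assumed demo list).
RISKY_EXT = {".exe", ".zip", ".msi", ".scr", ".dll", ".iso", ".js", ".bat", ".ps1"}

URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>)]+", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")


def refang(url):
    """Turn defanged indicators (hxxps, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def find_discord_attachments(text):
    """Return one record per Discord CDN attachment link found in text, in order."""
    hits = []
    for match in URL_RE.finditer(text):
        url = refang(match.group(0))
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != DISCORD_CDN_HOST:
            continue
        attachment = ATTACHMENT_RE.match(parts.path)
        if not attachment:
            continue  # some other path on the CDN, not an attachment link
        channel_id, attachment_id, filename = attachment.groups()
        ext = os.path.splitext(filename)[1].lower()
        hits.append({
            "url": url,
            "channel_id": channel_id,
            "attachment_id": attachment_id,
            "filename": filename,
            "risky": ext in RISKY_EXT,
        })
    return hits


# Constructed sample: a snippet of a spoofed download page, a defanged IOC, a benign
# image attachment, and a non-Discord link. The numeric IDs are placeholders.
SAMPLE = """
<a href="https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Windows11InstallationAssistant.zip">Download Now</a>
hxxps://cdn.discordapp[.]com/attachments/333333333333333333/444444444444444444/update.exe
<img src="https://cdn.discordapp.com/attachments/555555555555555555/666666666666666666/screenshot.png">
<a href="https://www.microsoft.com/software-download/windows11">Official download page</a>
"""

if __name__ == "__main__":
    for hit in find_discord_attachments(SAMPLE):
        print(hit)
```

The channel and attachment IDs are the useful pivot: a proxy or DNS log that shows a browser fetching an `/attachments/` URL with an executable or archive filename from a page that is not Discord itself is exactly the redirect pattern RiskIQ describes, and the IDs let you group hits that came from the same channel.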

The most prevalent kind of malware RiskIQ found was trojans designed to imitate a legitimate app or download, much like the Windows 11 installer described above. In total, it found evidence of 27 different kinds of malware hosted on Discord’s CDN.

Scammers recently took control of an NFT provider’s vanity URL on Discord and pointed it at their own scam Discord server, posing as the NFT service. The problem was that CryptoBatz had changed its Discord URL without updating all of its previous social media posts, and the scammers then claimed the old URL as their own. The con artists may have made as much as $40,000 from this scheme.

Security experts report these concerns to Discord, and Discord is doing what it can to combat malware, but where one door closes, another opens. That has been the case since the dawn of computing, so we advise sticking to tried-and-true advice: be wary of unapproved websites and downloads. It now appears that some caution should also be exercised when following links in Discord servers.
