Malware hosted on Discord masquerading as a Windows 11 installer
If you’re looking for a way to circumvent Microsoft’s Windows 11 system requirements, don’t hit any old website and download the installer. Unsurprisingly, criminals have loaded a fake Windows 11 installer on the web and installed malware onto users’ PCs while they were trying to install the latest operating system.
A website called windows-upgraded[dot]com was recently analyzed by HP’s Threat Research Team, which discovered that it was trying to distribute RedLine Stealer, a malware family designed to steal user information.
The website, pictured below (which I don’t recommend visiting in person), looks like a mirror of Microsoft’s own Windows 11 installer website. However, beneath the “Get Windows 11” banner, a button labeled “Download Now” leads to a dodgy installer hosted on Discord’s Content Delivery Network (CDN).
The installer is called Windows11InstallationAssistant.zip and is only 1.5MB after compression. It contains six Windows DLLs, an XML file, and a portable executable. Unzipped, it expands to 753MB, and that size difference holds some clues about its intentions.
“Since the compressed size of the zip file is only 1.5 MB, this means it has an impressive 99.8 percent compression ratio,” said the HP researchers. “This is far greater than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable may contain extremely compressible padding. Looking in a hex editor, this is easy to spot.”
The padding is a long run of 0x30 bytes and has no effect on the operation of the file. HP suggests it may also be a way to circumvent antivirus scans, since some scanners do not attempt to fully scan files of this size.
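The two tells described above, an implausibly high compression ratio and a payload made almost entirely of one byte value, can be checked before an archive is ever extracted. The following is an added example (not HP's tooling) that scans a zip in memory; the thresholds and the padded sample archive are assumptions constructed for the demonstration.

```python
"""Flag zip members whose compression ratio or byte distribution suggests
padding, as in the 1.5 MB -> 753 MB Windows11InstallationAssistant.zip case."""
import io
import zipfile
from collections import Counter

# Assumed thresholds; HP quotes ~47% as the average ratio for executables.
RATIO_THRESHOLD = 0.95    # fraction of the uncompressed size saved
PADDING_THRESHOLD = 0.90  # fraction of the member made of one byte value

def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Space saved by compression, 0.0 (none) to 1.0 (everything)."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size

def padding_fraction(data: bytes) -> tuple:
    """Most common byte value and the fraction of the payload it occupies."""
    if not data:
        return 0, 0.0
    value, count = Counter(data).most_common(1)[0]
    return value, count / len(data)

def scan_zip(zip_bytes: bytes) -> list:
    """Return one finding per member that trips either threshold."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = compression_ratio(info)
            byte, frac = padding_fraction(zf.read(info))
            if ratio >= RATIO_THRESHOLD or frac >= PADDING_THRESHOLD:
                findings.append({"name": info.filename, "ratio": round(ratio, 3),
                                 "pad_byte": byte, "pad_fraction": round(frac, 3)})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a PE-like stub followed by 2 MB of 0x30 padding,
    plus a small XML file with ordinary compressibility."""
    padded_exe = b"MZ" + b"\x90" * 200 + b"\x30" * 2_000_000
    xml = b"<?xml version='1.0'?><assistant><build>22000</build></assistant>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", padded_exe)
        zf.writestr("config.xml", xml)
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports only the padded executable, with a ratio above 0.99 and 0x30 as the dominant byte, while the XML member stays under both thresholds.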
When the file runs, it downloads and executes the RedLine Stealer malware, which attempts to steal user information, passwords, credit card details, and cryptocurrency wallets. It then contacts an attacker-controlled IP address and sends this information back to the attacker.
As HP points out, this is also similar to another attack it analyzed in 2021. Attackers used a similar deception technique, setting up a fake Discord web page with a closely related but misspelled name to trick users into downloading a dangerous installer posing as Discord’s own. HP noted that the attack used the same DNS servers, malware and domain registrar as the Windows 11 campaign.
As for Windows 11, there are ways to download it safely. Microsoft is gradually releasing its new operating system to compatible PCs in October. That said, not every PC will be offered Windows 11, because of the security-based system requirements the OS relies on.
If you’re in this boat, with an older CPU that isn’t compatible with Windows 11, we don’t recommend searching the web for ISOs or installers. Instead, you can install the operating system from Microsoft’s official download page using the Windows 11 ISO or installation media. However, there are some concerns here. Microsoft does not guarantee that you will receive critical updates in this way, and you may be left with an unsafe version of the operating system.
To be on the safe side, your best bet is to sit back until you upgrade your hardware. In fact, Windows 11 isn’t that different from Windows 10, so you won’t miss much beyond rounded corners. Even Windows 11’s upcoming headline gaming feature, DirectStorage, is coming to Windows 10.
Discord as a target and host for malware
Security firm Sophos warned last year that Discord has become a hub for malware. At the time, it recorded that 4% of TLS-protected malware downloads came from Discord, because the service gives bad actors an easy way to upload files and share them with others. Given the platform’s popularity, gamers are expected to be the main targets of malware on the service.
Discord isn’t the only company that can end up hosting bad files; any platform with user-generated content can be abused. As it happens, the popularity and reach of the VoIP service Discord have grown so much that it is a target both for attackers looking to take advantage of its millions of users and for those who want to use its CDN to host malware files.
Recently, security researchers at Microsoft-owned RiskIQ outlined how Discord’s CDN can be, and has been, used to host various types of malware.
It reports that a common method for attackers to spread such malware onto users’ computers is by linking to a Discord URL in the following format: hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown). An attacker can then point to this URL from another, more legitimate-looking URL, redirecting users to the Discord-hosted file.
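Because the attachment path has the fixed shape shown above, downloads from it are easy to pull out of web proxy logs and to cross-check against where the user came from. The following is an added example (not RiskIQ's or Discord's code); the log layout, the sample lines and the channel/attachment IDs are constructed for the demonstration.

```python
"""Extract Discord CDN attachment downloads from proxy logs and flag those
referred from a non-Discord page, the redirect pattern described above.
The log layout and sample lines are constructed for this example."""
import re
from urllib.parse import urlsplit

# Attachment URL format from the article: /attachments/{ChannelID}/{AttachmentID}/<file>
DISCORD_CDN_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/(\d+)/(\d+)/([^\s\"'?#]+)", re.I)
DISCORD_HOSTS = ("discord.com", "discordapp.com")

def refang(text: str) -> str:
    """Undo common defanging so indicators pasted from reports still match."""
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("[dot]", ".")):
        text = text.replace(old, new)
    return text

def is_discord_host(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS)

def find_discord_attachments(log_lines):
    """Constructed layout per line: <ts> <client> <method> <url> <status> <referer>."""
    hits = []
    for line in log_lines:
        fields = refang(line).split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than crash
        m = DISCORD_CDN_RE.fullmatch(fields[3])
        if not m:
            continue
        referer = fields[5]
        hits.append({
            "client": fields[1], "channel_id": m.group(1),
            "attachment_id": m.group(2), "filename": m.group(3),
            "referer": referer,
            "external_referer": referer != "-" and not is_discord_host(referer),
        })
    return hits

SAMPLE_LOG = [  # constructed lines; the IDs are made up
    "2022-02-08T10:14:03Z 10.0.0.12 GET hxxps://cdn.discordapp[.]com/attachments/"
    "123456789012345678/987654321098765432/Windows11InstallationAssistant.zip"
    " 200 https://windows-upgraded.com/",
    "2022-02-08T10:15:41Z 10.0.0.20 GET https://cdn.discordapp.com/attachments/"
    "111111111111111111/222222222222222222/screenshot.png 200 https://discord.com/channels/1/2",
    "2022-02-08T10:16:02Z 10.0.0.31 GET https://www.microsoft.com/software-download/windows11 200 -",
]
```

`find_discord_attachments(SAMPLE_LOG)` returns two hits; only the first, referred from the look-alike site rather than from Discord itself, is marked `external_referer`.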
The most common type of malware found by RiskIQ is Trojans, which imitate the appearance or the download flow of real applications, as with the Windows 11 installer described above. In total, it found evidence of 27 unique malware types hosted on Discord’s CDN.
It’s not just outright malware that is a threat: scammers recently took over vanity URLs for NFT services on Discord and redirected them to their own scam Discord servers. The problem here is that CryptoBatz changed its Discord URL without updating all of the links it had posted on social media to reflect the change, so scammers claimed the old URL as their own. From this mess alone, the scammers could have made as much as $40,000.
Security researchers are doing their part to report these issues to Discord, and while Discord is trying to eliminate the malware as best it can, as one door closes another opens. This has been the case since the advent of computers, and we recommend sticking to the age-old advice of being wary of unofficial sites and downloads. The same caution now seems warranted for links shared in Discord servers.