If you're looking for a way to circumvent Microsoft's Windows 11 system requirements, don't go clicking on any old website and downloading an installer. As you'd expect, nefarious actors have already put a fake Windows 11 installer on the web, and it installs malware on users' PCs while they think they are installing the latest OS.
A website going by the name windows-upgraded[dot]com was recently analysed by HP's threat research team, and they found it attempting to distribute RedLine Stealer, a piece of malware that sets out to steal user information.
The website, as pictured by HP below (I don't recommend you visit it personally), looks like a mirror image of Microsoft's own Windows 11 installer website. However, beneath the "Get Windows 11" banner, the button labelled "Download Now" leads to a dodgy installer hosted on Discord's content delivery network (CDN).
The installer is called Windows11InstallationAssistant.zip, and it is only 1.5MB compressed. It contains six Windows DLLs, an XML file, and a portable executable. Once uncompressed, the contents weigh in at 753MB, and therein lies a clue to its nefarious intent.
"Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%," HP researchers say. "This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible. Viewed in a hex editor, this padding is easily spotted."
The padding is a long run of 0x30 bytes and has no effect on how the file runs. HP suggests it may also be there to circumvent anti-virus scans, as these may not attempt to
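The two indicators HP describes (an unusually high zip compression ratio and a long run of one repeated byte) can be checked before anything is extracted. The following is an added example, not HP's tooling or code from the article; the archive it inspects is a constructed sample with a small pseudo-random body followed by 2 MB of 0x30 padding, and the thresholds are assumptions chosen for the demonstration.

```python
import io
import random
import re
import zipfile

# Assumed thresholds: the article's sample compressed 99.8% versus ~47% for a
# typical executable, and its padding was one long run of 0x30 bytes.
RATIO_THRESHOLD = 0.95       # 1 - compressed/uncompressed
MIN_RUN = 64 * 1024          # shortest single-byte run worth reporting
_RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)


def compression_ratio(info):
    """Fraction of a zip member's size removed by compression."""
    return 0.0 if info.file_size == 0 else 1.0 - info.compress_size / info.file_size


def padding_runs(data):
    """Return (byte_value, length) for every run of one repeated byte >= MIN_RUN."""
    return [(m.group(1)[0], m.end() - m.start()) for m in _RUN_RE.finditer(data)]


def inspect_zip(blob):
    """Inspect an in-memory zip and return findings per member.

    Members are only inflated and scanned for padding when their compression
    ratio already exceeds the threshold, so normal archives stay cheap to check.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ratio = compression_ratio(info)
            runs = padding_runs(zf.read(info)) if ratio >= RATIO_THRESHOLD else []
            findings[info.filename] = {
                "ratio": round(ratio, 4),
                "suspicious": ratio >= RATIO_THRESHOLD and bool(runs),
                "runs": runs,
            }
    return findings


def build_sample():
    """Constructed sample archive (not the real installer): a 4 KB
    pseudo-random 'executable' body followed by 2 MB of 0x30 padding."""
    body = b"MZ" + random.Random(7).randbytes(4096) + b"\x30" * 2_000_000
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("padded_sample.exe", body)
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in inspect_zip(build_sample()).items():
        print(name, finding)
```

On a real archive, read the file bytes and pass them to `inspect_zip`; a member flagged suspicious has both the anomalous ratio and at least one padding run, which is a stronger signal than either alone.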
Read more on pcgamer.com