A dodgy Windows 11 installer has been making the rounds on Discord. Unfortunately for those Discord users who tried to get Microsoft’s new OS onto their computers, the Windows 11 installer turned out to be malware. It’s annoyingly good timing on the attacker’s part, as many are now taking the dive into Microsoft’s latest and greatest OS which released last October.
The attackers made a website that, on the surface, looks like the legitimate Windows 11 download page, complete with the usual things you’d expect to see on the real site. But HP’s threat research team analyzed the site and discovered it was being used to distribute RedLine Stealer, malware that attempts to steal a user’s personal information, passwords, and more.
The name of the installer is “Windows11InstallationAssistant.zip,” and it’s only 1.5 MB in size when compressed. The file itself was hosted on Discord’s content delivery network. When unpacked, the folder holds several DLL files alongside the executable file, which is the real problem. The executable is 753 MB in size, which, as HP’s threat research team pointed out, is one of the most alarming things about it. The compression ratio for the file is 99.8%, which is incredibly high. Suspiciously so, since the average compression ratio for zipped executables is 47%. The results indicate that the malicious executable “likely contains padding that is extremely compressible.”
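The padding described above leaves a measurable trace in the archive's own metadata: each ZIP entry records both its stored and compressed sizes. The following check, an added example and not HP's or the article's code, builds a constructed archive containing a zero-padded "executable" and an incompressible DLL, then flags executable entries whose compression ratio is far above the 47% norm cited above (the 95% threshold, 1 MB minimum size and file names are assumptions).

```python
import io
import random
import zipfile

# Constructed sample archive (NOT the real Windows11InstallationAssistant.zip):
# a small "MZ" header followed by megabytes of zero padding, plus a DLL made
# of pseudo-random bytes that deflate cannot shrink.
def build_sample_archive() -> bytes:
    rng = random.Random(0)
    noise = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    padded_exe = b"MZ" + noise[:2048] + b"\x00" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", padded_exe)
        zf.writestr("helper.dll", noise)
    return buf.getvalue()

def compression_ratio(info: zipfile.ZipInfo) -> float:
    # Fraction of the original size removed by compression: 0.47 is the
    # typical figure for executables, 0.998 was the malicious sample.
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size

def flag_padded_entries(zip_bytes: bytes, ratio_threshold: float = 0.95,
                        min_size: int = 1024 * 1024,
                        suffixes=(".exe", ".dll", ".scr")) -> list:
    # Returns (name, stored_size, compressed_size, ratio) for every large
    # executable entry that compresses suspiciously well, without extracting it.
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = compression_ratio(info)
            if (info.filename.lower().endswith(suffixes)
                    and info.file_size >= min_size
                    and ratio >= ratio_threshold):
                findings.append((info.filename, info.file_size,
                                 info.compress_size, ratio))
    return findings

if __name__ == "__main__":
    for name, size, csize, ratio in flag_padded_entries(build_sample_archive()):
        print(f"{name}: {size} -> {csize} bytes, ratio {ratio:.3%}")
```

Because the check reads only the central directory, it can run on an archive before anything is extracted, which is where a mail or download gateway would want it.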
(Image credit: HP Wolf Security).
According to HP’s threat research team, the domain for the malicious website was registered on January 27. This was the day after the final phase of the Windows 11 upgrade was announced, which was strange timing indeed. The newness of the domain’s registration was one of the major tip-offs that
Read more on pcinvasion.com