A dodgy Windows 11 installer has been making the rounds on Discord. Unfortunately for those Discord users who tried to get Microsoft’s new OS onto their computers, the Windows 11 installer turned out to be malware. It’s annoyingly good timing on the attacker’s part, as many are now taking the dive into Microsoft’s latest and greatest OS which released last October.
The attackers made a website that, on the surface, seems like the legitimate Windows 11 download page. It’s complete with the usual things you’d expect to see on the regular site. But, HP’s threat research team analyzed the site and discovered it was being used to distribute RedLine Stealer. This is malware that attempts to steal a user’s personal information, passwords, and more.
Malware disguised as a Windows 11 installer
The name of the installer is “Windows11InstallationAssistant.zip,” and it’s only 1.5MB in size when compressed. The file itself was hosted on Discord’s content delivery network. When unpacked, the folder holds several DLL files alongside the executable file, which is the real problem. The executable is 753 MB in size, and as HP’s threat research team pointed out, is one of the most alarming things. The compression ratio for the file is 99.8%, which is incredibly high. Suspiciously so, since the average compression ratio for zipped executables is 47%. The results indicate that the malicious executable “likely contains padding that is extremely compressible.”
(Image credit: HP Wolf Security).
According to HP’s threat research team, the domain for the malicious website was registered on January 27. This was the day after the final phase of the Windows 11 upgrade was announced, which was strange timing indeed. The newness of the domain’s registration was one of the major tip-offs that this site was illegitimate. But, due to the timing of its appearance, it managed to lure some users in.
Discord tends to be a place where a lot of illegitimate files are shared. This is mainly due to the VoIP service’s popularity and how easy it is to share and download files. It isn’t inherently Discord’s fault as a platform, and it would be hard to police this sort of thing without affecting every user in a potentially negative way. Unfortunately, this double-edged sword makes it an easy target for attackers intent on stealing user data.
The fake Windows 11 installer that harbored malware makes for a good lesson in staying safe on the internet, even within the confines of Discord’s network. The bottom line here is to stay away from random download sources on the internet. It’s always going to be a risk, and it’s one that’s never worth taking. Wait for Windows 11 to support your PC officially and be sure to only use Microsoft’s official means of getting it.
