If you're looking for a way to get around Microsoft's Windows 11 system requirements, don't go clicking on any old website and downloading an installer. Predictably, criminals have already put a fake Windows 11 installer on the web and are installing malware on users' PCs while those users think they are installing the latest OS.
A website going by the name windows-upgraded[dot]com was recently analysed by HP's threat research team, who found it attempting to distribute RedLine Stealer, a piece of malware built to steal user information.
The website, as pictured by HP below (I don't recommend visiting it yourself), looks like a mirror image of Microsoft's own Windows 11 download page. However, beneath the "Get Windows 11" banner, the button labelled "Download Now" leads to a malicious installer hosted on Discord's content delivery network (CDN).
The installer is named Windows11InstallationAssistant.zip, and it is only 1.5MB compressed. It contains six Windows DLLs, an XML file, and a portable executable. Once uncompressed, the archive's contents weigh in at 753MB, and therein lies a clue to its nefarious intent.
"Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%," HP researchers say. "This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible. Viewed in a hex editor, this padding is easily spotted."
The padding is a long run of 0x30 bytes and has no effect on how the file operates. HP suggests it may be there to evade anti-virus scanning, since many scanners skip, or only partially inspect, files above a certain size; a run of identical bytes costs the attacker almost nothing in the compressed download while inflating the file on disk to hundreds of megabytes.
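The two heuristics HP describes, an anomalous compression ratio and a huge run of a single byte value, are easy to automate when triaging an archive. The following script is an added example written for this article, not code from HP's report. It builds a constructed zip in memory that mimics the described layout (a few KiB of pseudo-random bytes standing in for real code, followed by 2 MiB of 0x30 padding, plus a small XML file for contrast) and applies both checks to every entry. The thresholds, file names and sample contents are this example's assumptions; HP's 47% and 99.8% figures only motivate where the ratio cut-off sits.

```python
"""Triage heuristics for a suspicious zip: compression ratio and byte padding.

Added example for this article, not HP's code. The zip it inspects is
constructed here to mimic the described pattern; no real sample is used.
"""
import io
import random
import zipfile
from itertools import groupby

# Assumed thresholds. HP quotes 47% as typical for zipped executables and
# 99.8% for the malicious sample, so anything above 90% merits a look.
RATIO_THRESHOLD = 0.90
# Assumption: a run of one byte value at least this long counts as padding.
MIN_PAD_RUN = 512 * 1024


def compression_ratio(info):
    """Fraction of the original size that compression removed (HP's 99.8%)."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size


def longest_run(data):
    """Return (byte_value, run_length) for the longest run of a single byte."""
    best = (None, 0)
    for value, group in groupby(data):
        length = sum(1 for _ in group)
        if length > best[1]:
            best = (value, length)
    return best


def triage_zip(zip_bytes):
    """Apply both heuristics to every entry of an in-memory zip.

    Returns one dict per entry with the ratio, the dominant padding byte
    (if any) and a 'suspicious' verdict requiring both signals at once.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = compression_ratio(info)
            value, run = longest_run(zf.read(info))
            padded = run >= MIN_PAD_RUN
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 4),
                "pad_byte": f"0x{value:02x}" if padded else None,
                "pad_run": run if padded else 0,
                "suspicious": ratio > RATIO_THRESHOLD and padded,
            })
    return findings


def build_constructed_sample():
    """Constructed zip mimicking the described layout (not the real sample).

    4 KiB of seeded pseudo-random bytes stand in for executable code,
    followed by 2 MiB of 0x30 padding; a tiny XML file is included so the
    contrast between a normal entry and a padded one is visible.
    """
    rng = random.Random(0)
    code = bytes(rng.getrandbits(8) for _ in range(4096))
    payload = code + b"\x30" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", payload)          # constructed name
        zf.writestr("config.xml", b"<config><setting>1</setting></config>")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_constructed_sample()):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']:<16} ratio={f['ratio']:.4f} "
              f"pad={f['pad_byte']} run={f['pad_run']} -> {verdict}")
```

Requiring both signals together matters: a legitimately sparse file (a disk image, a large zeroed database) can compress just as well, so the ratio alone is noisy, while the identity of the padding byte and its run length give an analyst something concrete to confirm in a hex editor, as HP did.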
When the file is run, it downloads and executes the RedLine Stealer malware, which attempts to steal user information, saved passwords, credit card details, and cryptocurrency wallets. It then phones home to a hard-coded IP address and sends the harvested data to the attackers.
As HP notes, this is similar to another attack it analysed in 2021. Attackers used the same spoofing technique to set up a Discord webpage with a closely related but misspelt name, tricking users into downloading a harmful installer posing as Discord's own. HP notes that this earlier campaign used the same DNS servers, malware, and domain registrar as the Windows 11 one.
As for Windows 11, there are ways to get it securely. Microsoft is rolling out the new OS, launched in October 2021, to compatible PCs gradually. That said, not every PC will be offered Windows 11, and that's down to the security-based system requirements (TPM 2.0 and a supported CPU) the OS depends on.
If you're in that boat, with an older CPU that isn't compatible with Windows 11, we don't recommend searching the web for an ISO or installer. Instead, you could install the OS via Microsoft's official downloads page, using a Windows 11 ISO or installation media. There are caveats, though. Microsoft won't guarantee that you'll receive important updates this way, and you may be left with an insecure build of your OS.
For security, then, the best thing to do is sit tight until you upgrade your hardware down the line. Windows 11 isn't much of a departure from Windows 10, really, so you're not missing out on a whole lot beyond rounded corners. Even Windows 11's biggest upcoming gaming feature, DirectStorage, is set to arrive on Windows 10.
Discord as a target and host for malware
Security firm Sophos warned last year that Discord has become a hub for malware. At the time, it recorded that 4% of TLS-protected malware downloads came from Discord, since the platform gives bad actors an easy way to upload files and share them with others. Given the platform's audience, gamers are expected to be prime targets for malware on the service.
Discord is not alone in its ability to host malicious files. Any platform that accepts user-generated content is open to abuse. It just so happens that Discord, the popular VoIP service, has grown so much in popularity and scope that it is both a target for attackers looking to exploit its millions of users and a convenient CDN for those looking for free, trusted-looking file hosting for malware.
Recently, security researchers at Microsoft-owned RiskIQ outlined how Discord's CDN can be, and has been, used to host various types of malware.
It reports that a common way for attackers to get that malware onto users' computers is by linking to a Discord domain with a URL in the format: hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown). An attacker can then link to this URL from another, more legitimate-looking page, redirecting the victim to a Discord-hosted file, and because the download is served from discordapp.com over TLS, it inherits the trust many users and filters extend to that domain.
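That URL shape is a useful hunting pattern in proxy or DNS logs, as long as the detection also looks at what was fetched. Below is an added example written for this article, not RiskIQ's or Discord's code: it refangs indicators written in the article's hxxps/[.] style, extracts the channel and attachment IDs from cdn.discordapp.com attachment URLs, and flags downloads whose final path element (the uploaded file's name in Discord's URL scheme, which the article leaves unspecified) has an extension typical of droppers and archives. The log format, IDs and file names are constructed for the example; the list of risky extensions is an assumption to tune locally.

```python
"""Find Discord CDN attachment downloads in proxy logs and flag risky ones.

Added example for this article, not code from RiskIQ or Discord. The log
lines, snowflake IDs and file names below are constructed.
"""
import re
from urllib.parse import unquote

# Attachment URL shape described by RiskIQ. Assumption: the last path
# element is the uploaded file's name (Discord's URL scheme).
DISCORD_ATTACHMENT = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/"
    r"(?P<channel>\d+)/(?P<attachment>\d+)/(?P<name>[^/\s?#]+)",
    re.IGNORECASE,
)

# Assumed list of extensions worth alerting on; tune for your environment.
RISKY_EXT = {".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".msi",
             ".js", ".vbs", ".bat", ".ps1"}

# Constructed proxy log: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2022-01-27T10:02:15Z 10.0.0.14 GET https://cdn.discordapp.com/attachments/"
    "111111111111111111/222222222222222222/Windows11InstallationAssistant.zip 200",
    "2022-01-27T10:05:40Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/"
    "333333333333333333/444444444444444444/screenshot.png 200",
    "2022-01-27T10:07:03Z 10.0.0.31 GET https://www.microsoft.com/software-download/windows11 200",
]


def refang(text):
    """Undo common IOC defanging (hxxp, [.], [:]) so defanged indicators match."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[:]", ":")


def extract_discord_attachments(text):
    """Yield one dict per Discord CDN attachment URL found in text."""
    for m in DISCORD_ATTACHMENT.finditer(refang(text)):
        name = unquote(m.group("name"))
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        yield {
            "url": m.group(0),
            "channel_id": m.group("channel"),
            "attachment_id": m.group("attachment"),
            "filename": name,
            "risky": ext in RISKY_EXT,
        }


def scan_proxy_log(lines):
    """Return every Discord attachment fetch in the log, risky hits first."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for hit in extract_discord_attachments(line):
            hit["line"] = lineno
            hits.append(hit)
    return sorted(hits, key=lambda h: not h["risky"])


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        tag = "RISKY" if h["risky"] else "info"
        print(f"[{tag}] line {h['line']}: {h['filename']} "
              f"(channel {h['channel_id']}, attachment {h['attachment_id']})")
```

The channel and attachment IDs are worth keeping in the alert: the same channel ID recurring across many clients, or across unrelated phishing pages, ties separate downloads back to one attacker-controlled server even when the file names change.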
The most common type of malware RiskIQ discovered was the trojan, which spoofs the appearance of a real app or download; the Windows 11 installer described above is a textbook example. Beyond that, RiskIQ found evidence of 27 unique malware families hosted on Discord's CDN.
It's not just malware that's a threat, either. Scammers recently took over an NFT project's vanity URL on Discord and pointed it at their own scam server. The problem here was that CryptoBatz changed its Discord invite URL without updating all of its earlier social media posts to reflect the change, and the scammers then claimed the old URL as their own. They may have made as much as $40,000 from this one incident.
Security researchers are doing their part by reporting these issues to Discord, and Discord is trying to stamp out malware as best it can, but where one door closes another opens. Since that has been true since the dawn of computing, we recommend sticking to the age-old advice of being cautious about unofficial websites and downloads. Some caution about links shared in Discord servers now seems advisable, too.