Devious Malware Hosted on Discord Pretends to be Windows 11 Installer

[{"selector":"#anim-31dfe3c4-2845-4b3a-bb42-957de5d0ebb5","keyframes":[{"transform":"scale(1)","offset":0},{"transform":"scale(1.05)","offset":0.33},{"transform":"scale(0.995)","offset":0.66},{"transform":"scale(1)","offset":1}],"delay":0,"duration":600,"easing":"ease-in-out","fill":"both","iterations":3}]

A malware hosted on Discord pretends to be a Windows 11 installer.

[{"selector":"#anim-c595d1ee-680d-4167-b2a0-091ed4cf133f","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-7c9bd027-cc1e-42ed-b29f-15a98f2bc22f","keyframes":{"transform":["rotate(-360deg) translate3d(-115.75562%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

An installer has been spotted trying to expose personal information to hackers.

[{"selector":"#anim-1e143764-ffb5-4f65-8b82-2c934285b7b2","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-129c1d97-85fe-4c51-b5b3-badf5654cead","keyframes":{"transform":["rotate(-360deg) translate3d(-115.75562%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Don’t download an installer.

[{"selector":"#anim-81b52b71-81a0-487f-92ca-10cb462cf3eb","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e7c6fbb2-26aa-4f07-a1db-55e435d3671d","keyframes":{"transform":["rotate(-360deg) translate3d(-116.39871%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Many actors have already installed malware while attempting to install the latest OS on their PCs.

[{"selector":"#anim-8def55d6-b2c8-4791-b9d3-88f6557aa7e4","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-cb169911-0e20-49ff-92ec-c3a4aee2759b","keyframes":{"transform":["rotate(-360deg) translate3d(-116.39871%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

They found that windows-upgraded.com is attempting to distribute RedLine Stealer.

[{"selector":"#anim-ae947d60-98a9-4a7c-830a-2443d2670df8","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-12ffe90e-201b-4997-b5e2-be91a5d47a1d","keyframes":{"transform":["rotate(-360deg) translate3d(-116.39871%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

The website looks like a mirror image of Microsoft’s own Windows 11 installer website.

[{"selector":"#anim-7af0d0b6-b32b-4980-a9c0-36199275f49d","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3da78e19-ee76-47e8-9cc1-60ed17dad00b","keyframes":{"transform":["rotate(-360deg) translate3d(-115.43409%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

The button “Download Now” leads to a dodgy installer.

[{"selector":"#anim-22a452d9-539d-4d2b-8af6-50670772bd8a","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-b9130762-3791-4f83-bed0-c9345759a2e7","keyframes":{"transform":["rotate(-360deg) translate3d(-115.75562%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

It is called Windows11InstallationAssistant.zip, it contains six Windows DLLs, an XML file and it’s 1.5MB big compressed.

[{"selector":"#anim-4cca3227-654a-4568-be5b-bb287050bdb8","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c13fac93-06c0-4325-8b46-a2a15adf5d08","keyframes":{"transform":["rotate(-360deg) translate3d(-115.75562%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

The file has a compression ratio of 99.8%.

[{"selector":"#anim-27cc5867-defa-4bc8-8db8-eef798129e20","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8b79f303-58cb-49f4-8d9c-30b7bd0a691f","keyframes":{"transform":["rotate(-360deg) translate3d(-116.39871%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

They said to achieve this ratio, it likely contains padding.

[{"selector":"#anim-90cd45e3-8893-4ef7-819f-e63b2ad21033","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3d2f199f-d83b-4df4-a756-60542b15fd1c","keyframes":{"transform":["rotate(-360deg) translate3d(-116.39871%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

It looks like a bunch of 0x30 byte codes and has no impact on the operation of the file.

[{"selector":"#anim-144d45c8-b390-41d9-8529-c7f8e518021f","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-ecb447c9-5f10-40d1-a1a2-756b6a836717","keyframes":{"transform":["rotate(-360deg) translate3d(-115.75562%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

They also noted that this kind of attack was also analyzed in 2021.

[{"selector":"#anim-1b02cf30-dfc8-4a8c-8e2d-bed45c41241c","keyframes":{"opacity":[0,1]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d42d836f-7509-4f3e-abc6-dbe343243b72","keyframes":{"transform":["rotate(-360deg) translate3d(-115.75562%, 0px, 0) rotate(360deg)","rotate(-360deg) translate3d(0px, 0px, 0) rotate(360deg)"]},"delay":100,"duration":800,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]