Doctor Web Discovers Stealer Trojan in Pirated Windows 10 Builds
Doctor Web recently announced the discovery of a stealer Trojan in pirated builds of Windows 10 that the attackers distributed through an unnamed torrent tracker. The malware, named Trojan.Clipper.231, replaces cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attackers. So far the operators have used it to steal roughly $19,000 worth of cryptocurrency.
Client Reports Suspicion of Infection
At the end of May 2023, a client contacted the company suspecting that a computer running Windows 10 was infected. Analysis by Doctor Web's specialists confirmed the presence of Trojans on the system: the Trojan.Clipper.231 stealer, together with the malicious programs Trojan.MulDrop22.7578 and Trojan.Inject4.57873 that launched it.
Pirated Windows 10 Builds Contain Malware
It turned out that the affected OS was an unofficial build, and the malware had been built into it from the start. Further investigation revealed several such infected Windows builds:
Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik EN.iso;
Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik EN.iso;
Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso;
Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso;
Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso.
All of them were available for download on an unnamed torrent tracker, but the researchers do not rule out that the attackers also use other sites to distribute the malicious images.
Malware Located in System Directory
In these builds the malware is located in the system directory:
\Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
\Windows\Installer\recovery.exe (Trojan.Inject4.57873)
\Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)
Stealer initialization occurs in several stages. At the first stage, Trojan.MulDrop22.7578 is launched via the system Task Scheduler from %SystemDrive%\Windows\Installer\iscsicli.exe (note that the legitimate iscsicli.exe lives in System32, not in the Installer directory).
The task of this component is to mount the EFI System Partition of the disk as drive M:\, copy the other two components to it, delete the original Trojan files from drive C:\, run Trojan.Inject4.57873, and unmount the EFI partition again.
In turn, Trojan.Inject4.57873 uses the Process Hollowing technique to inject Trojan.Clipper.231 into a copy of the system process %WINDIR%\System32\Lsaiso.exe (the isolated LSA process used by Credential Guard), after which the stealer runs in that process's context.
Once in control, Trojan.Clipper.231 monitors the clipboard and replaces any copied cryptocurrency wallet address with one chosen by the attackers. The malware does, however, have a number of restrictions. First, it performs the substitution only if the file %WINDIR%\INF\scunown.inf is present on the system. Second, the Trojan checks the list of running processes: if it detects processes belonging to certain applications it treats as a threat, it leaves the wallet addresses untouched.
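The infection chain above leaves a handful of host artifacts that can be checked directly: the scheduled task that launches a binary out of \Windows\Installer, the three dropped files on the system drive, the scunown.inf activation file, executables staged on the EFI System Partition, and an LsaIso.exe process that should not be there. The following hunting script is an added example written for this article; it is not code from Doctor Web or from the malware. It assumes that a legitimate LsaIso.exe exists only when Credential Guard is running and is started by wininit.exe, and it must be run from an elevated prompt because mounting the ESP with mountvol /S requires administrator rights.

```powershell
# Added hunting script for the Trojan.Clipper.231 artifacts described in this article.
# Not from the Doctor Web report. Assumption: a legitimate LsaIso.exe is only present
# when Credential Guard is running and has wininit.exe as its parent. Run elevated.

$Findings = [System.Collections.Generic.List[string]]::new()
$Installer = Join-Path $env:SystemRoot 'Installer'
$DropperNames = @('iscsicli.exe', 'recovery.exe', 'kd_08_5e78.dll')

# 1. Persistence: any scheduled task whose action executes something from \Windows\Installer.
#    The report names iscsicli.exe there; the legitimate iSCSI tool lives in System32.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute
        if ($exe -and (($exe -replace '"', '') -like '*\Windows\Installer\*')) {
            $Findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs $exe $($action.Arguments)")
        }
    }
}

# 2. Stage-one files on the system drive. The dropper deletes the other two components
#    from C:\ after copying them to the ESP, so their absence here proves nothing.
foreach ($name in $DropperNames) {
    $p = Join-Path $Installer $name
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $Findings.Add("Dropper artifact on system drive: $p (SHA256 $h)")
    }
}

# 3. The clipper's activation gate: %WINDIR%\INF\scunown.inf.
$gate = Join-Path $env:SystemRoot 'INF\scunown.inf'
if (Test-Path -LiteralPath $gate) {
    $Findings.Add("Clipper activation file present: $gate")
}

# 4. Payload copies on the EFI System Partition. Mount it on a free drive letter,
#    list it, and dismount. The ESP normally holds only boot loaders under \EFI;
#    a stray .exe or .dll, or any of the dropper file names, is abnormal.
$letter = [char[]](90..68) | Where-Object { -not (Test-Path "$($_):\") } | Select-Object -First 1
if ($letter) {
    $drive = "$($letter):"
    & mountvol $drive /S | Out-Null
    try {
        if (Test-Path "$drive\") {
            Get-ChildItem -Path "$drive\" -File -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { ($_.Extension -in @('.exe', '.dll')) -or ($_.Name -in $DropperNames) } |
                ForEach-Object {
                    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    $Findings.Add("Executable on EFI partition: $($_.FullName) (SHA256 $h)")
                }
        }
    } finally {
        & mountvol $drive /D | Out-Null
    }
}

# 5. Host process. SecurityServicesRunning value 1 means Credential Guard is running.
#    An LsaIso.exe on a host without Credential Guard, or one whose parent is not
#    wininit.exe, is a candidate for the hollowed copy carrying Trojan.Clipper.231.
$cgRunning = $false
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 1)) { $cgRunning = $true }
foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'LsaIso.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    if ((-not $cgRunning) -or ($parent.Name -ne 'wininit.exe')) {
        $Findings.Add("Suspicious LsaIso.exe PID $($proc.ProcessId), parent '$($parent.Name)', Credential Guard running: $cgRunning")
    }
}

if ($Findings.Count -eq 0) { 'No Trojan.Clipper.231 indicators found.' } else { $Findings }
```

The ESP check is the one that matters most: because the dropper removes its components from C:\ after staging them, a clean \Windows\Installer directory says nothing, and few endpoint tools enumerate the EFI partition at all. Any hashes the script reports should be compared against Doctor Web's published indicators rather than treated as conclusive on their own, since the file names used by the dropper are generic.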
Placing Malware on the EFI Partition Is Rare
The researchers write that placing malware on the EFI System Partition is still very rare, and precisely because few security tools examine that partition, identifying such malicious programs is a difficult task. Doctor Web's experts recommend that users of unofficial Windows builds be especially careful and obtain software only from reliable sources.