Pirated builds of Windows 10 are being used to distribute clipper malware, according to a report by Doctor Web. The malware is hidden in the EFI System Partition, a location that standard antivirus scanning does not usually cover, which lets it evade detection.
Insight into Clipper Malware: This type of malware steals cryptocurrency by intercepting or altering data on the Windows clipboard, almost always cryptocurrency wallet addresses. When a victim copies an address in order to paste it into a payment form, the clipper silently replaces it with an address under the attacker's control, so the transfer goes to the wrong wallet. In previous cases, such malware camouflaged itself as legitimate cryptocurrency applications; once installed, it could read and, when the content matched, rewrite the Windows clipboard. The Laplas clipper, for example, substitutes wallet addresses for Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Tron and other currencies.

The EFI System Partition (ESP) is a small, separate partition on the disk that holds the boot loader and other firmware-stage utilities, not the operating system itself. Historically, EFI partitions have been abused to hide individual malware components; this case shows that they can harbor the entire payload.

Hurdles in Detection: Most antivirus software either cannot scan EFI partitions at all or does so poorly. Files stored there are therefore not inspected, and the malware can persist undetected, often until it has already caused significant damage.
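The replacement behaviour described above can be spotted from the outside without knowing anything about the specific sample. The following PowerShell script is an added example written for this page, not code from the Doctor Web report or the malware: it polls the clipboard and flags the moment a wallet-looking address is replaced by a different address of the same family within a short window, something a human copying text does not do. The address regexes, the 1000 ms window and the function names are illustrative assumptions; the patterns are deliberately loose matchers, not validators.

```powershell
# Added example (not from the Dr. Web report): a small clipboard-swap detector.
# A clipper overwrites a copied wallet address with the attacker's own within
# milliseconds. A same-family, different-value change inside the window is
# therefore treated as suspicious. Requires Windows (Get-Clipboard).

$AddressPatterns = [ordered]@{
    # Loose illustrative matchers (assumption): legacy/P2SH base58 and bech32 forms.
    'BTC' = '^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$'
    'ETH' = '^0x[0-9a-fA-F]{40}$'
    'LTC' = '^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$'
    'TRX' = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
}

function Get-AddressFamily {
    # Returns the family name ('BTC', 'ETH', ...) of a clipboard string, or $null.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $t = $Text.Trim()
    foreach ($family in $AddressPatterns.Keys) {
        if ($t -match $AddressPatterns[$family]) { return $family }
    }
    return $null
}

function Test-SuspiciousSwap {
    # Pure decision logic, kept apart from the polling loop so it can be tested:
    # both values are addresses of the same family, they differ, and the change
    # happened within $WindowMs of the previous clipboard change.
    param([string]$Previous, [string]$Current, [int]$ElapsedMs, [int]$WindowMs = 1000)
    $pf = Get-AddressFamily $Previous
    $cf = Get-AddressFamily $Current
    return (
        ($null -ne $pf) -and ($pf -eq $cf) -and
        ($Previous.Trim() -ne $Current.Trim()) -and ($ElapsedMs -le $WindowMs)
    )
}

function Watch-Clipboard {
    # Polls the clipboard for $Seconds and warns on a suspicious swap.
    param([int]$Seconds = 120, [int]$PollMs = 100, [int]$WindowMs = 1000)
    $stop     = (Get-Date).AddSeconds($Seconds)
    $previous = Get-Clipboard -Raw -ErrorAction SilentlyContinue
    $changed  = Get-Date
    while ((Get-Date) -lt $stop) {
        Start-Sleep -Milliseconds $PollMs
        $current = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        if ($current -eq $previous) { continue }
        $now     = Get-Date
        $elapsed = [int]($now - $changed).TotalMilliseconds
        if (Test-SuspiciousSwap -Previous $previous -Current $current -ElapsedMs $elapsed -WindowMs $WindowMs) {
            Write-Warning ("Clipboard address replaced after {0} ms: '{1}' -> '{2}'" -f $elapsed, $previous, $current)
        }
        $previous = $current
        $changed  = $now
    }
}

# Constructed check of the decision logic with two well-formed Bitcoin addresses:
# a swap 40 ms after the copy is flagged, the same swap 5 s later is not.
Test-SuspiciousSwap -Previous '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2' `
                    -Current  '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa' -ElapsedMs 40     # True
Test-SuspiciousSwap -Previous '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2' `
                    -Current  '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa' -ElapsedMs 5000   # False
```

Run `Watch-Clipboard` in a console, copy a wallet address and paste it somewhere; on an infected machine the warning fires as soon as the clipper rewrites the clipboard. The timing heuristic is the whole point: the detector never needs to know the attacker's addresses, only that a replacement happened faster than a person could have done it.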
According to the report, the malware consists of the following files, placed in the Windows installation directory:

- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
Once the pirated build is installed, a scheduled task launches the dropper iscsicli.exe, which mounts the EFI System Partition as the "M:" drive. (The name is borrowed from the legitimate iSCSI command-line tool, which lives in %WINDIR%\System32, not in \Windows\Installer.)
The dropper then copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive and runs recovery.exe, which injects the clipper DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process.
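Each step of that chain leaves something an investigator can look for: the scheduled task, the three files on the system volume, the same files inside the ESP, and the injection target. The following triage script is an added example written for this page, not code from the Doctor Web report. It must be run from an elevated PowerShell prompt. It assumes the drive letter Z: is free (the ESP is mounted there temporarily with `mountvol Z: /S`, because ordinary antivirus does not look inside it), searches the whole ESP because the report does not give the files' exact path there, and treats the lsaiso.exe module listing as best-effort only, since a manually mapped DLL does not appear in it. The function names and the output object layout are the example's own.

```powershell
# Added triage script, not part of the Dr. Web report. Run elevated on a suspect host.
# Checks the observables the report names: a scheduled task starting iscsicli.exe
# from outside System32, the three IOC files on the system volume and in the EFI
# System Partition, and the Lsaiso.exe injection target.

$Iocs         = @('iscsicli.exe', 'recovery.exe', 'kd_08_5e78.dll')   # file names from the report
$InstallerDir = Join-Path $env:WINDIR 'Installer'

function New-Finding {
    param([string]$Type, [string]$Where, [string]$Detail)
    [pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail }
}

function Get-DropperTaskFindings {
    # The legitimate iSCSI client is %WINDIR%\System32\iscsicli.exe; a task whose
    # action starts an iscsicli.exe anywhere else is the tell.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute          # empty for COM-handler actions
            if ($exe -match 'iscsicli\.exe' -and $exe -notmatch '\\System32\\') {
                New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$exe $($action.Arguments)"
            }
        }
    }
}

function Get-IocFileFindings {
    # Lists IOC-named files under $Root with their SHA-256, optionally recursing.
    param([string]$Root, [switch]$Recurse)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Iocs -contains $_.Name.ToLowerInvariant() } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            New-Finding 'File' $_.FullName "SHA256=$hash size=$($_.Length)"
        }
}

function Get-EspFileFindings {
    # Mounts the EFI System Partition on $Letter, searches it, and always unmounts.
    param([string]$Letter = 'Z')                    # assumed free drive letter
    $drive = "${Letter}:"
    if (Test-Path -LiteralPath "$drive\") { throw "$drive is already in use; pick another letter" }
    & mountvol $drive /S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mountvol $drive /S failed (not elevated, or not a UEFI/GPT system?)" }
    try     { Get-IocFileFindings -Root "$drive\" -Recurse }
    finally { & mountvol $drive /D | Out-Null }
}

function Get-LsaisoFindings {
    # Lsaiso.exe is the Credential Guard isolated-LSA host; report every instance
    # and, where readable, whether the clipper DLL shows in its module list.
    foreach ($p in Get-Process -Name lsaiso -ErrorAction SilentlyContinue) {
        $detail = "PID $($p.Id)"
        try {
            $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'kd_08_5e78.dll' }
            if ($mod) { $detail += " has loaded $($mod.FileName)" }
        } catch { $detail += " (module list not readable: $($_.Exception.Message))" }
        New-Finding 'Process' ([string]$p.Path) $detail
    }
}

function Invoke-ClipperTriage {
    param([string]$EspLetter = 'Z')
    $findings = @(
        Get-DropperTaskFindings
        Get-IocFileFindings -Root $InstallerDir                 # report: \Windows\Installer
        Get-IocFileFindings -Root "$env:SystemDrive\"           # report: copied to the C:\ drive
        Get-EspFileFindings -Letter $EspLetter                  # report: hidden in the ESP
        Get-LsaisoFindings                                      # report: injected into Lsaiso.exe
    )
    if (-not $findings) { Write-Host 'No indicators from the report were found.' }
    return $findings
}

Invoke-ClipperTriage | Format-Table -AutoSize
```

An empty result is not a clean bill of health: the file names are trivially changed by the next build of the malware, and a payload injected without the Windows loader does not show up in a module list. What does generalise is the method, mounting the ESP with `mountvol /S` and hashing what is there, which is exactly the step the article says most antivirus products skip.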
The Hazards of Pirated Software: This incident serves as a reminder of the risks associated with downloading pirated software. To raise public awareness, Dr. Web listed some of the identified malicious torrents, while acknowledging that many more could be circulating.
Highlighted Malicious Torrents:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
Implications of Pirated Windows 10 with Clipper Malware Distribution