Pirated Windows 10 ISOs Conceal Clipper Malware

Cybercriminals are utilizing torrents to distribute pirated versions of Windows 10 that hide cryptocurrency hijackers within the EFI (Extensible Firmware Interface) partitions. This technique allows them to evade detection by security measures.

The EFI Partition: A Stealthy Storage Space

The EFI partition, a small system partition responsible for executing the bootloader and related files before the operating system’s startup, has become the latest target for cybercriminals seeking to distribute malware. This partition plays a crucial role in UEFI-powered systems, which have replaced outdated BIOS.

In previous instances, hackers used modified EFI partitions to run malware independently of the operating system and its defense tools. However, researchers at Dr. Web have uncovered a new tactic employed by cybercriminals distributing pirated Windows 10 ISOs. Instead of utilizing the EFI partition to execute malware, these malicious ISOs use it as a storage space for the clipper malware components, out of reach of the usual scans.

Evasion of Detection: Exploiting the Unscanned EFI Partition

One of the primary advantages for cybercriminals employing this method is that standard antivirus tools typically do not scan the EFI partition. Consequently, the malware hidden within can potentially bypass detection. Dr. Web’s report provides insight into the functioning of these malicious Windows 10 builds, which discreetly place certain apps within the system directory:

1. \Windows\Installer\iscsicli.exe (dropper)

2. \Windows\Installer\recovery.exe (injector)

3. \Windows\Installer\kd_08_5e78.dll (clipper)

The Installation Process: Exploiting Vulnerabilities

When the compromised ISO installs the operating system, it creates a scheduled task to launch a dropper named iscsicli.exe. This dropper mounts the EFI partition as the “M:” drive. Once mounted, it copies two other files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.

Subsequently, the injector, recovery.exe, is executed. It employs process hollowing to inject the clipper malware DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process.
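The chain above leaves three host artifacts a responder can check offline: a scheduled task whose action points into \Windows\Installer, the dropped files themselves, and PE images sitting on the EFI system partition under names that are not boot images. The following Python script is an added example written for this article, not code from Dr. Web or from the malware; the task XML and the ESP listing it parses are constructed samples, the drop location on the ESP is an assumption (the report does not say where on the partition the components sit), and the rule that a legitimate ESP file with an MZ header should carry a .efi extension is a heuristic chosen here.

```python
"""Offline triage for the infection chain described above: a scheduled task that
launches a dropper from \\Windows\\Installer, the three dropped files, and
non-boot PE images parked on the EFI system partition (ESP).

All inputs below are constructed for the example. In practice task_commands()
would be fed the XML files under \\Windows\\System32\\Tasks and
suspicious_esp_files() a listing of the mounted ESP."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# File paths named in the Dr. Web report, lower case, without drive letter.
REPORTED_FILES = {
    "\\windows\\installer\\iscsicli.exe",    # dropper
    "\\windows\\installer\\recovery.exe",    # injector
    "\\windows\\installer\\kd_08_5e78.dll",  # clipper
}
INSTALLER_DIR = "\\windows\\installer\\"


def norm(path):
    """Lower-case a Windows path, unify slashes and strip a leading drive letter."""
    p = path.replace("/", "\\").lower()
    return re.sub(r"^[a-z]:", "", p)


def task_commands(task_xml):
    """Return (Command, Arguments) for every Exec action in one task definition."""
    root = ET.fromstring(task_xml)
    cmds = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        cmds.append((cmd.strip(), args.strip()))
    return cmds


def suspicious_tasks(tasks):
    """tasks: {task_name: xml_text}. Flag a task whose Exec action runs one of the
    reported files or any executable under \\Windows\\Installer, a directory
    that holds installer caches rather than scheduled-task targets."""
    hits = []
    for name, xml_text in tasks.items():
        for cmd, args in task_commands(xml_text):
            n = norm(cmd)
            if n in REPORTED_FILES or n.startswith(INSTALLER_DIR):
                hits.append((name, cmd, args))
    return hits


def suspicious_esp_files(esp_files):
    """esp_files: {path_on_esp: first_bytes}. Flag a file named in the report, or
    any PE image (MZ header) that is not a .efi boot image. The .efi rule is a
    heuristic chosen for this example, not a rule from the report."""
    hits = []
    for path, head in esp_files.items():
        n = norm(path)
        basename = n.rsplit("\\", 1)[-1]
        reported = any(r.endswith("\\" + basename) for r in REPORTED_FILES)
        if reported or (head[:2] == b"MZ" and not n.endswith(".efi")):
            hits.append(path)
    return hits


# Constructed task definitions; the element layout follows Task Scheduler XML.
SAMPLE_TASKS = {
    "Microsoft\\Windows\\DiskCleanup\\SilentCleanup": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command>'
        "<Arguments>/autoclean</Arguments></Exec></Actions></Task>"
    ),
    "Recovery": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec><Command>C:\\Windows\\Installer\\iscsicli.exe</Command>'
        "</Exec></Actions></Task>"
    ),
}

# Constructed ESP listing (path -> first bytes), mounted as M: like the dropper does.
# The directory holding the two dropped components is an assumption.
SAMPLE_ESP = {
    "M:\\EFI\\Microsoft\\Boot\\bootmgfw.efi": b"MZ\x90\x00",
    "M:\\EFI\\Boot\\bootx64.efi": b"MZ\x90\x00",
    "M:\\EFI\\Microsoft\\Boot\\BCD": b"regf",
    "M:\\EFI\\Microsoft\\Boot\\recovery.exe": b"MZ\x90\x00",
    "M:\\EFI\\Microsoft\\Boot\\kd_08_5e78.dll": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLE_TASKS):
        print("suspicious task:", hit)
    for p in suspicious_esp_files(SAMPLE_ESP):
        print("suspicious ESP file:", p)
```

On a live system the ESP is not mounted by default; the listing would come from a forensic image or from mounting the partition read-only, and the task XML from the Tasks directory or from a registry/ETW export. The point of the \Windows\Installer rule is that the report's dropper is named after a legitimate System32 binary (iscsicli.exe), so matching on the full path, not just the file name, is what separates it from the genuine one.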

Anti-Analysis Measures: Evading Security Researchers

After injection, the clipper malware checks for the presence of the file C:\Windows\INF\scunown.inf and various analysis tools such as Process Explorer, Task Manager, Process Monitor, and ProcessHacker. If any of these are detected, the clipper refrains from replacing crypto wallet addresses, ensuring that its activities go unnoticed by security researchers.

Cryptojacking in Action: Diverting Payments

Once the clipper malware is active, it monitors the system clipboard for cryptocurrency wallet addresses. Whenever it identifies such addresses, it swiftly replaces them with addresses controlled by the attackers.

This allows threat actors to redirect cryptocurrency payments to their accounts. Dr. Web states that these malicious activities have generated at least $19,000 worth of cryptocurrency across the identified wallet addresses.
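What distinguishes a clipper from ordinary clipboard use is the pattern described above: an address is copied, and a moment later the clipboard holds a different address of the same family that nobody copied. The script below is an added example for this article, not code from Dr. Web or from the malware, and it turns that pattern into a detection heuristic over a constructed event stream (time, owning process, clipboard text). The address patterns are coarse approximations, the two-second window is an assumption, and the wallet strings are placeholders that merely satisfy the patterns.

```python
"""Detection heuristic for clipper behaviour: a wallet address on the clipboard
is replaced by a different address of the same family within a very short time.

Events are constructed for this example. A real monitor would receive them
from the OS clipboard-change notification and record the window owner of each
update; the logic below is the part that decides what to alert on."""
import re

# Coarse address families checked; the patterns are an assumption of this example.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,87}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family the text matches, or None for ordinary text."""
    text = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(text):
            return kind
    return None


def detect_swaps(events, window=2.0):
    """events: iterable of (seconds, owner_process, clipboard_text).
    Alert when an update replaces an address with a different address of the
    same family within `window` seconds. A user rarely copies two distinct
    addresses back to back that quickly; a clipper does it on every copy."""
    alerts = []
    prev = None
    for t, owner, text in events:
        kind = address_kind(text)
        if prev is not None and kind is not None:
            pt, _powner, ptext, pkind = prev
            if pkind == kind and ptext.strip() != text.strip() and t - pt <= window:
                alerts.append({
                    "time": t,
                    "owner": owner,
                    "kind": kind,
                    "original": ptext.strip(),
                    "replacement": text.strip(),
                })
        prev = (t, owner, text, kind)
    return alerts


# Constructed placeholders that only satisfy the patterns; not real wallets.
VICTIM_BTC = "1VictimWa11et" + "X" * 21
ATTACKER_BTC = "1AttackerWa11et" + "Y" * 19
VICTIM_ETH = "0x" + "1234" * 10
OTHER_ETH = "0x" + "abcd" * 10

# Constructed event stream. The swap is attributed to lsaiso.exe because the
# report names it as the process the clipper DLL is hollowed into.
SAMPLE_EVENTS = [
    (0.0, "explorer.exe", "meeting notes for monday"),
    (10.0, "chrome.exe", VICTIM_BTC),
    (10.3, "lsaiso.exe", ATTACKER_BTC),   # silently swapped 300 ms after the copy
    (40.0, "chrome.exe", VICTIM_ETH),
    (95.0, "chrome.exe", OTHER_ETH),      # a second address a minute later is normal use
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['time']:.1f}s] {a['kind']} address replaced by {a['owner']}: "
              f"{a['original']} -> {a['replacement']}")
```

The owner field is worth keeping in the alert: a clipboard write attributed to a process that has no user interface, such as the isolated LSA process this sample hides in, is itself a strong signal even before the timing rule fires. The heuristic also shows why the anti-analysis check in the report matters to detection: while Process Explorer or Task Manager is open the swap simply does not happen, so an endpoint sensor, not a visible tool, has to be the thing watching.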

Compromised ISOs and Widespread Threats to Windows 10

Dr. Web’s investigation revealed that the following Windows ISO files, shared on torrent sites, contained the compromised Windows 10 builds:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

The Dangers of Pirated Windows 10 Operating System Downloads

It is crucial to avoid downloading and using pirated operating system builds as they pose significant risks. Unofficial builds, created by unknown sources, can easily incorporate persistent malware, as evidenced by the clipper malware hidden within these compromised Windows 10 ISOs.

Cybercriminals behind these illicit activities take advantage of the trust users place in pirated software to gain access to their systems. By distributing infected ISO files through torrents, they prey on unsuspecting individuals seeking to acquire operating systems without paying for legitimate licenses.

Protecting Yourself from Malicious Software of Pirated Windows 10

To ensure your digital safety and protect yourself from the risks associated with pirated software, it is essential to adhere to the following measures:

1. Purchase legitimate software: Invest in genuine software licenses from trusted vendors and authorized sources. This guarantees that you receive secure, up-to-date software without hidden malware.

2. Exercise caution when downloading: Be wary of downloading software from unverified sources or torrent sites, including operating systems. Stick to reputable platforms and official websites to minimize the risk of encountering malicious software.

3. Keep your software up to date: Regularly update your operating system and security software to benefit from the latest security patches and protection against emerging threats.

4. Utilize robust security software: Install reliable antivirus and anti-malware software on your devices. These tools help detect and eliminate malware, providing additional protection against potential threats.

5. Practice safe browsing habits: Be cautious when clicking links, downloading files, or opening email attachments from unknown or suspicious sources. Exercise discretion to avoid inadvertently installing malware on your system.