Clipper malware installed through pirated Windows 10 ISOs. Hackers are distributing Windows 10 via torrents that hide bitcoin-hijacking clipper malware in the EFI (Extensible Firmware Interface) partition.
The EFI partition holds the bootloader and other data needed to start the operating system. It is a small system partition that runs before the OS does, and it is required on UEFI-based computers, which have replaced the legacy BIOS.
As in the case of BlackLotus, attackers have used modified EFI partitions to launch malware from outside the OS and its defenses. The counterfeit Windows 10 ISOs found by Dr. Web researchers, however, merely use the EFI partition as a safe place to store the clipper components. Because antivirus software does not routinely scan the EFI partition, malware stored there is more likely to evade detection.
Dr. Web report
Dr. Web’s report explains that the malicious Windows 10 builds hide the following apps in the system directory:
- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
When the operating system is installed from the ISO, a scheduled task is created to run a dropper called iscsicli.exe, which mounts the EFI partition as the “M:” drive. Once the partition is mounted, the dropper copies recovery.exe and kd_08_5e78.dll to the C: drive.
When recovery.exe runs, it hollows the legitimate %WINDIR%\System32\Lsaiso.exe system process in order to inject the clipper malware DLL.
Once injected, the clipper checks whether the file C:\Windows\INF\scunown.inf exists or whether any analysis tools, such as Process Explorer, Task Manager, Process Monitor or ProcessHacker, are running. If either is found, the clipper does not substitute wallet addresses, so as to stay hidden from security analysts.
Once running, the clipper monitors the system clipboard for bitcoin wallet addresses. Any it finds are replaced with attacker-controlled addresses, rerouting payments to the threat actors' accounts. According to Dr. Web, the threat actors have amassed at least $19,000 worth of cryptocurrency in the wallets the researchers were able to locate.
Dr. Web cautions that there may be more, but the addresses it found came from the following Windows ISOs distributed via pirate sites:
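The infection chain above (dropper in \Windows\Installer, scheduled task, marker file, hollowed Lsaiso.exe, storage on the EFI partition) lends itself to a host sweep. The script below is an added example for defenders and is not part of the Dr. Web report or this article; it uses only the file names and paths stated above. The drive letter S:, the choice to treat files outside the ESP's EFI\ tree as unexpected, and the LsaIso.exe heuristic are this script's own assumptions, and mounting the EFI System Partition requires an elevated prompt.

```powershell
# Added example: read-only sweep for the artifacts described in the article.
# Run from an elevated PowerShell prompt; nothing is deleted or changed.
function Invoke-ClipperIocSweep {
    $findings = @()

    # 1. The three components the report says are dropped into \Windows\Installer.
    #    The legitimate iscsicli.exe lives in System32, not in the Installer folder.
    $iocFiles = @(
        (Join-Path $env:WINDIR 'Installer\iscsicli.exe'),
        (Join-Path $env:WINDIR 'Installer\recovery.exe'),
        (Join-Path $env:WINDIR 'Installer\kd_08_5e78.dll')
    )
    foreach ($f in $iocFiles) {
        if (Test-Path -LiteralPath $f) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings += "IoC file present: $f (SHA256 $hash)"
        }
    }

    # 2. The marker file whose presence makes the clipper stay dormant.
    $marker = Join-Path $env:WINDIR 'INF\scunown.inf'
    if (Test-Path -LiteralPath $marker) {
        $findings += "Marker file present: $marker"
    }

    # 3. Scheduled tasks whose action runs an executable out of \Windows\Installer.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -and $a.Execute -match 'Windows\\Installer\\') {
                $findings += "Suspicious task '$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
            }
        }
    }

    # 4. The injector hollows the legitimate LsaIso.exe (Credential Guard's isolated
    #    LSA process). On hosts without Credential Guard it is normally not running,
    #    so any instance is listed for review (assumption: heuristic, not proof).
    Get-Process -Name LsaIso -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "LsaIso.exe running (PID $($_.Id)); confirm Credential Guard is enabled here"
    }

    # 5. Inventory the EFI System Partition. The article does not say where on the
    #    ESP the components are stored, so every file outside the standard EFI\ tree
    #    is reported (assumption: S: is free; a normal ESP has only EFI\ at its root).
    $efiDrive = 'S:'
    $mountedHere = $false
    if (-not (Test-Path -LiteralPath "$efiDrive\")) {
        mountvol $efiDrive /S          # mounts the ESP on S:
        $mountedHere = $true
    }
    try {
        Get-ChildItem -LiteralPath "$efiDrive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -notmatch '^S:\\EFI\\' } |
            ForEach-Object {
                $findings += "Unexpected file on ESP: $($_.FullName) ($($_.Length) bytes)"
            }
    }
    finally {
        if ($mountedHere) { mountvol $efiDrive /D }   # unmount again
    }

    return $findings
}

$results = Invoke-ClipperIocSweep
if ($results.Count -eq 0) { 'No artifacts from the report found on this host.' }
else { $results }
```

A hit on any of items 1 to 3 is a strong indicator of this specific build; items 4 and 5 are heuristics that need a human look, since OEM firmware tools and Credential Guard can legitimately produce the same observations.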
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
Pirated OS downloads should be avoided because they can be dangerous.