Illicit Windows 10 ISOs Harbor Clipper Malware via EFI Partitions

Cybercriminals are distributing pirated Windows 10 builds through torrent platforms with cryptocurrency clipper malware hidden in the EFI (Extensible Firmware Interface) partition, a placement that makes the malware hard to detect.

The EFI partition is a small system partition that holds the bootloader and other files executed before the operating system starts. It is required on systems that boot with UEFI, which has replaced the older BIOS.

Attackers have previously abused EFI partitions to launch malware outside the operating system and its protection mechanisms, as the BlackLotus bootkit did. The Windows 10 ISOs discovered by Dr. Web’s research team, however, use the EFI partition only as a storage location for the clipper components.

Even so, this placement can help the malware evade detection, because standard antivirus tools do not routinely scan EFI partitions.

Dr. Web’s researchers explain that these trojanized Windows 10 builds hide the following files in the system directory:

  • \Windows\Installer\iscsicli.exe (the dropper)
  • \Windows\Installer\recovery.exe (the injector)
  • \Windows\Installer\kd_08_5e78.dll (the clipper)

Once the OS is installed from the ISO, a scheduled task launches the dropper, iscsicli.exe. The dropper mounts the EFI partition as the “M:” drive and then moves the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.

Next, the injector, recovery.exe, runs and injects the clipper DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process using process hollowing.

Once injected, the clipper checks for the file C:\Windows\INF\scunown.inf and for running analysis tools such as Process Explorer, Task Manager, Process Monitor and ProcessHacker. If it finds either, it stops replacing crypto wallet addresses so that it does not give itself away to security researchers.

While operating, the clipper monitors the system clipboard for cryptocurrency wallet addresses and immediately replaces any it finds with addresses controlled by the attacker.

This redirects payments into the attackers’ wallets. According to Dr. Web’s report, the wallet addresses the researchers were able to identify have received at least $19,000 worth of cryptocurrency.
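One defender-side heuristic that follows from this behaviour, as an added example that is not from the article or from Dr. Web’s report: a clipper rewrites the clipboard almost immediately after the user’s copy, so a wallet address that turns into a different address of the same family within a couple of seconds is suspicious. The address regexes, the 2-second window and the clipboard timeline are assumptions constructed for the example; on a live system the observations would come from polling the Windows clipboard.

```python
import re
from dataclasses import dataclass

# Address families a clipper commonly targets (regexes constructed for this example;
# Dr. Web's report does not list which coins this clipper handles).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class Observation:
    ts: float   # time of the clipboard poll, in seconds
    text: str   # clipboard contents at that time


def wallet_type(text: str):
    """Return the address family of `text`, or None if it is not a wallet address."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def detect_swaps(observations, window=2.0):
    """Flag a wallet address that was replaced by a *different* address of the same
    family within `window` seconds of first appearing on the clipboard. A user
    re-copying a new address takes longer than that; a clipper rewrites the
    clipboard almost immediately after the user's copy."""
    alerts = []
    cur_text, cur_since = None, None          # current value and when it first appeared
    for obs in observations:
        if cur_text is None:
            cur_text, cur_since = obs.text, obs.ts
        elif obs.text != cur_text:
            kind = wallet_type(cur_text)
            if kind and kind == wallet_type(obs.text) and obs.ts - cur_since <= window:
                alerts.append((kind, cur_text.strip(), obs.text.strip()))
            cur_text, cur_since = obs.text, obs.ts
    return alerts


# Constructed clipboard timeline (polled every 0.5 s): the user copies a BTC address and
# half a second later the clipboard holds a different BTC address nobody copied; much
# later the user copies another BTC address and then an ETH address, both normal changes.
SAMPLE = [
    Observation(100.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    Observation(100.5, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    Observation(101.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    Observation(130.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    Observation(131.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
]

if __name__ == "__main__":
    for kind, before, after in detect_swaps(SAMPLE):
        print(f"possible clipper: {kind} address {before} replaced by {after}")
```

Because this clipper suspends itself while tools such as Process Explorer or Task Manager are open, a monitor of this kind should be tested with those tools closed.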

The researchers traced these addresses to the following Windows ISOs available on torrent platforms, though Dr. Web cautioned that other compromised builds may exist:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

Users should avoid downloading pirated operating systems, since such unauthorized builds can easily carry persistent malware.