According to researchers from Dr. Webthey found out when a customer contacted them that their Windows 10 computer had been infected.
Further analysis revealed that the hackers had hidden the clipper malware within the Extensible Firmware Interface (EFI) partition in compromised versions of Windows 10 available for torrent. The main function of clipper malware is Monitor the system clipboard for cryptocurrency wallet addresses, quickly replacing any found with addresses under attacker control.
Using the EFI partition was a way to evade detection by traditional antivirus software, since it is not normally scanned. The EFI partition houses essential files like the bootloader, which runs before the operating system boots. This means that malware stored here will be activated outside of the context of the operating system and its defense tools.
Unique to this malware, the hackers used the modified EFI partition to store malicious components to discreetly hide various applications in the system directory, such as droppers and injector Trojans.
According to Dr. Web's calculations, the hackers used the clipper to steal 0.73406362 BTC and 0.07964773 ETH, which is equivalent to the sum of more than ยฃ15,000. However, this could be a fraction of the amount hoarded by cybercriminals, as the addresses identified in this investigation were for Windows 10 ISO files that were shared on popular torrent sites.
โThe infiltration of malware into the EFI partition of computers as an attack vector is still very rare. Therefore, the identified case is of great interest to information security specialists,โ said the Dr. Web researchers.
Recommended
Hacking methodology
The malware-infected Windows 10 ISOs discovered by Dr. Web contain the following applications hidden in the system directory:
- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
When a user installs one of these compromised ISOs, a scheduled task is created to start a dropper called iscsicli.exe. The dropper mounts the EFI partition as drive 'M:' and proceeds to copy the files 'recovery.exe' and 'kd_08_5e78.dll' to drive C:\.
The file 'recovery.exe' is then executed, injecting the clipper malware DLL into the system process '%WINDIR%\System32\Lsaiso.exe' using a process called flush. Once injected, the malware will scan the system for analysis tools to avoid detection by security researchers.
Dr. Web suggests that users download only original ISO images of operating systems and only from trusted sources, such as manufacturers' websites. Unofficial builds may contain hidden and persistent malware.
Additionally, regular security software updates and maintaining strong cybersecurity practices are essential to guard against emerging threats in the digital landscape.
Related
