Cybersecurity firm Doctor Web recently unmasked malicious builds of Windows 10 that are available for download on various torrent sites. The team identified that the malicious Windows 10 builds were infected with a malware dubbed Trojan.Clipper.231, which covertly swaps cryptocurrency wallet addresses in the clipboard with addresses supplied by the attackers. The team estimated that the cybercriminals had made around $19,000 from these pirated Windows 10 builds. Let’s see what the security researchers disclosed about the crypto stealer malware.
This post covers crypto stealer malware, the EFI System Partition, the technical details of the campaign, and finally tips to protect yourself.
What is Crypto Stealer Malware?
Crypto Stealer Malware is a type of malicious software (malware) designed to steal cryptocurrencies from the devices it infects. This malware can target a wide range of cryptocurrencies, including Bitcoin, Ethereum, and many others.
Crypto Stealer Malware usually works by monitoring the clipboard of the infected device. When the user copies a cryptocurrency address (for example, to make a transaction), the malware will replace the copied address with one controlled by the attacker. As a result, when the user pastes the address (assuming it to be the original one), they are actually pasting the attacker’s address. If the user does not notice the change and proceeds with the transaction, the cryptocurrency will be sent to the attacker instead of the intended recipient.
Some sophisticated variants of Crypto Stealer Malware can also steal cryptocurrency wallet files from the infected device or even use keylogging techniques to capture the user’s private keys.
It’s worth noting that Crypto Stealer Malware is usually spread through similar methods as other types of malware, such as phishing emails, malicious websites, and infected software downloads. Therefore, standard cybersecurity practices like using antivirus software, keeping your software up to date, and being cautious with emails and websites you are not familiar with can help protect against Crypto Stealer Malware.
A Short Note About EFI System Partition
Well, the EFI System Partition has a critical role in this campaign. To understand how the campaign works, it helps to know what the EFI System Partition on a hard drive is. The attackers used the EFI System Partition to hide the malware from the operating system’s security and anti-malware tools.
The EFI System Partition (ESP) is a special partition on a computer’s hard drive that is used by the computer’s firmware to start your operating system. This is based on the UEFI (Unified Extensible Firmware Interface) standard, which is a specification that defines a software interface between an operating system and platform firmware.
The ESP contains the bootloader, a piece of software that loads the operating system into memory when the computer is turned on. It also holds other files used in the early stages of the boot process. On Windows, for example, these files include the Windows Boot Manager and hardware abstraction layer (HAL) drivers, among others.
In terms of format, the EFI System Partition is typically formatted as FAT32 and is usually around 100-500 MB in size, though it can be larger if necessary. It’s also worth noting that the ESP is a partition type rather than a specific location on the disk; it can be located anywhere on the drive.
While the ESP is critical for booting your computer, it’s often hidden in disk management tools to prevent accidental modification. As a user, you usually don’t interact with the ESP directly. However, it’s important to be aware of its existence and function, especially when troubleshooting boot issues or setting up a dual-boot system.
Technical Details About the Campaign
As we said in the previous section, the attackers took advantage of the fact that most conventional antivirus solutions do not routinely scan the EFI partition, allowing the malware to bypass malware detection systems. The analysis confirmed that all pirated Windows 10 builds involved in this campaign carry three trojan applications. These malicious programs were identified as Trojan.Clipper.231, a stealer, along with Trojan.MulDrop22.7578, a dropper, and Trojan.Inject4.57873, an injector, both of which facilitate the operation of the clipper.
Clipper malware Installer folder on Windows ISO image (Source: BleepingComputer)
All three malware files are kept in these directories on the pirated Windows 10 build.
- \Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
- \Windows\Installer\recovery.exe (Trojan.Inject4.57873)
- \Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)
List of Pirated Windows 10 Builds Used in the Campaign
Here is the list of Windows 10 builds captured during the analysis. The attackers made these builds available on several torrent seeds. However, it can’t be ruled out that the threat actors are using other platforms to distribute the tainted ISO images. Be wary of such unofficial pirated software offered for free.
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
How Does the Campaign Work?
When the user downloads and installs the operating system from the infected ISO, a scheduled task is created that launches a dropper named iscsicli.exe. This dropper plays a pivotal role in the clipper malware’s execution: it mounts the EFI partition as the “M:” drive and then copies two additional files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.
Following the successful copy, the recovery.exe file comes into action. It employs a technique called process hollowing to inject a clipper malware DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process. This covert injection allows the malware to camouflage itself within a legitimate process, making detection considerably more challenging.
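A defender’s triage check for the artifacts described above (a scheduled task that launches iscsicli.exe, and the three files under \Windows\Installer\), written as an added example rather than code from Doctor Web or this article. The sample schtasks CSV rows, host and task names are constructed, and the rule that iscsicli.exe is legitimate only when run from System32 is an assumption of this example.

```python
import csv
import io
import ntpath
import os
import re

# The three file names the article lists under \Windows\Installer\ in the builds.
INDICATOR_FILES = {
    "iscsicli.exe": "Trojan.MulDrop22.7578",
    "recovery.exe": "Trojan.Inject4.57873",
    "kd_08_5e78.dll": "Trojan.Clipper.231",
}
# Assumption: Microsoft's genuine iscsicli.exe lives in System32 only.
LEGIT_SYSTEM32 = {"iscsicli.exe"}

def suspicious_tasks(schtasks_csv: str):
    """Scan `schtasks /query /fo CSV /v` output for tasks launching an indicator binary."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        cmd = (row.get("Task To Run") or "").strip()
        m = re.match(r'"([^"]+)"|(\S+)', cmd)   # first token: quoted or bare path
        path = ((m.group(1) or m.group(2)) if m else "").lower()
        exe = ntpath.basename(path)
        if exe not in INDICATOR_FILES:
            continue
        if exe in LEGIT_SYSTEM32 and path.endswith("\\system32\\" + exe):
            continue
        hits.append((row.get("TaskName"), path, INDICATOR_FILES[exe]))
    return hits

def dropped_files_present(root: str):
    """Return which indicator paths exist under root, e.g. 'C:\\' or a mounted ESP 'M:\\'."""
    found = []
    for name in INDICATOR_FILES:
        p = os.path.join(root, "Windows", "Installer", name)
        if os.path.exists(p):
            found.append(p)
    return found

# Constructed sample of schtasks CSV output (a subset of the real verbose columns).
SAMPLE_CSV = '''"HostName","TaskName","Status","Author","Task To Run"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft","%windir%\\system32\\defrag.exe -c -h -o -$"
"PC1","\\Constructed\\iSCSIHousekeeping","Ready","Microsoft","C:\\Windows\\System32\\iscsicli.exe"
"PC1","\\Update","Ready","PC1\\user","C:\\Windows\\Installer\\iscsicli.exe"
'''

if __name__ == "__main__":
    for task, path, family in suspicious_tasks(SAMPLE_CSV):
        print(f"[!] task {task} runs {path} ({family})")
```

On a live system, `mountvol M: /S` mounts the ESP before calling dropped_files_present("M:\\"), and `mountvol M: /D` dismounts it afterwards.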
Once the clipper malware infiltrates the system, it initiates a series of evasive mechanisms to avoid detection. Firstly, it scans for the presence of the C:\Windows\INF\scunown.inf file and checks if any analysis tools, such as Process Explorer, Task Manager, Process Monitor, or ProcessHacker, are actively running. This reconnaissance phase is critical for the malware to remain undetected and unimpeded in its operations.
If the clipper detects any indication of analysis tools or the existence of the aforementioned file, it refrains from executing its primary function. By avoiding address substitution in crypto wallets, the malware mitigates the risk of raising suspicion among security researchers or systems equipped with advanced monitoring capabilities.
Once the clipper malware is fully operational, it focuses on monitoring the system clipboard for cryptocurrency wallet addresses. As soon as it identifies any wallet addresses, the malware swiftly replaces them with the attacker’s address. This real-time substitution occurs seamlessly without the user’s knowledge.
Through this tactic, threat actors can redirect payments to their own accounts, bypassing the intended recipients.
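The swap described above leaves a timing signature: the clipper rewrites the address within milliseconds of the user’s copy, so two different addresses of the same type appearing back to back in a short window is a strong signal. The following is an added example of that detection heuristic, not code from Doctor Web or this article; the address regexes, the one-second window and the sample clipboard history are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address formats clippers commonly target (BTC legacy/P2SH, BTC bech32, ETH).
# Loose patterns constructed for this example; they do not validate checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class Snapshot:
    t: float      # seconds since observation started
    text: str     # clipboard contents at that moment

def classify(text: str):
    """Return 'btc'/'eth' if the text looks like a wallet address, else None."""
    t = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return coin
    return None

def detect_swaps(snapshots, window: float = 1.0):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same type faster than a human would copy a second one."""
    alerts = []
    prev = None
    for snap in snapshots:
        coin = classify(snap.text)
        if (prev is not None and coin is not None
                and classify(prev.text) == coin
                and prev.text.strip() != snap.text.strip()
                and snap.t - prev.t <= window):
            alerts.append((prev.text, snap.text, coin))
        prev = snap
    return alerts

# Constructed clipboard history: an ETH address rewritten 200 ms after the copy,
# then two legitimate BTC copies 15 s apart, then unrelated text.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "0x" + "a" * 40),
    Snapshot(0.2, "0x" + "b" * 40),
    Snapshot(10.0, "1ConstructedSampXAddrAAAAAAAAAAAA"),
    Snapshot(25.0, "1ConstructedSampYAddrBBBBBBBBBBBB"),
    Snapshot(30.0, "meeting notes"),
]

if __name__ == "__main__":
    for old, new, coin in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[!] {coin} address in clipboard replaced: {old} -> {new}")
```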
Protective Measures and Recommendations
To safeguard your cryptocurrency transactions from clipper malware and similar threats, it is crucial to follow these recommendations:
- Source Authentic ISO Images: Download operating system ISO images exclusively from trusted sources such as manufacturers’ websites. This minimizes the risk of downloading compromised versions.
- Employ Reliable Antivirus Software: Install and regularly update reputable antivirus software that includes advanced detection mechanisms. This ensures your system is protected against emerging threats.
- Stay Informed and Vigilant: Keep abreast of the latest cybersecurity trends and news. Stay vigilant while engaging in cryptocurrency transactions and exercise caution when sharing wallet addresses.
- Implement Multi-Factor Authentication: Enable multi-factor authentication for your cryptocurrency wallets and exchanges. This adds an extra layer of security, requiring additional verification before accessing your digital assets.
- Regularly Update Software: Keep your operating system, security software, and applications up to date. Regular updates often include patches for known vulnerabilities, enhancing the overall security of your system.
- Practice Safe Online Behavior: Exercise caution when clicking on links or downloading files from unknown sources. Be wary of suspicious emails, websites, or social media messages that may contain malware or phishing attempts.
- Educate Yourself: Stay informed about common attack vectors, such as social engineering and phishing scams. Educate yourself on how to identify and avoid potential threats, enhancing your ability to protect your digital assets.
- Backup Your Wallets: Regularly back up your cryptocurrency wallets and store the backups in secure offline locations. In the event of a security breach, having accessible backups will help restore your funds.
- Utilize Hardware Wallets: Consider using hardware wallets, which provide an extra layer of protection by storing your private keys offline. Hardware wallets are designed to protect your cryptocurrency assets from malware and unauthorized access.
By implementing these preventive measures, you can significantly reduce the risk of falling victim to clipper malware and safeguard your cryptocurrency transactions.
In conclusion, the rise of crypto stealer malware such as clippers poses a significant threat to the security of cryptocurrency transactions. Understanding its modus operandi and taking proactive measures to protect yourself is paramount. By following best practices, utilizing reliable security software, and staying informed about emerging threats, you can fortify the security of your digital assets and enjoy peace of mind while engaging in cryptocurrency transactions.
We hope this post helps you understand the implications of using pirated Windows 10 builds and other unofficial free software. Please share this post if you find it interesting. Visit our website thesecmaster.com and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.