Table of Contents
Intro
A recent study conducted by Doctor Web has revealed a concerning association between pirated versions of Windows 10 and the distribution of clipper malware. This particular malware is cleverly concealed within EFI partitions, enabling it to evade standard detection methods effectively.
Identification of
Clipper malware is a specific type of malicious software designed to illicitly obtain currencies from compromised systems by intercepting or modifying data on the Windows clipboard. This malware primarily targets cryptocurrency wallet addresses, manipulating the data involved. In the past, it has masqueraded as legitimate cryptocurrency applications to deceive users. Once installed in a system, the malware gains access to and, in specific circumstances, modifies the data stored in the Windows Clipboard utility. For instance, the Laplas variant of clipper malware has the capability to substitute wallet addresses associated with various cryptocurrencies like Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Tron, and others.
The Extensible Firmware Interface (EFI) partition, which is a small section of the hard drive reserved for installing operating systems and essential system utilities, has historically been exploited to conceal certain malware components. However, it has become evident that EFI partitions can harbor an entire malware entity, posing a significant threat. Detecting malware within EFI partitions presents challenges for most antivirus software, either due to their limited capability or technical obstacles. This evasion technique allows the clipper malware to persist undetected, often causing considerable damage before its discovery.
Report
The report indicates that the malware is discreetly embedded within the following applications found in the system directory:
\Windows\Installer\iscsicli.exe (dropper)
\Windows\Installer\recovery.exe (injector)
\Windows\Installer\kd_08_5e78.dll (clipper)When a pirated version of the operating system is downloaded, a scheduled task is created to trigger the execution of a dropper named iscsicli.exe. This dropper then proceeds to mount the EFI partition as the “M:” drive.
Subsequently, the dropper duplicates the other two files, recovery.exe and kd_08_5e78.dll, onto the C:\ drive. The clipper malware is then injected into the legitimate %WINDIR%\System32\Lsaiso.exe system process using the installed recovery.exe file.
This incident highlights the hazards associated with downloading pirated software. It serves as a reminder of the inherent risks involved. In an effort to raise public awareness, Dr. Web has disclosed some of the identified malicious torrents, while acknowledging the possibility of numerous others circulating.
Confirmed Files
The following torrents have been identified as malicious:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
It is important to note that these torrents have been flagged as malicious, indicating the presence of potential risks. This information is provided to increase public awareness, with the understanding that there may be additional malicious torrents in circulation.
Need help with your Puget Systems PC?
If something is wrong with your Puget Systems PC. We are readily accessible, and our support team comes from a wide range of technological backgrounds to better assist you!
Looking for more support guides?
If you are looking for a solution to a problem you are having with your PC, we also have a number of other support guides that may be able to assist you with other issues.