Hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.
The EFI partition is a small system partition containing the bootloader and related files executed before the operating system’s startup. It is essential for UEFI-powered systems that replace the now-obsolete BIOS.
There have been attacks utilizing modified EFI partitions to activate malware from outside the context of the OS and its defense tools, like in the case of BlackLotus. However, the pirated Windows 10 ISOs discovered by researchers at Dr. Web merely use EFI as a safe storage space for the clipper components.
Since standard antivirus tools do not commonly scan the EFI partition, the malware can potentially bypass malware detections.
Dr. Web’s report explains that the malicious Windows 10 builds hide the following apps in the system directory:
- WindowsInstalleriscsicli.exe (dropper)
- WindowsInstallerrecovery.exe (injector)
- WindowsInstallerkd_08_5e78.dll (clipper)
When the operating system is installed using the ISO, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the “M:” drive. Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C: drive.
Recovery.exe is then launched, which injects the clipper malware DLL into the legitimate %WINDIR%System32Lsaiso.exe system process via process hollowing.
After being injected, the clipper will check if the C:WindowsINFscunown.inf file exists or if any analysis tools are running, such as Process Explorer, Task Manager, Process Monitor, ProcessHacker, etc.
If they are detected, the clipper will not substitute crypto wallet addresses to evade detection by security researchers.
Once the clipper is running, it will monitor the system clipboard for cryptocurrency wallet addresses. If any are found, they are replaced on-the-fly with addresses under the attacker’s control.
This allows the threat actors to redirect payments to their accounts, which according to Dr. Web, has made them at least $19,000 worth of cryptocurrency on the wallet addresses the researchers were able to identify.
These addresses were extracted from the following Windows ISO shared on torrent sites, but Dr. Web warns that there could be more out there:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
Pirated OS downloads should be avoided because they can be dangerous, as those who create the unofficial builds can easily hide persistent malware.