Doctor Web identifies pirated Windows builds with crypto stealer that penetrates EFI partition

June 13, 2023

Doctor Web has uncovered a malicious clipper program in several unofficial Windows 10 builds that attackers have been distributing through a torrent tracker. Detected as Trojan.Clipper.231, this trojan replaces cryptocurrency wallet addresses in the clipboard with attacker-supplied ones. At the time of writing, the attackers have stolen cryptocurrency worth approximately $19,000 US.

In May 2023, a customer contacted Doctor Web suspecting that their Windows 10 computer was infected. The analysis our specialists carried out confirmed the presence of trojan applications on the system: the Trojan.Clipper.231 stealer, together with the Trojan.MulDrop22.7578 dropper and the Trojan.Inject4.57873 injector, which were used to launch the clipper. The Doctor Web virus laboratory contained and neutralized the infection.

At the same time, it turned out that the operating system in question was an unofficial build and that the malicious apps had been integrated into it from the outset. Further investigation revealed several such compromised Windows builds:

Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

All of them were available for download on one of the torrent trackers, but the attackers may also be distributing infected ISO images through other sites.

The malicious apps in these builds are located in the system directory:

\Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
\Windows\Installer\recovery.exe (Trojan.Inject4.57873)
\Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)

The clipper is initialized in several stages. In the first stage, Trojan.MulDrop22.7578 is launched via the system Task Scheduler:

%SystemDrive%\Windows\Installer\iscsicli.exe

This dropper mounts the EFI system partition as drive M:, copies the two other malicious components onto it, deletes the original trojan files from drive C:, launches Trojan.Inject4.57873, and finally unmounts the EFI partition. Because the EFI system partition normally has no drive letter assigned and is rarely inspected, components staged there are easy to overlook.

In turn, Trojan.Inject4.57873 uses the process hollowing technique to inject Trojan.Clipper.231 into the %WINDIR%\System32\Lsaiso.exe system process, after which the clipper runs in the context of that process.

Once running, Trojan.Clipper.231 monitors the clipboard and replaces any cryptocurrency wallet address copied into it with an attacker-controlled address. The trojan does, however, have several constraints. First, it only begins substituting addresses if it finds the file %WINDIR%\INF\scunown.inf. Second, it checks the list of running processes: if it detects processes belonging to any of a number of applications it considers a threat to itself, it does not substitute the wallet addresses.
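A host-side hunt for the staging and persistence artifacts described in the steps above, written here as an added example; it is not Doctor Web's code and is not derived from the trojans' own logic. It assumes an administrative PowerShell session on a UEFI system, that mountvol /S mounts the EFI system partition the dropper used, that this partition normally contains only the EFI\Microsoft and EFI\Boot trees (adjust the pattern on a dual-boot machine), and that some drive letter from M: to Z: is free. The file names and the marker file are taken from the article; the scheduled-task pattern, the partition layout and the Credential Guard check are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added hunting script (example, not Doctor Web's code) for the infection chain
# described in the article: dropper started by Task Scheduler, components staged
# on the EFI system partition (ESP), clipper hollowed into LsaIso.exe.
# Assumptions: UEFI system, ESP holds only EFI\Microsoft and EFI\Boot, M:..Z: free.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks whose action starts an executable from \Windows\Installer.
#    The dropper is launched this way; the exact task name is not published,
#    so the path pattern is the assumption here.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match '\\Windows\\Installer\\[^\\]+\.exe') {
            $findings.Add("Task $($task.TaskPath)$($task.TaskName) runs $($action.Execute)")
        }
    }
}

# 2. Files the dropper leaves on the system drive before moving them, plus the
#    marker file the clipper checks before it starts substituting addresses.
$paths = @(
    "$env:SystemDrive\Windows\Installer\iscsicli.exe",
    "$env:SystemDrive\Windows\Installer\recovery.exe",
    "$env:SystemDrive\Windows\Installer\kd_08_5e78.dll",
    "$env:WINDIR\INF\scunown.inf"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 3. Mount the ESP on a free drive letter (mountvol /S), list every file outside
#    the expected boot trees with its SHA-256, then unmount again.
$letter = [char[]](77..90) | Where-Object { -not (Test-Path "$($_):\") } | Select-Object -First 1
if (-not $letter) { throw 'No free drive letter to mount the EFI system partition' }
$root = "$($letter):"
& mountvol $root /S | Out-Null
if ($LASTEXITCODE -eq 0) {
    try {
        $files = Get-ChildItem -LiteralPath "$root\" -Recurse -File -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $rel = $f.FullName.Substring($root.Length)   # e.g. \EFI\Microsoft\Boot\bootmgfw.efi
            if ($rel -notmatch '^\\EFI\\(Microsoft|Boot)\\') {
                $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                $findings.Add("Unexpected file on ESP: $rel sha256=$hash")
            }
        }
    } finally {
        & mountvol $root /D | Out-Null
    }
} else {
    Write-Warning "mountvol $root /S failed (exit code $LASTEXITCODE); is this a UEFI system?"
}

# 4. LsaIso.exe is the isolated-LSA process that is normally present only while
#    Credential Guard is running. A running LsaIso.exe on a host without
#    Credential Guard points at another program hosting code under that name,
#    which is what the injector's process hollowing produces.
$lsaiso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
if ($lsaiso) {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    if (-not ($dg -and ($dg.SecurityServicesRunning -contains 1))) {
        $findings.Add("LsaIso.exe running (PID $($lsaiso.Id -join ', ')) but Credential Guard is not")
    }
}

if ($findings.Count -eq 0) { 'No indicators of this infection chain found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt and treat every line it reports as a lead to examine rather than a verdict. The absence of the files in step 2 proves nothing on its own: the dropper deletes its originals from drive C: once they have been staged on the partition, which is exactly why step 3 looks at the partition directly.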

Malware lodging itself on the EFI partition is still a very rare attack vector, which makes this case of particular interest to information security specialists.

According to our specialists' calculations, at the time of this news release the attackers have used Trojan.Clipper.231 to steal 0.73406362 BTC and 0.07964773 ETH, equivalent to $18,976.29 US.

Users are advised to download only original ISO images of operating systems, and only from trusted sources such as the manufacturers' websites. Comparing the SHA-256 hash of a downloaded image with the value the vendor publishes is a simple way to confirm that the image has not been modified. Dr.Web anti-virus already detects Trojan.Clipper.231 and the other malicious programs related to it, so they pose no threat to our users.

More details on Trojan.Clipper.231

More details on Trojan.MulDrop22.7578

More details on Trojan.Inject4.57873

Indicators of compromise