Hackers are distributing pirated Windows 10 builds via torrents that hide a cryptocurrency-stealing clipper in the EFI (Extensible Firmware Interface) partition to evade detection.
The EFI partition is a small system partition containing the bootloader and related files executed before the operating system's startup. It is essential for UEFI-powered systems that replace the now-obsolete BIOS.
There have been attacks utilizing modified EFI partitions to activate malware from outside the context of the OS and its defense tools, like in the case of BlackLotus. However, the pirated Windows 10 ISOs discovered by researchers at Dr. Web merely use EFI as a safe storage space for the clipper components.
Since standard antivirus tools do not commonly scan the EFI partition, storing the components there lets the malware evade detection.
Dr. Web's report explains that the malicious Windows 10 builds hide the following apps in the system directory:
- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
When the operating system is installed using the ISO, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the "M:\" drive. Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.
Recovery.exe is then launched, which injects the clipper malware DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process via process hollowing.
After being injected, the clipper will check if the C:\Windows\INF\scunown.inf file exists or if any analysis tools are running, such as Process Explorer, Task Manager, Process Monitor, ProcessHacker, etc.
If either is found, the clipper does not substitute wallet addresses, so that security researchers analyzing it see no malicious behavior.
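As an added example that is not part of the article or the Dr. Web report, the following PowerShell triage script checks a Windows host for the artifacts named above: the three files in \Windows\Installer on the EFI System Partition, the scunown.inf marker, a scheduled task that launches a copy of iscsicli.exe, and an LsaIso.exe process with an unexpected parent. The drive letter T:, the assumption that the dropped copies land in the root of C:\, and the assumption that a legitimate LsaIso.exe is started by wininit.exe are this script's own, not the report's; it only reads and reports, and must be run from an elevated prompt because mounting the ESP requires it.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the article or Dr. Web). Read-only: it mounts
# the EFI System Partition, looks for the named artifacts, and unmounts again.

$EspLetter = 'T:'    # assumed free drive letter; change if T: is in use

# Paths on the ESP where the report says the build stores its components.
# Note: a genuine iscsicli.exe lives in %WINDIR%\System32, not \Windows\Installer.
$EspPayloads = @(
    '\Windows\Installer\iscsicli.exe',    # dropper
    '\Windows\Installer\recovery.exe',    # injector
    '\Windows\Installer\kd_08_5e78.dll'   # clipper
)
# Files the dropper copies to the C: drive; root location is this script's assumption.
$DroppedCopies = @('C:\recovery.exe', 'C:\kd_08_5e78.dll')
# Marker file the clipper checks to decide whether to stay dormant.
$MarkerFile = 'C:\Windows\INF\scunown.inf'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Mount the ESP (mountvol <letter> /S) and look for the stored components.
mountvol $EspLetter /S | Out-Null
if (-not (Test-Path -LiteralPath "$EspLetter\")) {
    Write-Warning "Could not mount the EFI System Partition as $EspLetter"
} else {
    try {
        foreach ($rel in $EspPayloads) {
            $path = "$EspLetter$rel"
            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $findings.Add("ESP payload present: $path (SHA256 $hash)")
            }
        }
    } finally {
        mountvol $EspLetter /D | Out-Null   # always release the drive letter
    }
}

# 2. Dropped copies and the dormancy marker on the system drive.
foreach ($path in $DroppedCopies + $MarkerFile) {
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# 3. Persistence: any scheduled task whose action launches an iscsicli.exe
#    from somewhere other than System32 is suspicious.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -match 'iscsicli' -and
            $action.Execute -notmatch '\\System32\\iscsicli\.exe$') {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) runs $($action.Execute) $($action.Arguments)")
        }
    }
}

# 4. Hollowed LsaIso.exe: the report says recovery.exe injects the clipper into
#    LsaIso.exe, so an instance not parented by wininit.exe (assumed normal parent)
#    deserves a look.
$procs = Get-CimInstance Win32_Process
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'LsaIso.exe' })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ine 'wininit.exe') {
        $findings.Add("LsaIso.exe PID $($p.ProcessId) has unexpected parent $parentName (PID $($p.ParentProcessId))")
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the report were found on this host.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A hit on step 1 alone is decisive, since nothing legitimate installs into \Windows\Installer on the ESP. Steps 3 and 4 are heuristics: the task check will miss a task that launches the dropper through an intermediate binary, and the parent check is only meaningful if the script's assumption about LsaIso.exe's normal parent holds on the host being examined.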
Once the clipper is running, it will monitor the system clipboard for cryptocurrency wallet addresses. If any are found, they are replaced on-the-fly with addresses under the attacker's control.
This allows the threat actors to redirect payments to their accounts, which, according to Dr. Web, has earned them at least $19,000 worth of cryptocurrency across the wallet addresses the researchers were able to identify.
These addresses were extracted from the following Windows ISOs shared on torrent sites, but Dr. Web warns that there could be more out there:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
Pirated OS downloads should be avoided because they can be dangerous, as those who create the unofficial builds can easily hide persistent malware.
Comments
Hmm888 - 10 months ago
I used EaseUS partition manager this year to remove an extra partition reserved for Windows backup. In doing so, it messed things up and opened up my EFI partition, labelling it Drive Z, and it can't be hidden. Supposedly, this is a known "bug" within Windows 10/11. So I can understand how hiding in the EFI partition can be exploited.
JustinFlynn - 10 months ago
Why are they downloading pirated ISOs anyway? Do these bypass the license somehow?
EndangeredPootisBird - 10 months ago
It's mostly people from poorer regions of the world. And I believe they do it by using a "cracked", old version of the operating system, which removes pretty much all security features in place, like Windows Update, Windows Defender, Windows Firewall, and so on, so even if the copy isn't outright infected, people who use them will be at great risk even by just connecting to the internet.
NoneRain - 10 months ago
Yep. The so-called 'Light', 'Clean', 'Unbloated', 'Gamer edition' builds being downloaded from torrent sites, or "youtubers" recommending them with ad links.
Hmm888 - 10 months ago
They don't realize they can "buy" official Windows Product keys online on Ebay and more for virtually nothing.
cyberlol - 10 months ago
Some people don't have the necessary knowledge. They simply take their computer to a technician to repair it and they install pirated versions to save money, not considering the risks.
maksym2333 - 10 months ago
It's easier to say that there is no license at all. ))))
GenericUsername - 10 months ago
To be blunt, if people are dumb enough to download a pirated Windows ISO, they deserve what they get.
maksym2333 - 10 months ago
Ha-ha guys, how funny it is to read you. No one in our country pays, because it is easier to download, or get for free, and not have to pay even 1 dollar. I have licensed Windows and Office without paying a single dollar.