Pirated Windows 10 ISOs install clipper malware via EFI partitions


Level 76
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
Hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.

The EFI partition is a small system partition containing the bootloader and related files executed before the operating system's startup. It is essential for UEFI-powered systems that replace the now-obsolete BIOS.

There have been attacks utilizing modified EFI partitions to activate malware from outside the context of the OS and its defense tools, like in the case of BlackLotus. However, the pirated Windows 10 ISOs discovered by researchers at Dr. Web merely use EFI as a safe storage space for the clipper components.

Since standard antivirus tools do not commonly scan the EFI partition, the malware can potentially bypass malware detections.

Dr. Web's report explains that the malicious Windows 10 builds hide the following apps in the system directory:
  1. \Windows\Installer\iscsicli.exe (dropper)
  2. \Windows\Installer\recovery.exe (injector)
  3. \Windows\Installer\kd_08_5e78.dll (clipper)
When the operating system is installed using the ISO, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the "M:\" drive. Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.

Recovery.exe is then launched, which injects the clipper malware DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process via process hollowing.

After being injected, the clipper will check if the C:\Windows\INF\scunown.inf file exists or if any analysis tools are running, such as Process Explorer, Task Manager, Process Monitor, ProcessHacker, etc.

If they are detected, the clipper will not substitute crypto wallet addresses to evade detection by security researchers.

Once the clipper is running, it will monitor the system clipboard for cryptocurrency wallet addresses. If any are found, they are replaced on-the-fly with addresses under the attacker's control.

This allows the threat actors to redirect payments to their accounts, which according to Dr. Web, has made them at least $19,000 worth of cryptocurrency on the wallet addresses the researchers were able to identify.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.