Hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.
The
EFI partition is a small system partition containing the bootloader and related files executed before the operating system's startup. It is essential for UEFI-powered systems that replace the now-obsolete BIOS.
There have been attacks utilizing modified EFI partitions to activate malware from outside the context of the OS and its defense tools, like in the case of
BlackLotus. However, the pirated Windows 10 ISOs
discovered by researchers at Dr. Web merely use EFI as a safe storage space for the clipper components.
Since standard antivirus tools do not commonly scan the EFI partition, the malware can potentially bypass malware detections.
Dr. Web's report explains that the malicious Windows 10 builds hide the following apps in the system directory:
- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
When the operating system is installed using the ISO, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the "M:\" drive. Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.
Recovery.exe is then launched, which injects the clipper malware DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process via process hollowing.
After being injected, the clipper will check if the C:\Windows\INF\scunown.inf file exists or if any analysis tools are running, such as Process Explorer, Task Manager, Process Monitor, ProcessHacker, etc.
If they are detected, the clipper will not substitute crypto wallet addresses to evade detection by security researchers.
Once the clipper is running, it will monitor the system clipboard for cryptocurrency wallet addresses. If any are found, they are replaced on-the-fly with addresses under the attacker's control.
This allows the threat actors to redirect payments to their accounts, which according to Dr. Web, has made them at least $19,000 worth of cryptocurrency on the
wallet addresses the researchers were able to identify.
