According to a new report by Doctor Web, pirated versions of Windows 10 are being used to distribute clipper malware. Interestingly, the malware is hidden in EFI partitions to evade detection.
There is a lot to unpack in that introduction, so it is best to begin with what clipper malware is. This type of malware tries to steal cryptocurrency from the affected system by reading or manipulating the data on the Windows clipboard, such as copied cryptocurrency wallet addresses.
In the past, such malware was distributed by posing as legitimate cryptocurrency applications. Once installed, the malware begins to read and, in some instances, manipulate data stored in the Windows clipboard.
Laplas, a clipper malware, is capable of replacing Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Tron, and other cryptocurrency wallet addresses with ones owned by the attackers.
The EFI System Partition (ESP), usually just called the EFI partition, is a small partition on a hard drive from which the firmware boots the operating system or important system utilities. EFI partitions have been used before to hide specific malware components; now, it seems, an entire malware package can be hidden in one.
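To make the substitution behaviour concrete from the defender's side, here is an added example (not code from the article or from Doctor Web) of a detection heuristic: it classifies clipboard contents as wallet addresses by format and flags the case where one address is replaced by a different address of the same family within a fraction of a second, which is how a clipper behaves and how a person does not. The address patterns, the two-second window and the clipboard history are assumptions constructed for the example; a real monitor would feed it events polled from the Windows clipboard (for instance with the `win32clipboard` module from pywin32).

```python
import re
from dataclasses import dataclass

# Format checks (prefix, alphabet, length) for the address families the article
# names. Simplification assumed for the example: no checksum validation, so this
# only answers "does the text look like a wallet address", which is all the
# clipboard heuristic needs.
BASE58 = r"[a-km-zA-HJ-NP-Z1-9]"      # Base58 alphabet (no 0, O, I, l)
BECH32 = r"[02-9ac-hj-np-z]"          # bech32 alphabet (no 1, b, i, o)
ADDRESS_PATTERNS = {
    "bitcoin":      re.compile(rf"^(bc1{BECH32}{{25,62}}|[13]{BASE58}{{25,34}})$"),
    "bitcoin-cash": re.compile(rf"^(bitcoincash:)?[qp]{BECH32}{{41}}$"),
    "litecoin":     re.compile(rf"^(ltc1{BECH32}{{25,62}}|[LM]{BASE58}{{26,33}})$"),
    "ethereum":     re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron":         re.compile(rf"^T{BASE58}{{33}}$"),
}


@dataclass
class ClipboardEvent:
    seconds: float   # when the clipboard was read, relative to monitoring start
    content: str


@dataclass
class Substitution:
    seconds: float
    coin: str
    original: str
    replacement: str


def classify_address(text):
    """Return the coin family the text looks like, or None for ordinary text."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_substitutions(events, max_gap=2.0):
    """Flag a clipboard change in which one wallet address is replaced by a
    different address of the same family within max_gap seconds. A clipper
    rewrites the clipboard immediately after the user's copy; a person copying
    a second address normally takes far longer than two seconds."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        before, after = prev.content.strip(), cur.content.strip()
        coin = classify_address(before)
        if (coin is not None and classify_address(after) == coin
                and before != after and cur.seconds - prev.seconds <= max_gap):
            alerts.append(Substitution(cur.seconds, coin, before, after))
    return alerts


# Constructed clipboard history for the demonstration (not captured from a real host).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(5.0, "0x52908400098527886E0F7030069857D2E4169EE7"),  # user copies an address
    ClipboardEvent(5.3, "0xdeadbeef" + "0" * 31 + "1"),                 # replaced 300 ms later
    ClipboardEvent(60.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipboardEvent(95.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),          # 35 s later: normal use
]

if __name__ == "__main__":
    for s in detect_substitutions(SAMPLE_EVENTS):
        print(f"t={s.seconds}s {s.coin}: {s.original} -> {s.replacement}")
```

Only the Ethereum pair is reported: the two Bitcoin addresses are 35 seconds apart, which the heuristic treats as the user copying something new. The timing threshold is the whole point of the check; comparing addresses alone would flag every second copy.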
Doctor Web summarised the discovery of this campaign distributing the clipper by saying,
...discovered a malicious clipper program in several unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan app substitutes crypto wallet addresses in the clipboard with addresses provided by attackers. As of this moment, malicious actors have managed to steal cryptocurrency in an amount equivalent to about $19,000 US.
As many antivirus packages do not, or in some cases cannot, scan EFI partitions for malware, hiding the malware in this way can successfully evade detection until it is too late.
According to the report, the malware is split across the following files in the system directory:
- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
When the pirated operating system is downloaded, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the "M:\" drive.
Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive. The clipper is then injected into the legitimate %WINDIR%\System32\Lsaiso.exe system process by the copied recovery.exe.
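The dropper chain above leaves two things an administrator can look for: a scheduled task whose action runs iscsicli.exe from somewhere other than System32, and the three files at the reported paths on the EFI partition. The following is an added example (not code from the article or from Doctor Web) that checks both: it parses a scheduled task exported as XML (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) and looks for the artifact files under a mounted EFI partition, which on Windows can be attached with `mountvol M: /S`. The sample task XML and the throw-away directory tree are constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# File paths named in the Doctor Web report, relative to the EFI partition root.
CLIPPER_ARTIFACTS = {
    "dropper":  r"Windows\Installer\iscsicli.exe",
    "injector": r"Windows\Installer\recovery.exe",
    "clipper":  r"Windows\Installer\kd_08_5e78.dll",
}

# Namespace used by Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, no quotes, lower case."""
    return path.replace("/", "\\").strip().strip('"').lower()


def suspicious_task_commands(task_xml):
    """Return the <Exec><Command> values in a scheduled-task XML document that
    point at a listed artifact path, or that run iscsicli.exe from anywhere
    other than \\Windows\\System32 (where the legitimate iSCSI tool lives).
    Exported task files are UTF-16 on disk; decode before calling this."""
    root = ET.fromstring(task_xml)
    hits = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        command = _norm(cmd.text or "")
        artifact = any(command.endswith(_norm(p)) for p in CLIPPER_ARTIFACTS.values())
        misplaced_iscsicli = (command.endswith("\\iscsicli.exe")
                              and "\\windows\\system32\\iscsicli.exe" not in command)
        if artifact or misplaced_iscsicli:
            hits.append(cmd.text.strip())
    return hits


def find_artifacts(esp_root):
    """Check a mounted EFI partition root (e.g. 'M:\\' after `mountvol M: /S`)
    for the three reported files; returns {role: full path} for those present."""
    found = {}
    for role, rel in CLIPPER_ARTIFACTS.items():
        full = os.path.join(esp_root, *rel.split("\\"))
        if os.path.isfile(full):
            found[role] = full
    return found


# Constructed task export for the demonstration; the command is the reported
# dropper path on the partition mounted as M:.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>M:\Windows\Installer\iscsicli.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task: the real iSCSI tool from its normal location.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\iscsicli.exe</Command></Exec>
    <Exec><Command>%windir%\system32\notepad.exe</Command></Exec>
  </Actions>
</Task>
"""


def make_demo_esp():
    """Build a temporary directory shaped like the partition in the report,
    containing the dropper and injector but not the DLL (constructed sample)."""
    root = tempfile.mkdtemp(prefix="esp_demo_")
    installer = os.path.join(root, "Windows", "Installer")
    os.makedirs(installer)
    for name in ("iscsicli.exe", "recovery.exe"):
        open(os.path.join(installer, name), "wb").close()
    return root


if __name__ == "__main__":
    print("suspicious task commands:", suspicious_task_commands(SAMPLE_TASK_XML))
    print("artifacts on demo ESP:", find_artifacts(make_demo_esp()))
```

On a live system the XML would come from `schtasks /query /xml /tn <task>` for each task (decoded from UTF-16), and `find_artifacts` would be pointed at the drive letter returned by mountvol; remember to unmount with `mountvol M: /D` afterwards.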
This is another reminder of the dangers of downloading pirated software. To help warn the public, Dr Web listed some of the malicious torrents but noted that many more could be out there.
The malicious torrents discovered include:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
As mentioned above, other malware developers have looked to abuse EFI partitions for their own ends. BlackLotus is one such malware strain. It is commonly sold on underground hacking forums and is advertised as evading antivirus detection, resisting removal attempts, and disabling various security features.
The malware is classified as a bootkit, and a license can cost 5,000 USD. Bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the boot sequence.
UEFI bootkits are particularly dangerous because they run at computer startup, before the operating system loads, and can therefore interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus.
Microsoft noted that if CVE-2022-2184 was successfully exploited, BlackLotus could:
- Achieve persistence by enrolling the threat actor's Machine Owner Key (MOK)
- Turn off HVCI to allow deployment of a malicious kernel driver
- Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2)
- Turn off BitLocker to avoid tamper protection strategies on Windows
- Turn off Microsoft Defender Antivirus to avoid further detection
To detect BlackLotus, and other malware strains such as the above-mentioned Trojan.Clipper.231, Microsoft advises that administrators look for the following artifacts:
- Recently created and locked bootloader files
- Presence of a staging directory used during the BlackLotus install in the ESP:/ filesystem (EFI System Partition)
- Registry key modification for the Hypervisor-protected Code Integrity (HVCI)
- Network logs
- Boot configuration logs
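Three of the artifacts in that list can be checked from a file listing and a registry export alone. The following is an added example (not code from the article or from Microsoft's guidance) that does so: it reads a `.reg` export of the HVCI key and reports whether the `Enabled` value has been set to 0, lists bootloader files under `EFI\Microsoft\Boot` on a mounted EFI partition that were written recently, and lists top-level directories on the partition other than `EFI`, where an installer's staging directory would appear. The 30-day window, the expected-directory list and the demo directory tree are assumptions constructed for the example; a real EFI partition may legitimately hold vendor directories, so the last check produces a review list rather than a verdict.

```python
import os
import re
import time
import tempfile

# Registry key that controls hypervisor-protected code integrity (HVCI);
# the 'Enabled' DWORD under it is 1 when HVCI is turned on.
HVCI_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard"
            r"\Scenarios\HypervisorEnforcedCodeIntegrity")


def hvci_disabled_in_export(reg_text):
    """Parse a .reg export (as written by `reg export <key> file.reg`) and
    return True only if the HVCI 'Enabled' value is present and equal to 0.
    An absent key means HVCI is simply not configured, which is reported as
    False here so that it can be handled separately."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == HVCI_KEY.lower()
            continue
        if in_key:
            m = re.match(r'"Enabled"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                return int(m.group(1), 16) == 0
    return False


def recent_bootloader_files(esp_root, max_age_days=30, now=None):
    """Files under EFI\\Microsoft\\Boot on the mounted partition whose modification
    time falls within max_age_days: a freshly dropped or replaced bootloader.
    Paths are returned relative to esp_root."""
    now = time.time() if now is None else now
    boot_dir = os.path.join(esp_root, "EFI", "Microsoft", "Boot")
    recent = []
    for dirpath, _, files in os.walk(boot_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if now - os.path.getmtime(full) < max_age_days * 86400:
                recent.append(os.path.relpath(full, esp_root))
    return sorted(recent)


def unexpected_top_level(esp_root, expected=("EFI",)):
    """Top-level entries on the partition other than the expected ones; a
    staging directory left behind by an installer shows up here. The default
    expected list is an assumption and should be extended per platform."""
    allowed = {e.lower() for e in expected}
    return sorted(e for e in os.listdir(esp_root) if e.lower() not in allowed)


# Constructed .reg exports for the demonstration (not taken from a real machine).
REG_HVCI_DISABLED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000000
"""

REG_HVCI_ENABLED = REG_HVCI_DISABLED.replace("dword:00000000", "dword:00000001")


def make_demo_esp():
    """Build a throw-away directory tree shaped like an EFI partition: one old
    bootloader file, one freshly written one, and an unexpected top-level
    directory named 'staging' (a constructed placeholder, not a real name)."""
    root = tempfile.mkdtemp(prefix="esp_demo_")
    boot = os.path.join(root, "EFI", "Microsoft", "Boot")
    os.makedirs(boot)
    os.makedirs(os.path.join(root, "staging"))
    old, new = os.path.join(boot, "memtest.efi"), os.path.join(boot, "bootmgfw.efi")
    for path in (old, new):
        open(path, "wb").close()
    long_ago = time.time() - 400 * 86400
    os.utime(old, (long_ago, long_ago))          # back-date the old file
    return root


if __name__ == "__main__":
    root = make_demo_esp()
    print("HVCI disabled:", hvci_disabled_in_export(REG_HVCI_DISABLED))
    print("recent bootloader files:", recent_bootloader_files(root))
    print("unexpected top-level entries:", unexpected_top_level(root))
```

Timestamps on FAT-formatted EFI partitions are coarse and can be set by whoever writes the file, so the recency check is a triage aid, not proof; a hit should be followed by comparing the file's hash and signature against a known-good Windows bootloader and by reviewing the boot configuration and network logs the list also names.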
As malware developers continue to hide malware components in EFI partitions, network administrators need to be on alert for any kind of abuse of boot resources.
Microsoft has provided a thorough article guiding individuals on how to detect and mitigate BlackLotus infections, and the principles it lays out will also help detect other malware strains that use this technique to hide their components.