
Pirated Windows 10 Downloads Used to Distribute Clipper Malware

According to a new report by Doctor Web, pirated versions of Windows 10 are being used to distribute clipper malware. Interestingly, the malware is hidden in EFI partitions to evade detection.

There is a lot to unpack in that introduction, so it is best to begin with what clipper malware is. This type of malware tries to steal cryptocurrency from the affected system by reading or manipulating data on the Windows clipboard, such as copied cryptocurrency wallet addresses.

In the past, such malware was distributed by posing as legitimate cryptocurrency applications. Once installed, the malware begins to read and, in some instances, manipulate data stored in the Windows clipboard.

Laplas, a clipper malware, is capable of replacing Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Tron, and other cryptocurrency wallet addresses with ones controlled by the attackers.

An Extensible Firmware Interface (EFI) system partition is a small partition on a hard drive that holds the files used to start an operating system, as well as important system utilities. EFI partitions have been used to hide specific malware components before; now, it seems that an entire malware package can be hidden in such a partition.

Doctor Web summarised the discovery of this campaign distributing the clipper by saying,

...discovered a malicious clipper program in several unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan app substitutes crypto wallet addresses in the clipboard with addresses provided by attackers. As of this moment, malicious actors have managed to steal cryptocurrency in an amount equivalent to about $19,000 US.

As many antivirus packages do not, or in some cases cannot, scan EFI partitions for malware, hiding the malware in this way can successfully evade detection until it is too late.

According to the report, the malware consists of the following files in the Windows system directory:

  • \Windows\Installer\iscsicli.exe (dropper)
  • \Windows\Installer\recovery.exe (injector)
  • \Windows\Installer\kd_08_5e78.dll (clipper)

When the pirated operating system is downloaded, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the "M:\" drive.

Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive. The clipper is then injected into the legitimate %WINDIR%\System32\Lsaiso.exe system process by the installed recovery.exe.

This is another reminder of the dangers of downloading pirated software. To help warn the public, Doctor Web listed some of the malicious torrents but noted that many more could be out there.

The malicious torrents discovered include:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

BlackLotus

As mentioned above, other malware developers have looked to abuse EFI partitions for their own ends. BlackLotus is one such strain. It is commonly sold on underground hacking forums and is advertised as malware that evades antivirus detection, resists removal attempts, and can disable various security features.

The malware is classified as a bootkit, and a license can cost 5,000 USD. Bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the boot sequence.

In April 2023, BlackLotus was seen exploiting CVE-2022-21894, a vulnerability in Microsoft's Secure Boot routine that allowed attackers to bypass security measures. Microsoft noted,

UEFI bootkits are particularly dangerous as they run at computer startup, before the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus.

Microsoft noted that if CVE-2022-21894 was successfully exploited, BlackLotus could:

  • Achieve persistence by enrolling the threat actor's Machine Owner Key (MOK)
  • Turn off HVCI to allow deployment of a malicious kernel driver
  • Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2)
  • Turn off BitLocker to avoid tamper protection strategies on Windows
  • Turn off Microsoft Defender Antivirus to avoid further detection

To detect BlackLotus, and other malware strains that hide in the EFI partition like the above-mentioned Trojan.Clipper.231, Microsoft advises administrators to look for the following artifacts:

  • Recently created and locked bootloader files
  • Presence of a staging directory used during the BlackLotus install in the ESP:/ filesystem (EFI System Partition)
  • Registry key modification for the Hypervisor-protected Code Integrity (HVCI)
  • Network logs
  • Boot configuration logs
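The following PowerShell triage script is an added example (it is not code from Doctor Web, Microsoft, or PCrisk) that checks a host for the artifacts described in both parts of this article: the clipper's files and scheduled task, recently created files on the EFI System Partition, and the HVCI registry setting. It assumes the M: drive letter the report says the dropper uses, the file names quoted from the report, and a constructed 30-day window for "recent".

```powershell
#Requires -RunAsAdministrator
# Added triage example, not from the reports cited above. Read-only except for
# temporarily mounting the EFI System Partition (ESP) on an unused drive letter.
# Assumptions: M: is free (constructed choice, matching the article), and a file
# changed within the last 30 days counts as "recent" (tune to your environment).

$RecentDays   = 30
$ClipperFiles = @('iscsicli.exe', 'recovery.exe', 'kd_08_5e78.dll')   # names from the report

# 1. Clipper components dropped into \Windows\Installer (normally holds .msi caches, not .exe).
$installerDir = Join-Path $env:WINDIR 'Installer'
Get-ChildItem -Path $installerDir -File -ErrorAction SilentlyContinue |
    Where-Object { $ClipperFiles -contains $_.Name } |
    ForEach-Object { Write-Warning "Clipper component on disk: $($_.FullName)" }

# 2. Scheduled tasks whose action launches anything under \Windows\Installer
#    (the report says the dropper iscsicli.exe is started by a scheduled task).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '\\Windows\\Installer\\') {
            Write-Warning "Suspicious task '$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}

# 3. Mount the ESP and list recently created or modified files. This covers the
#    clipper's staging on the ESP as well as the "recently created bootloader files"
#    and staging directory that Microsoft lists for BlackLotus.
$esp = 'M:'
if (-not (Test-Path "$esp\")) { mountvol $esp /S | Out-Null }   # /S mounts the EFI System Partition
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -Path "$esp\" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize
mountvol $esp /D   # /D dismounts the drive letter again

# 4. HVCI state: BlackLotus turns it off, so compare against your baseline.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci    = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
$enabled = if ($hvci) { $hvci.Enabled } else { 'absent' }
if ($enabled -ne 1) { Write-Warning "HVCI is not enabled (Enabled = $enabled)" }
```

Any hit from steps 1 or 2, or an unexplained recent file on the ESP, should be treated as a lead for a full forensic image rather than cleaned in place, since the files on the ESP survive an in-OS reinstall.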

As malware developers continue to look to hide malware components in EFI partitions, network administrators need to be on alert for any kind of exploitation of boot resources.

Microsoft has published a detailed article guiding administrators on how to detect and mitigate BlackLotus infections, and the principles it lays out will also help detect other malware strains that use this technique to hide components.

About the author:

Karolis Liucveikis