Pirated Windows Installer Discovered with Crypto-Hijacker and EFI Partition Exploit

The infiltration of the EFI (Extensible Firmware Interface) system partition is increasingly becoming a valuable tool for sophisticated security threats.

The EFI system partition (ESP) holds the bootloader and related files that execute before the operating system starts; every UEFI-based system, which has replaced the legacy BIOS, depends on it.

Attacks that modify the EFI partition to launch malware outside the operating system and its defensive tooling have been observed before (BlackLotus, a UEFI bootkit, is the best-known case). The pirated Windows 10 ISOs examined by Dr. Web researchers do something simpler: they use the EFI partition only as a storage location for the clipper components, where the files are unlikely to be scanned.

The strategy behind this EFI partition abuse is to take advantage of the fact that standard antivirus tools usually do not scan the EFI partition. Files parked there sit in a blind spot, so the malware components can evade detection and remain on the system unnoticed.

Malicious Windows 10 Builds: Hidden Applications

According to Dr. Web’s report, the malicious Windows 10 builds hide the following applications in the system directory:

\Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)

\Windows\Installer\recovery.exe (Trojan.Inject4.57873)

\Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)

[Figure: Installer folder on Windows ISO image]

During installation of the operating system from the ISO, a scheduled task is created that launches iscsicli.exe (Trojan.MulDrop22.7578), which mounts the EFI partition as the "M:" drive. Once the partition is mounted, Trojan.MulDrop22.7578 copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.

Next, recovery.exe is executed, injecting the clipper malware DLL into the legitimate %WINDIR%\System32\Lsaiso.exe system process using process hollowing.

Once injected, the clipper checks for the presence of the C:\Windows\INF\scunown.inf file and for running analysis tools such as Process Explorer, Task Manager, Process Monitor, ProcessHacker, and others.

If any of these are detected, the clipper refrains from substituting crypto wallet addresses to avoid detection by security researchers.

Once the clipper is running, it monitors the system clipboard for cryptocurrency wallet addresses. When detected, it dynamically replaces them with addresses controlled by the attackers.

This enables the threat actors to redirect payments to their own accounts. Based on the wallet addresses identified by Dr. Web researchers, which were extracted from multiple Windows ISOs shared on torrent sites, at least $19,000 worth of cryptocurrency has been stolen this way.
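For defenders who want to check a machine against the chain described above, the following PowerShell script is an added example written for this page; it is not code from the Dr. Web report or from the malware. It mounts the EFI system partition read-only for inspection, inventories and hashes any .exe/.dll or report-named file found there, lists scheduled tasks whose action runs an executable out of \Windows\Installer (the legitimate iscsicli.exe lives in System32, not there), and checks the root of C:\ for the dropped components. The drive letter S:, the choice of indicators and the assumption that the ESP is accessible via mountvol /S are this example's own; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added defender-side check (not from the Dr. Web report): look for the file and
# scheduled-task indicators of the pirated-ISO clipper chain described above.

$EspLetter = 'S:'   # assumption: any free letter; the malware itself used M:
$KnownBad  = @('iscsicli.exe', 'recovery.exe', 'kd_08_5e78.dll')  # names from the report

# 1. Temporarily give the EFI system partition a drive letter so it can be listed.
mountvol $EspLetter /S
if ($LASTEXITCODE -ne 0) { throw "Could not mount the EFI system partition on $EspLetter" }

try {
    # 2. Inventory the ESP. PE files (.exe/.dll) have no business on it, and any
    #    file carrying one of the report's names is reported regardless of location.
    $espFiles   = Get-ChildItem -Path "$EspLetter\" -Recurse -File -Force -ErrorAction SilentlyContinue
    $suspicious = $espFiles | Where-Object {
        ($_.Extension -in '.exe', '.dll') -or ($_.Name -in $KnownBad)
    }
    if ($suspicious) {
        Write-Warning 'Unexpected files on the EFI system partition:'
        $suspicious | ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
    } else {
        Write-Host 'No .exe/.dll or report-named files found on the EFI system partition.'
    }
}
finally {
    # 3. Always remove the temporary drive letter again, even if listing failed.
    mountvol $EspLetter /D
}

# 4. Scheduled tasks that execute something out of \Windows\Installer or that
#    run one of the report's file names from anywhere (the persistence step).
$installerDir = Join-Path $env:WINDIR 'Installer'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute          # empty for non-Exec (COM handler) actions
        $byName = $KnownBad | Where-Object { $exe -like "*\$_" }
        if ($exe -like "$installerDir\*" -or $byName) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Execute  = $exe
                Args     = $action.Arguments
                State    = $task.State
            }
        }
    }
} | Format-Table -AutoSize

# 5. The copies the dropper places at the root of C:\ (second step of the chain).
foreach ($name in $KnownBad) {
    $candidate = Join-Path 'C:\' $name
    if (Test-Path $candidate) { Write-Warning "Dropped component present: $candidate" }
}
```

Because the clipper hides inside the legitimate LsaIso.exe process, a process listing alone will not reveal it; the on-disk components on the ESP and the scheduled task that launches them are the more reliable artifacts, which is why the script inspects those rather than process memory. A clean machine should print nothing from steps 4 and 5 and no warning from step 2.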

It is crucial to avoid downloading pirated operating systems, as unofficial builds can easily conceal persistent malware, posing significant risks to users.
