Cybersecurity experts have discovered a particularly sophisticated piece of malware in pirated versions of Windows 10: it installs itself directly in the Windows system partition. It then proceeds to steal the victim's cryptocurrency.
Downloading a pirated version of Windows is no longer of much interest. If a Microsoft operating system key is not bundled with the computer, one is easily obtained at laughably low prices on resale sites. Keys from older versions are also valid for the latest iteration of the OS, although most users don't take this route, as Windows 11 is being boycotted and Windows 10 remains on the throne.
However, some continue this practice at their own risk, such as this cryptocurrency aficionado who had Bitcoin and Ethereum stolen in May without understanding why. Suspecting that his computer was infected with malware, he contacted the cybersecurity experts at Doctor Web.
The analysis carried out by the specialists detected the presence of Trojan horses on his system: the Trojan.Clipper.231 stealer, the Trojan.MulDrop22.7578 dropper and the Trojan.Inject4.57873 injector. After neutralizing these threats, the experts searched for the source of the malware and found that the operating system was an unofficial build of Windows 10.
Several pirated versions of Windows 10 are affected
This user had no chance of escaping: the malware was built into the installer from the start. The experts then investigated which pirated versions of Windows were infected. Here they are:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
All these versions are available on the most famous torrent sites.
The malware directly attacks the system directory of Windows 10
Unprecedentedly, these malicious applications are located in the system directory of these Windows 10 builds:
- \Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
- \Windows\Installer\recovery.exe (Trojan.Inject4.57873)
- \Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)
The dropper's first task is to mount the EFI system partition on the main drive and copy the two other malicious components to it. It then deletes the original Trojan files from the C: drive, launches Trojan.Inject4.57873 and unmounts the EFI partition once its work is done. In turn, Trojan.Inject4.57873 injects Trojan.Clipper.231 into the system process %WINDIR%\System32\Lsaiso.exe, and the clipper then operates from within that process.
Once installed, Trojan.Clipper.231 monitors the clipboard and replaces any crypto wallet address copied there with an address supplied by the attacker. Experts estimate that the malicious actors managed to steal a total of 0.73406362 BTC and 0.07964773 ETH with this malware, equivalent to more than 17,000 euros.
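The clipper's behaviour described above has a simple detectable signature: a wallet address lands on the clipboard and, a fraction of a second later, is replaced by a different address of the same kind that the user never copied. The following Python script is an added example (not Doctor Web's code or the article's own) that runs that check over a constructed log of clipboard events; the address patterns are coarse syntactic checks, not checksum validation.

```python
import re
from dataclasses import dataclass

# Coarse wallet-address patterns (assumption: syntax only, no checksum validation).
ADDRESS_PATTERNS = {
    # Legacy / P2SH base58 addresses, or bech32 "bc1..." addresses.
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    # 0x-prefixed 20-byte hex address.
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipEvent:
    ts: float   # seconds since monitoring started
    text: str   # clipboard contents after the change


def find_swaps(events, window=2.0):
    """Flag clipboard changes where an address was replaced by a different address
    of the same kind within `window` seconds: the pattern a clipper produces."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        kind_prev, kind_cur = address_kind(prev.text), address_kind(cur.text)
        if (kind_prev and kind_prev == kind_cur
                and prev.text != cur.text
                and cur.ts - prev.ts <= window):
            swaps.append((prev.text, cur.text, kind_prev))
    return swaps


# Constructed sample clipboard log (addresses are placeholders, not real wallets).
USER_BTC = "bc1qconstructedsenderaddress0000000000000000"
EVIL_BTC = "bc1qconstructedattackeraddress111111111111111"
USER_ETH = "0x" + "a" * 40
EVIL_ETH = "0x" + "b" * 40
SAMPLE_EVENTS = [
    ClipEvent(10.0, USER_BTC), ClipEvent(10.3, EVIL_BTC),   # swapped 300 ms later
    ClipEvent(20.0, "meeting notes"),                        # ordinary text, ignored
    ClipEvent(30.0, USER_ETH), ClipEvent(30.1, EVIL_ETH),   # swapped 100 ms later
    ClipEvent(45.0, USER_BTC), ClipEvent(90.0, EVIL_BTC),   # 45 s apart: user copied both
]

if __name__ == "__main__":
    for original, replacement, kind in find_swaps(SAMPLE_EVENTS):
        print(f"suspicious {kind} swap: {original} -> {replacement}")
```

On a real host the event list would come from a clipboard-monitoring agent; the detection logic is unchanged.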
Source: Doctor Web