In a classic case of ‘play stupid games win stupid prizes’, it has been found that pirated copies of Windows 10 have been distributed containing malware hidden within the EFI partition.
Pirated Windows Copies Containing Malware
As reported by Bleepingcomputer.com, hackers have distributed Windows 10 using torrents which have hidden cryptocurrency hijackers within them. The malware was hidden within the Extensible Firmware Interface partition (EFI) which is a partition that contains the bootloader and related files before the OS starts and in turn is hidden from most anti-virus programs. The malware was discovered and explained by researchers at drweb.com who found that it does not execute from the EFI but instead uses the partition as a hidden place to store the infected files.
How Does it Work?
The malware consists of three stages starting with Trojan.MulDrop22.7578 which launches via the system Task Scheduler and has the goal of mounting an EFI system partition to the M:\ drive and copy two other malicious components onto it. After it does this it deletes the original trojan from the C:\ drive launches the next stage under trojan.inject4.57873 and unmounts the EFI partition. TrojanInject4.57873 then uses the Process Hollowing technique to inject Trojan.Clipper.231 into the Lsaiso.exe system process taking control. The malware then monitors the clipboard and substitutes crypto wallet addresses copied into it with attacker-provided addresses.
The researchers say that using the EFI partition as a method of malware infiltration is a very rare attack vector and is of great interest to security professionals. The researchers have also estimated that Trojan.Clipper.231 has so far managed to steal 0.73406362 BTC and 0.07964773 ETH which is around $18,976.29 a fairly hefty sum of cash.
I know Windows is expensive but at least with a reliable source, you don’t get hit with one of these.
