Malicious Trojan Program Found in Pirated Windows 10

  • The cybersecurity firm Doctor Web discovered a malicious program named Trojan.Clipper.231 in several unofficial Windows 10 builds, which were being distributed via torrent trackers.
  • The malware Trojan.Clipper.231 operates in a staged manner, involving multiple trojans. Initially, Trojan.MulDrop22.7578 is executed which mounts an EFI system partition and installs other malicious components, including Trojan.Inject4.57873 which further injects Trojan.Clipper.231 into a system process. T

The cybersecurity firm Doctor Web recently uncovered a malicious clipper program in several unofficial Windows 10 builds that have been circulated through torrent trackers. The Trojan, named Trojan.Clipper.231, has been found to replace cryptocurrency wallet addresses in the clipboard with addresses controlled by the attackers. To date, it has been reported that the malefactors have siphoned off cryptocurrency amounting to approximately $19,000 US.

Pirated Windows 10

Doctor Web was initially alerted by a concerned customer at the end of May 2023, who suspected an infection in their Windows 10 computer. A thorough analysis by Doctor Web specialists confirmed the presence of Trojan.Clipper.231 along with Trojan.MulDrop22.7578 and Trojan.Inject4.57873, which were instrumental in initiating the clipper. Doctor Web’s virus laboratory has successfully isolated and neutralized these threats.

Further investigations revealed that the infected computer was running an unauthorized build of Windows 10, which contained the malicious applications embedded from the outset. Several such tainted Windows builds were identified:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

These compromised builds were available for download on a specific torrent tracker, but it is suspected that other platforms might also be exploited for the distribution of these infected ISO images.

The location of the malicious applications in these builds is found to be in the system directory:

  • \Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
  • \Windows\Installer\recovery.exe (Trojan.Inject4.57873)
  • \Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)

The initialization of the clipper malware is staged, initially involving the execution of Trojan.MulDrop22.7578 through the system Task Scheduler. This dropper proceeds to mount an EFI system partition, copy two other malicious components to it, erase the original trojan files, initiate Trojan.Inject4.57873, and then unmount the EFI partition.

Subsequently, Trojan.Inject4.57873 uses the Process Hollowing technique to inject Trojan.Clipper.231 into the system process %WINDIR%\System32\Lsaiso.exe. Upon assuming control, Trojan.Clipper.231 monitors the clipboard for cryptocurrency wallet addresses, which it then replaces with addresses supplied by the attackers. The malware is designed to perform this substitution only under certain conditions, such as the presence of a specific system file and the absence of processes that could potentially thwart it.

The exploitation of the EFI partition as an attack vector is relatively uncommon, which makes this case particularly intriguing for cybersecurity experts.

About Trojan.Clipper.231

Trojan.Clipper.231, a pernicious stealer malware targeting 64-bit Microsoft Windows operating systems, was recently added to the Dr.Web virus database on May 26, 2023. The malware, written in C++, is designed with the specific intent of replacing cryptocurrency wallet addresses in the clipboard with addresses controlled by cybercriminals. Compiled on March 9, 2023, the malware operates by injecting itself into the %WINDIR%\System32\Lsaiso.exe system process through the assistance of another malware, Trojan.Inject4.57873. Once embedded, it scans the clipboard for cryptocurrency wallet addresses and replaces them with attacker-provided addresses, which are hardcoded into the DATA section of the Trojan. This malicious program’s SHA1 hash is d31df5ea0f82784c010a16597675937fc4896cb0, and it is identified as kd_08_5e78.dll. Users are urged to exercise caution and utilize reliable security software to protect against such threats.