Cybersecurity firm Doctor Web recently unmasked a malevolent build of Windows 10, which are available for download on various Torrent streams. The team identified the malicious Windows 10 builds were infected with a malware dubbed Trojan.Clipper.231, a malware that covertly swaps cryptocurrency wallet addresses in the clipboard with those provided by attackers. The team estimated that the cybercriminals had made around $19,000 from these pirated Windows 10 builds. Let’s see what the security researchers disclosed about the crypto stealer malware.
Let’s start this post with Crypto Stealer Malware, EFI System Partition, Technical Details about the campaign, and finally tips to protect in this post.
What is Crypto Stealer Malware?
Crypto Stealer Malware is a type of malicious software (malware) designed to steal cryptocurrencies from the devices it infects. This malware can target a wide range of cryptocurrencies, including Bitcoin, Ethereum, and many others.
Crypto Stealer Malware usually works by monitoring the clipboard of the infected device. When the user copies a cryptocurrency address (for example, to make a transaction), the malware will replace the copied address with one controlled by the attacker. As a result, when the user pastes the address (assuming it to be the original one), they are actually pasting the attacker’s address. If the user does not notice the change and proceeds with the transaction, the cryptocurrency will be sent to the attacker instead of the intended recipient.
Some sophisticated variants of Crypto Stealer Malware can also steal cryptocurrency wallet files from the infected device or even use keylogging techniques to capture the user’s private keys.
It’s worth noting that Crypto Stealer Malware is usually spread through similar methods as other types of malware, such as phishing emails, malicious websites, and infected software downloads. Therefore, standard cybersecurity practices like using antivirus software, keeping your software up to date, and being cautious with emails and websites you are not familiar with can help protect against Crypto Stealer Malware.
A Short Note About EFI System Partition
Well, EFI System Partition has a critical role in this campaign. To better understand how this campaign work, it is good to know about the EFI System Partition in the hard drives. Attackers utilized the EFI System Partition to hide the malware from Operating System’s security and anti-malware systems.
The EFI System Partition (ESP) is a special partition on a computer’s hard drive that is used by the computer’s firmware to start your operating system. This is based on the UEFI (Unified Extensible Firmware Interface) standard, which is a specification that defines a software interface between an operating system and platform firmware.
The ESP contains the bootloader, a piece of software that loads the operating system into memory when the computer is turned on. It also holds other files used in the early stages of the boot process. On Windows, for example, these files include the Windows Boot Manager and hardware abstraction layer (HAL) drivers, among others.
In terms of format, the EFI System Partition is typically formatted as FAT32, and is usually around 100-500 MB in size, though it can be larger if necessary. It’s also worth noting that ESP is a partition type rather than a specific location on the disk; it can be located anywhere on the drive.
While the ESP is critical for booting your computer, it’s often hidden in disk management tools to prevent accidental modification. As a user, you usually don’t interact with the ESP directly. However, it’s important to be aware of its existence and function, especially when troubleshooting boot issues or setting up a dual-boot system.
Technical Details About the Campaign
As we said in the previous section, attackers took advantage of the fact that most conventional antivirus solutions do not routinely scan the EFI partition, allowing the malware to potentially bypass malware detection systems. Studies confirmed that all pirated Windows 10 builds involved in this campaign have three trojan applications in the system. These malicious programs were identified as Trojan.Clipper.231, a stealer malware, along with Trojan.MulDrop22.7578, a dropper, and Trojan.Inject4.57873, an injector, both of which facilitated the operation of the clipper.