Lord777
The stealer penetrates the EFI partition and transfers cryptocurrency to the attackers' addresses.
Dr. Web specialists found a stealer in unlicensed builds of Windows 10 that hackers distributed on one of the torrent trackers.
A malicious application called Trojan.Clipper.231 replaces the recipient's cryptocurrency wallet addresses in the clipboard with addresses controlled by the attackers. According to Dr. Web analysts, the hackers used the stealer to steal almost $19,000 in cryptocurrency.
The malware was discovered at the end of May 2023, when one of Dr. Web's clients reported that their computer was infected with a stealer. The threat was removed, but it turned out that the client's OS was an unofficial build into which the Trojans had been embedded in advance. Further investigation revealed several such infected Windows builds:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso;
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso;
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso;
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso;
- Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso.
The stealer is launched in stages. In the first stage, the Trojan.MulDrop22.7578 malware is activated through the system task scheduler and performs the following actions:
- mount the system EFI partition as drive M:;
- copy the other two components of the Trojan (Trojan.MulDrop22.7578 and Trojan.Inject4.57873) to it;
- delete the original Trojan files from drive C:;
- run Trojan.Inject4.57873 and unmount the EFI partition.
After gaining control, Trojan.Clipper.231 monitors the clipboard and replaces copied crypto wallet addresses with addresses set by the hackers. However, the stealer has a number of limitations:
- First, it only starts replacing addresses if the system file %WINDIR%\INF\scunown.inf is present;
- Secondly, the Trojan checks the active processes. If it finds processes of certain applications it regards as dangerous to it, it does not replace the crypto wallet addresses.
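An added triage script, not part of the post or of Dr. Web's analysis, that checks a Windows host for the three traces the article describes: the clipper's scunown.inf marker file, scheduled-task actions that launch something outside the standard Windows directories, and Windows executables sitting on the EFI System Partition. It assumes an elevated PowerShell session and uses Z: as a temporary mount letter (an assumption; the dropper itself uses M:).

```powershell
# Added example, not Dr. Web's code. Run from an elevated PowerShell session.
# Z: is an assumed free drive letter used only to mount the ESP temporarily.
$EspLetter = 'Z:'
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Per the article, the clipper only activates when this marker file exists.
$Marker = Join-Path $env:WINDIR 'INF\scunown.inf'
if (Test-Path -LiteralPath $Marker) { $Findings.Add("Marker file present: $Marker") }

# 2. The dropper is started by a scheduled task. Report task actions whose
#    executable lives outside the usual Windows / Program Files roots.
$TrustedRoots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }        # COM-handler actions carry no path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $inTrusted = $TrustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inTrusted) {
            $Findings.Add("Task $($task.TaskPath)$($task.TaskName) runs: $exe $($action.Arguments)")
        }
    }
}

# 3. Mount the EFI System Partition (mountvol /S), look for Windows executables
#    on it (a clean ESP holds .efi boot loaders, not .exe payloads), then unmount.
mountvol $EspLetter /S
try {
    if (Test-Path -LiteralPath "$EspLetter\") {
        Get-ChildItem -LiteralPath "$EspLetter\" -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs') } |
            ForEach-Object {
                $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                $Findings.Add("Executable on ESP: $($_.FullName) ($($_.Length) bytes, signature: $sig)")
            }
    }
} finally {
    mountvol $EspLetter /D                            # always release the temporary mount
}

if ($Findings.Count -eq 0) { 'No traces of the described infection chain found.' }
else { $Findings }
```

Any hit is a lead for review rather than proof of infection: a vendor tool may legitimately place a signed binary on the ESP, and the signature status printed for each file helps separate those from dropped payloads.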
Introducing malware into the EFI partition of computers is a fairly rare attack vector, so this case is of great interest to information security specialists. Dr. Web advises users to download only original ISO images of operating systems, and only from the manufacturers' websites.