Pirated copies of Windows 10 feature hidden malicious apps designed to steal crypto

A friendly reminder that pirating an operating system like Windows 10 is a dangerous game, especially when the copies arrive packed with malware.


Downloading pirated software, especially an operating system, is not something you should consider, especially in light of this new report from Doctor Web. They've found that multiple pirated copies of Windows 10 Pro feature a hidden trojan app called Trojan.Clipper.231, which steals cryptocurrency by substituting crypto wallet addresses in the clipboard with different addresses.


These unofficial and pirated builds of Windows 10 feature the malicious apps built into the OS, so it's not something you'd be able to spot when doing a clean install. Looking into the issue, Doctor Web quickly found five versions of Windows 10 on torrent tracker sites with the malicious trojan app.

The good news is that they have identified the malicious apps in the system directory.

  • \Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
  • \Windows\Installer\recovery.exe (Trojan.Inject4.57873)
  • \Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)

The problem is that, on installation, the crypto hijackers are hidden in the EFI (Extensible Firmware Interface) partition to evade detection. Of the files above, the dropper (iscsicli.exe) mounts a new partition, copies the two other malicious files, deletes the original files from the main drive, launches Trojan.Inject4.57873, and then unmounts the partition. Trojan.Inject4.57873 then injects the malicious app and code into a regular system process.

This method of injecting malware into the EFI partition is rare, so security experts are looking at this case closely. The report from Doctor Web estimates that 0.73406362 BTC and 0.07964773 ETH, which is around USD 18,976.29, have been stolen so far.
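The hiding place described above can be checked on a suspect machine by mounting the EFI System Partition and looking for Windows binaries that have no reason to be there. The following is an added example, not code from Doctor Web or the original article: it flags PE files whose header subsystem is not a UEFI type, plus the three file names listed above. `scan_esp`, `pe_subsystem` and `fake_pe` are hypothetical names, and the name check assumes the copied files keep their reported names.

```python
import os
import struct
import tempfile

# PE Subsystem values of UEFI images (application, drivers, ROM).
EFI_SUBSYSTEMS = {10, 11, 12, 13}
# File names listed in the article (assumed unchanged after the copy).
REPORTED_NAMES = {"iscsicli.exe", "recovery.exe", "kd_08_5e78.dll"}


def pe_subsystem(data):
    """Return the PE Subsystem field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # Subsystem: 4-byte signature + 20-byte COFF header + 68 into optional header.
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 94 > len(data):
        return None
    return struct.unpack_from("<H", data, pe_off + 92)[0]


def scan_esp(root):
    """Walk a mounted EFI System Partition; return sorted (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                subsystem = pe_subsystem(fh.read(4096))
            if name.lower() in REPORTED_NAMES:
                findings.append((rel, "name listed in the report"))
            elif subsystem is not None and subsystem not in EFI_SUBSYSTEMS:
                findings.append((rel, f"non-EFI PE image, subsystem {subsystem}"))
    return sorted(findings)


def fake_pe(subsystem):
    """Constructed sample: minimal header bytes, not a loadable binary."""
    return (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
            + bytes(88) + struct.pack("<H", subsystem) + bytes(2))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as esp:  # constructed sample tree
        for name, sub in (("bootx64.efi", 10), ("svc.bin", 2)):
            with open(os.path.join(esp, name), "wb") as fh:
                fh.write(fake_pe(sub))
        print(scan_esp(esp))
```

Point `scan_esp` at the mount point of the EFI partition; each finding is a lead to compare against a known-good installation, not a verdict.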

A definite reminder that pirating an OS can be dangerous and costly. Here's the list of affected pirated Windows 10 copies spotted by Doctor Web.

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
NEWS SOURCE: news.drweb.com

Kosta might be a relatively new member of TweakTown, but he’s a veteran gaming journalist that cut his teeth on well-respected Aussie publications like PC PowerPlay and HYPER back when articles were printed on paper. A lifelong gamer since the 8-bit Nintendo era, it was the CD-ROM-powered 90s that cemented his love for all things games and technology. From point-and-click adventure games to RTS games with full-motion video cut-scenes and FPS titles referred to as Doom clones. Genres he still loves to this day. Kosta is also a musician, releasing dreamy electronic jams under the name Kbit.
