A malware distribution campaign has been detected that uses torrents to deliver cryptocurrency-stealing malware via a method that allows it to evade antivirus tools. The campaign delivers clipper malware – a type of malware that reads the clipboard and modifies its contents with the goal of stealing private keys and credentials for cryptocurrencies. Once installed, the malware monitors the clipboard looking for cryptocurrency wallet addresses. If a cryptocurrency wallet address is found, it is replaced with the address of a wallet under the control of the attacker. When the victim then makes a payment, it is directed to the attacker’s wallet.
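The substitution behaviour described above leaves a visible trace: the clipboard holds one wallet address and, a few milliseconds later, a different address of the same currency, with no user action in between. The following PowerShell script is an added example (it is not code from the original article or from Dr. Web) that polls the clipboard and warns when that pattern occurs. The address patterns, the poll interval and the two-second window are assumptions chosen for illustration.

```powershell
# Added example (not code from the original article or from Dr. Web): a
# lightweight clipboard monitor that flags the behaviour described above.
# A clipper rewrites a freshly copied wallet address within milliseconds, so
# the monitor looks for two *different* addresses of the same currency
# appearing back to back within a short window. Works in Windows PowerShell
# 5.1 and PowerShell 7 on Windows (Get-Clipboard is Windows-only).

# Address patterns are assumptions that match common formats; they do not
# validate checksums.
$AddressPatterns = @{
    'BTC' = '^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$'
    'ETH' = '^0x[0-9a-fA-F]{40}$'
    'XMR' = '^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$'
}

function Get-AddressType {
    # Returns the currency name whose pattern matches, or $null.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    foreach ($entry in $AddressPatterns.GetEnumerator()) {
        # -cmatch: the BTC pattern relies on case-sensitive character classes
        if ($Text -cmatch $entry.Value) { return $entry.Key }
    }
    return $null
}

function Watch-ClipboardSwap {
    param(
        [int]$PollMilliseconds = 50,         # how often to read the clipboard
        [int]$SwapWindowMilliseconds = 2000  # two addresses this close together is suspicious
    )
    $previous     = ''
    $previousTime = Get-Date
    Write-Host 'Watching the clipboard for wallet-address substitution (Ctrl+C to stop)...'
    while ($true) {
        Start-Sleep -Milliseconds $PollMilliseconds
        # Get-Clipboard returns one string per line; join them so multi-line
        # content is handled as a single value (an empty clipboard becomes '').
        $current = ((Get-Clipboard -ErrorAction SilentlyContinue) -join "`n").Trim()
        if ($current -eq $previous) { continue }

        $now      = Get-Date
        $elapsed  = ($now - $previousTime).TotalMilliseconds
        $prevType = Get-AddressType $previous
        $curType  = Get-AddressType $current

        # Same currency, different value, replaced faster than a person would
        # copy a second address: the signature of an in-place swap.
        if ($prevType -and ($curType -eq $prevType) -and ($elapsed -lt $SwapWindowMilliseconds)) {
            Write-Warning ("Possible clipper activity: {0} address replaced after {1:N0} ms`n  copied: {2}`n  now:    {3}" -f $curType, $elapsed, $previous, $current)
        }
        $previous     = $current
        $previousTime = $now
    }
}

Watch-ClipboardSwap
```

A user who genuinely copies two addresses of the same currency within two seconds will also trigger the warning, so the window is a tuning knob rather than a hard rule. Note also that this family stays dormant when it detects analysis tools, so a quiet monitor is not proof of a clean machine; the scheduled-task and EFI checks further down are the more reliable place to look.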
This campaign uses torrents for Windows 10 Pro, which deliver a Windows 10 ISO image for the installation. An ISO file contains the image of data found on an optical disc, in this case the Windows 10 installation disk. The campaign hides the clipper malware in the Extensible Firmware Interface (EFI) partition. The EFI partition contains the bootloader and other files that are executed before the operating system starts up. The benefit of hiding the malware in the EFI partition is that it is not typically scanned by antivirus software, so the malware is likely to remain undetected.
When the ISO file is used to install the operating system, a scheduled task is created that launches the dropper, which mounts the EFI partition as the M:\ drive. Once it is mounted, the dropper copies two other files to the C:\ drive: an executable that serves as the injector, and a DLL file – the clipper malware – which is injected into the %WINDIR%\System32\Lsaiso.exe system process. To evade detection, the clipper checks for analysis tools and will not switch cryptocurrency wallet addresses if any are discovered. According to Dr. Web, as of June 13, 2023, this campaign has allowed malicious actors to steal at least $19,000 in cryptocurrency.
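Each step of the chain just described (a scheduled task that mounts the EFI partition, a drive letter on a partition that normally has none, and a foreign DLL inside Lsaiso.exe) can be checked from an elevated PowerShell session. The script below is an added hunting example, not code from the article or from Dr. Web; the indicator strings (mountvol, EFI, M:\) are assumptions drawn from the behaviour described, not published indicators of compromise, and the function names are my own.

```powershell
# Added example (not code from the original article or from Dr. Web): a hunting
# script for the infection chain described above. It (1) lists scheduled tasks
# whose actions mount a volume or reference the EFI partition or an M: drive,
# (2) reports an EFI system partition that currently has a drive letter, and
# (3) lists modules loaded in Lsaiso.exe that are not Microsoft-signed.
# Run in an elevated Windows PowerShell session. The indicator strings are
# assumptions drawn from the behaviour described, not published IoCs.

function Find-SuspiciousEfiTasks {
    # Workstation tasks rarely call mountvol or touch the EFI partition.
    $indicators = @('mountvol', 'EFI', 'M:\')
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $hit = $indicators | Where-Object { $cmd -like "*$_*" } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Command   = $cmd
                    Indicator = $hit
                }
            }
        }
    }
}

function Get-MountedEfiPartition {
    # The EFI system partition normally has no drive letter; one assigned
    # outside a maintenance window (the dropper uses M:) is an anomaly.
    $efiGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # GPT type GUID of the EFI System Partition
    Get-Partition | Where-Object { ($_.GptType -eq $efiGuid -or $_.Type -eq 'System') -and $_.DriveLetter } |
        Select-Object DiskNumber, PartitionNumber, DriveLetter, Size
}

function Get-UnsignedLsaisoModules {
    # On a clean system every module in Lsaiso.exe is Microsoft-signed.
    # Lsaiso.exe is a protected process, so module enumeration can be denied
    # even to administrators; that case is reported rather than hidden.
    foreach ($proc in Get-Process -Name lsaiso -ErrorAction SilentlyContinue) {
        try {
            $modules = @($proc.Modules)
        } catch {
            Write-Warning ("Cannot enumerate modules of Lsaiso.exe (PID {0}): {1}" -f $proc.Id, $_.Exception.Message)
            continue
        }
        foreach ($m in $modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $signer -notlike '*Microsoft*') {
                [pscustomobject]@{
                    Module = $m.FileName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
    }
}

Write-Host '== Scheduled tasks referencing mountvol / EFI / M: =='
Find-SuspiciousEfiTasks | Format-Table -AutoSize
Write-Host '== EFI system partition with a drive letter =='
Get-MountedEfiPartition | Format-Table -AutoSize
Write-Host '== Non-Microsoft modules in Lsaiso.exe =='
Get-UnsignedLsaisoModules | Format-Table -AutoSize
```

Empty output from all three sections is the expected result on a clean machine. A hit in the first section deserves a look at the task's author, creation time and the file it runs; a drive letter on the EFI partition should be unmounted and the partition's contents compared against a known-good installation, since ordinary antivirus scans do not cover it. Lsaiso.exe only exists when Credential Guard is enabled, so an absent process is not itself a finding.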
Pirated software and operating systems are often used for distributing malware, either through the installation files themselves or through the cracks and product activators that accompany them, which are used to generate valid software license codes. In many cases, the actual software or operating system offered via torrent sites is genuine, and the user gets the copy of the software they are expecting, but the malware is also installed silently as part of the installation process.
As the latest campaign demonstrates, the malware that is installed can be persistent and go undetected by many antivirus solutions. In this case, it is a clipper used for stealing cryptocurrencies; however, information stealers, remote access Trojans, and backdoors can just as easily be distributed via this method. One download and installation by an employee who is looking to improve their productivity by installing software not authorized by the IT department can be all it takes for hackers to gain access to the network, steal sensitive data, and perform any number of malicious activities undetected.
The easiest solution to avoid this method of malware delivery is to never attempt to download pirated software, but employers should take steps to ensure that employees are not tempted and should implement a web filtering solution. WebTitan Cloud is a cloud-based DNS filtering solution that is quick and easy to install and configure and can be used to block access to torrents and warez sites where pirated software is available. In addition to blocking certain types of websites by category, the solution can also be configured to block downloads of specific file types, such as executable files, including ISOs.
In addition to reducing the risk of malware infections, IT departments can prevent employees from downloading and installing legitimate software without the knowledge of the IT department. These software installations also pose a security risk, since the IT department will have no control over software updates and patching. That means vulnerabilities are likely to remain unaddressed and those vulnerabilities could be targeted by malicious actors to gain access to the network.
If you want to improve your security posture, exercising control over the websites employees can visit is a good place to start. WebTitan Cloud is available on a free trial to allow you to test the solution in your own environment before deciding on a purchase. TitanHQ also offers WebTitan Cloud for Wi-Fi, which can be used by Wi-Fi hotspot providers to carefully control the content Wi-Fi users can access – for security reasons, as well as creating a family-friendly Wi-Fi network.
If you have any questions about WebTitan Cloud, WebTitan Cloud for Wi-Fi, or web filtering in general, give the TitanHQ team a call.