
Doctor Web identifies pirated Windows builds with crypto stealer that penetrates EFI partition

June 13, 2023

Doctor Web has discovered a malicious clipper program in a number of unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan replaces crypto wallet addresses in the clipboard with attacker-controlled addresses. At the time of writing, the attackers have stolen cryptocurrency worth roughly $19,000 US.

At the end of May 2023, a customer contacted Doctor Web suspecting that their Windows 10 computer was infected. The analysis our specialists carried out confirmed the presence of trojan applications in the system: the Trojan.Clipper.231 stealer, together with the Trojan.MulDrop22.7578 dropper and the Trojan.Inject4.57873 injector that are used to launch the clipper. Doctor Web's virus laboratory identified all of these threats and neutralized them.

At the same time, it was discovered that the targeted operating system was an unofficial build and that the malicious apps had been built into it from the start. The subsequent investigation revealed several such infected Windows builds:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

All of them were available for download on one of the torrent trackers, but it is possible that the attackers are also using other sites to distribute infected system ISO images.

The malicious apps in these builds are located in the system directory:

The clipper is brought up in several stages. In the first stage, the Trojan.MulDrop22.7578 dropper is launched by a system Task Scheduler entry from the following path:

%SystemDrive%\Windows\Installer\iscsicli.exe

The dropper's job is to mount the EFI system partition as drive M:\ and copy the two other malicious components onto it, then delete the original trojan files from the C:\ drive, launch Trojan.Inject4.57873, and finally unmount the EFI partition. Because the EFI system partition normally has no drive letter assigned, files stored there sit outside the paths that users and most file-level scanners look at, which is what makes this storage location attractive to the attackers.

In turn, Trojan.Inject4.57873 uses the Process Hollowing technique to inject Trojan.Clipper.231 into the %WINDIR%\System32\Lsaiso.exe system process (the LSA Isolated process that Windows uses for Credential Guard). From then on the clipper runs in the context of this trusted-looking process.

Once running, Trojan.Clipper.231 monitors the clipboard and replaces any crypto wallet address copied into it with an attacker-provided address. The trojan has two built-in restrictions. First, it begins substituting addresses only if the file %WINDIR%\INF\scunown.inf is present on the system. Second, it checks the list of running processes: if it finds processes belonging to applications that could expose it, it does not substitute the wallet addresses. A clean clipboard test on a machine with analysis tools running is therefore not proof that the clipper is absent.
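The artefacts named above (a scheduled task running iscsicli.exe from \Windows\Installer, the scunown.inf trigger file, payloads parked on the EFI system partition, and the clipboard substitution itself) can be checked from an elevated PowerShell session. The script below is an added triage example written for this article, not Doctor Web's code or part of the malware; the drive letter M:, the canary strings, and the decision to report every file outside \EFI\ or with an .exe/.dll extension on the ESP are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not Doctor Web's code). Hunts for the indicators described
# in the write-up. Run in an elevated PowerShell 5.1+ session on the suspect host.
# ASSUMPTIONS: drive letter M: is free; the canary strings below are constructed
# placeholders that only match the *format* of ETH / bech32 BTC addresses.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled tasks whose action runs iscsicli.exe from anywhere but System32.
#    The legitimate iscsicli.exe (iSCSI command-line tool) lives in %WINDIR%\System32.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Execute)
        if ($exe -match 'iscsicli\.exe$' -and $exe -notlike '*\System32\iscsicli.exe') {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $exe $($action.Arguments)")
        }
    }
}

# 2. Dropper path and clipper trigger file named in the write-up.
$dropper = Join-Path $env:SystemDrive 'Windows\Installer\iscsicli.exe'
if (Test-Path $dropper) {
    $findings.Add("Dropper present: $dropper SHA256=$((Get-FileHash $dropper).Hash)")
}
$trigger = Join-Path $env:WINDIR 'INF\scunown.inf'
if (Test-Path $trigger) { $findings.Add("Clipper trigger file present: $trigger") }

# 3. Mount the EFI System Partition (mountvol /S) and list files for review.
#    A clean ESP holds boot loaders, BCD, fonts and debugger transport DLLs under
#    \EFI\; anything outside \EFI\, and any .exe, is worth a closer look.
#    Compare the listing against a known-clean install of the same Windows build.
$esp = 'M:'
if (Test-Path "$esp\") { throw "$esp is already in use; pick a free drive letter" }
mountvol $esp /S
if ($LASTEXITCODE -ne 0) { throw "mountvol $esp /S failed (exit $LASTEXITCODE)" }
try {
    Get-ChildItem -Path "$esp\" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '\\EFI\\' -or $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("ESP file for review: $($_.FullName) ($($_.Length) bytes) SHA256=$hash")
        }
} finally {
    mountvol $esp /D   # always unmount, even if the listing throws
}

# 4. Clipboard canary: put a wallet-format string on the clipboard, wait, read it
#    back. Any difference means something rewrote the clipboard. A clean result is
#    not proof of absence: the clipper stays dormant when it sees analysis tools.
function Test-ClipboardCanary {
    param(
        [string[]]$Canaries = @(
            ('0x' + ('ab' * 20)),     # constructed: ETH format, 0x + 40 hex chars
            ('bc1q' + ('a' * 38))     # constructed: bech32-style BTC format
        ),
        [int]$WaitSeconds = 3
    )
    $hits = @()
    foreach ($canary in $Canaries) {
        Set-Clipboard -Value $canary
        Start-Sleep -Seconds $WaitSeconds
        $back = ([string](Get-Clipboard -Raw)).Trim()
        if ($back -ne $canary) { $hits += "Canary '$canary' read back as '$back'" }
    }
    return $hits
}
foreach ($hit in Test-ClipboardCanary) { $findings.Add($hit) }

if ($findings.Count -eq 0) { 'No indicators from the write-up found.' } else { $findings }
```

The ESP listing is deliberately noisy rather than selective: \EFI\Microsoft\Boot legitimately contains DLLs (kernel debugger transports) and the malware on this page hides its components among files of that kind, so the script reports hashes for an analyst to compare against a clean build instead of guessing which DLL is the implant.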

Using the EFI system partition as a hiding place for malware components is still very rare as an attack vector, which makes this case of particular interest to information security specialists.

According to our specialists' calculations, at the time of this news release the attackers have used Trojan.Clipper.231 to steal 0.73406362 BTC and 0.07964773 ETH, equivalent to $18,976.29 US.

Doctor Web recommends that users download only original ISO images of operating systems, and only from trusted sources such as the manufacturers' websites. Dr.Web anti-virus detects and neutralizes Trojan.Clipper.231 and the malicious programs related to it, so they pose no threat to our users.

More details on Trojan.Clipper.231

More details on Trojan.MulDrop22.7578

More details on Trojan.Inject4.57873

Indicators of compromise
