Hackers are spreading malware through Windows 10 installers; it constantly monitors what is copied to the clipboard and springs into action when it detects a cryptocurrency wallet address. But malware integrated this deeply into the operating system can be dangerous in other ways as well.

It probably goes without saying how dangerous it is to install software downloaded from torrent sites on a machine where we then hold confidential conversations, manage our banking and shop online by entering our card details – and downloading a paid product for free naturally raises further questions of its own.

It has now been discovered that hackers are distributing infected Windows 10 installers (ISOs) via torrent sites. The malware hides in the EFI partition, which Windows needs in order to boot and run and which the operating system creates automatically during installation. While some malware uses this partition to get malicious code onto the device past the system's defenses, here the attackers simply treat the EFI partition as a safe place to store their files – however, Dr.Web's researchers discovered that the EFI is –


As BleepingComputer writes, the EFI partition is usually not scanned by antivirus software, so malware stored there may go unnoticed. The malicious program places the following files in the system directory:

  • \Windows\Installer\iscsicli.exe
  • \Windows\Installer\recovery.exe
  • \Windows\Installer\kd_08_5e78.dll

Once the malware is running on a pirated Windows 10 installation, it monitors the clipboard (whatever we copy in order to paste elsewhere) specifically for cryptocurrency wallet addresses. On an infected machine, the copied address is swapped for the attacker's, so payments end up in the attackers' cryptocurrency accounts – according to Dr.Web, they have so far managed to steal about $19,000 (roughly HUF 6,530,000) worth of cryptocurrency.
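As an added defender-side check (it is not part of the article or of the Dr.Web report), the following PowerShell script, run from an elevated prompt, tests for the three dropped files named above and then lists everything on the EFI system partition outside the standard Microsoft and Boot folders for manual review. The drive letter and the "expected folders" heuristic are assumptions: OEM firmware folders can legitimately appear on that partition, so flagged files are candidates for review, not confirmed malware.

```powershell
# Added example, not code from the article or from Dr.Web.
# Requires an elevated PowerShell session (mountvol /S needs admin rights).
$Letter = 'S:'   # assumption: any drive letter not currently in use

# 1. The three dropped-file paths reported by Dr.Web, under the system directory.
$Indicators = @(
    "$env:SystemRoot\Installer\iscsicli.exe",
    "$env:SystemRoot\Installer\recovery.exe",
    "$env:SystemRoot\Installer\kd_08_5e78.dll"
)
foreach ($path in $Indicators) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning ("Indicator present: {0} ({1} bytes, modified {2}) SHA256={3}" -f
            $path, $item.Length, $item.LastWriteTime, $hash)
    } else {
        Write-Output "Not found: $path"
    }
}

# 2. Map the EFI system partition, which antivirus normally does not scan,
#    and report every file outside the folders Windows itself uses there.
#    The Microsoft/Boot allow-list is a heuristic (assumption), not a rule.
try {
    mountvol $Letter /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol could not map the EFI partition to $Letter" }

    $Expected = '^' + [regex]::Escape("$Letter\EFI\") + '(Microsoft|Boot)\\'
    $Suspects = Get-ChildItem -LiteralPath "$Letter\" -Recurse -Force -File |
        Where-Object { $_.FullName -notmatch $Expected }

    if (-not $Suspects) {
        Write-Output "EFI partition: only the expected Microsoft and Boot trees present."
    }
    foreach ($f in $Suspects) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Warning ("Review: {0} ({1} bytes, modified {2}) SHA256={3}" -f
            $f.FullName, $f.Length, $f.LastWriteTime, $hash)
    }
} finally {
    mountvol $Letter /D   # always unmap the partition, even if listing failed
}
```

The hashes are printed so that flagged files can be looked up against vendor or threat-intelligence data before anything is deleted; a wipe-and-reinstall, as the researchers advise, remains the only reliable remedy once an infection is confirmed.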

The infected Windows versions circulate on torrent sites under the following file names:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

However, the researchers warn that many more variants may well be in circulation. Anyone who has already installed one has only one remedy: reinstall a legally sourced operating system from scratch, completely wiping the existing drives.

Of course, the risk described above does not affect only those who deal in cryptocurrencies: attackers being able to read confidential data that we copy to the clipboard carries other risks as well, since banking details also end up on the clipboard from time to time and can easily fall into unauthorized hands.
