Pirated Windows 10 ISOs install clipper malware via EFI partitions (Security News, June 2023)
Hackers are distributing pirated Windows 10 builds via torrents that hide cryptocurrency-stealing clipper malware in the EFI partition to evade detection.
The EFI partition is a small system partition containing the bootloader and related files executed before the operating system's startup.
It is required on UEFI-based systems, which have replaced the legacy BIOS. Earlier attacks, BlackLotus being the best-known example, used modified EFI partitions to run malware from outside the context of the OS and its security tools.
The pirated Windows 10 ISOs found by researchers at Dr. Web do not go that far: they merely use the EFI partition as a storage location for the clipper components.
Because standard antivirus tools do not routinely scan the EFI partition, files staged there can evade detection.
An executable is then launched that injects the clipper DLL into the legitimate %WINDIR%\System32\Lsaiso.exe process, where it watches the clipboard and swaps cryptocurrency wallet addresses for attacker-controlled ones.
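Since the whole trick is that the EFI system partition is a blind spot for ordinary scanners, the practical check is to mount it and look. The PowerShell script below is an added example written for this page; it is not from the Dr.Web report or the article, and the drive letter S:, the list of "expected" extensions and the CSV output path are assumptions you should adjust. It temporarily assigns a letter to the EFI system partition, hashes every file on it and flags PE executables, DLLs and anything with an extension a stock ESP would not carry, so the result can be compared against known-good installation media.

```powershell
# Added example, not part of the original article: triage the EFI system
# partition for files that do not belong there. Run from an elevated
# PowerShell session. S: is an assumption; pick any unused letter.
#Requires -RunAsAdministrator

$letter = 'S:'
$csv    = Join-Path $env:TEMP 'esp-triage.csv'   # assumption: output location

# mountvol /S assigns a drive letter to the EFI system partition of the boot disk.
mountvol $letter /S
if ($LASTEXITCODE -ne 0) { throw "Could not mount the EFI system partition on $letter" }

try {
    # A stock Windows ESP holds UEFI applications (*.efi), the BCD store (no
    # extension, plus .log/.log1/.log2 journals), fonts and a few resource files.
    # Anything else, and especially *.exe / *.dll / *.sys meant for the running
    # OS, is worth a second look. Tune this list for your own golden image.
    $expected = @('', '.efi', '.log', '.log1', '.log2', '.ttf', '.cfg', '.ini',
                  '.bin', '.txt', '.xml', '.dat', '.mui')

    $report = Get-ChildItem -Path "$letter\" -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ext = $_.Extension.ToLowerInvariant()
            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                LastWrite  = $_.LastWriteTimeUtc
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Suspicious = ($ext -in '.exe', '.dll', '.sys') -or ($ext -notin $expected)
            }
        }

    # Flagged entries first; the CSV is what you diff against a clean install.
    $report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    $report | Export-Csv -Path $csv -NoTypeInformation

    $flagged = @($report | Where-Object Suspicious)
    if ($flagged.Count -gt 0) {
        Write-Warning ("{0} unexpected file(s) on the EFI partition; compare their hashes with known-good media. Report: {1}" -f $flagged.Count, $csv)
    }
}
finally {
    # Always detach the letter again so the ESP is not left mounted.
    mountvol $letter /D
}
```

The extension test is only a heuristic: a .efi file is itself a PE image, so a dropper could be parked under that name. That is why the script records SHA256 for every file rather than just the flagged ones; the hashes of the real bootloader files should match those on the same build installed from official media, and anything unmatched deserves inspection regardless of its name.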