Pirated Windows ISOs circulating… with embedded malware


Camille Coirault

June 24, 2023 at 6:45 p.m.


Pirated versions of Windows 10 circulating as torrents are nothing new. Recently, however, several ISOs (disk images) have been found with malware embedded in the EFI partition, which makes it hard to detect.

The groups distributing these pirated copies of the OS have found a trick that is hard to counter: the malware is integrated directly into the EFI (Extensible Firmware Interface) partition. Since conventional antivirus products do not systematically scan that partition, the malware quietly dodges their scans.

EFI, the right hideout for malware

The EFI partition is essential to any system that boots through the Unified Extensible Firmware Interface (UEFI). It holds the startup files and the information needed to load the operating system, and it is the keystone of the boot process and of device management on UEFI-compatible computers, which today means 80% of the machines on the market. Its more modern and flexible interface makes booting the system smoother than with a traditional BIOS.

The attackers therefore use this partition as a storage space for their malicious little beast. Perfectly aware that conventional antivirus products generally do not scan it, they have plenty of time to slip in whatever they want.

An infiltration worthy of Sam Fisher

The contaminated ISOs identified by Dr.Web researchers contain suspicious files embedded directly in the system directory, such as:

  • \Windows\Installer\iscsccli.exe (distributor file)
  • \Windows\Installer\recovery.exe (injector file)
  • \Windows\Installer\kd_08_5e78.dll (hijacker file)

If an installation is launched from an ISO with this profile, a scheduled task is created. It starts the distributor, which mounts the EFI partition as the “M:” drive. The injector then takes over and copies the two files, including kd_08_5e78.dll, to the “C:” drive. Finally, the hijacker file scans the PC for cryptocurrency wallets. In short, the joint action of these three files lets the attackers slip past every security layer and help themselves to the wallets at their leisure. A smooth robbery.
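Because the EFI partition is where the payload hides and a scheduled task is what starts it, a defender can check both. The script below is an added example, not code from the article or from Dr.Web: it mounts the EFI System Partition of the boot disk, lists files that do not belong on a stock Windows ESP, and looks for scheduled tasks that reference the three file names above. It assumes the drive letter Z: is free and that a clean ESP only contains the EFI\Microsoft and EFI\Boot trees.

```powershell
#Requires -RunAsAdministrator
# Added defensive check (hypothetical, not the article's own code).
$mount    = 'Z:'                                   # assumption: a free drive letter
$expected = @('EFI\Microsoft\', 'EFI\Boot\')       # assumption: trees a clean Windows ESP carries
$suspect  = @('iscsccli.exe', 'recovery.exe', 'kd_08_5e78.dll')   # names cited in the article

# 1. Inventory the EFI System Partition. mountvol /S maps the ESP of the boot disk to a letter.
mountvol $mount /S | Out-Null
try {
    Get-ChildItem -Path $mount -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel   = $_.FullName.Substring($mount.Length).TrimStart('\')
            $known = $expected | Where-Object { $rel.StartsWith($_, 'OrdinalIgnoreCase') }
            # A clean ESP holds .efi loaders, BCD stores and fonts; a PE named .exe/.dll is
            # out of place there, as is anything outside the expected trees.
            $odd   = (-not $known) -or ($_.Extension -in @('.exe', '.dll'))
            if ($odd) {
                [pscustomobject]@{
                    Path   = $rel
                    Bytes  = $_.Length
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        } | Format-Table -AutoSize
}
finally {
    mountvol $mount /D                             # always unmount, even on error
}

# 2. Scheduled tasks whose action or arguments mention one of the reported file names.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        foreach ($name in $suspect) {
            if ($cmd -match [regex]::Escape($name)) {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
            }
        }
    }
} | Format-Table -AutoSize
```

Any hit from either listing deserves a closer look rather than an automatic verdict, since the file names alone are weak indicators; the hashes let you compare against a known-clean ESP.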


These Windows 10 ISOs carry malware cleverly hidden in their installation process. By escaping classic antivirus detection, it can reach into your cryptocurrency wallets. The moral of the story? Do not download operating systems from dubious sites, and humbly settle for the official versions.

Sources: BleepingComputer, Dr Web
