
We have told you on many occasions that you can download ISO images of the Windows operating system for free. Even Microsoft makes them available to us through its official website, although of course, without a license.
Therefore, once we have downloaded one of these images, in order to use the operating system legally and without restrictions we have to pay for the key corresponding to the downloaded version. A few days ago the software giant officially stopped selling Windows 10 through its usual channels. That does not mean other stores have stopped selling this version of the operating system with its corresponding, fully legal license.
This means that those who still reject Windows 11 and prefer to keep working with the previous version of Microsoft's system can continue to do so. In fact, the most recent versions of Windows 10 still receive security support from the company. Hence, at this moment many users are downloading a Windows 10 ISO image in order to use their key and keep working with this system on their computers.
However, a campaign has now been discovered in which attackers are trying to take advantage of this situation. Specifically, these criminals are distributing Windows 10 via malicious torrent links. The ISOs they offer hide cryptocurrency clipper malware in the EFI partition in order to evade detection by the security software installed on the computer.
Malicious apps hidden in the Windows ISO
It is worth mentioning that the EFI partition is a small system partition that contains the bootloader and the files that run before the operating system starts. It is essential on UEFI systems, which replace the legacy BIOS. In this case, the cybercriminals take advantage of it by distributing tampered Windows 10 ISO images through torrents.
The pirated Windows 10 ISOs that have been discovered use the EFI partition as a safe storage area for the components of Clipper, the malicious code. Since antivirus products do not usually scan that partition, the malware evades detection. The malicious versions of Windows 10 are known to hide the following files in the system directory:
- \Windows\Installer\iscsicli.exe
- \Windows\Installer\recovery.exe
- \Windows\Installer\kd_08_5e78.dll
When the operating system is installed from this infected ISO, a new scheduled task is created. It launches an executable called iscsicli.exe, which mounts the EFI partition as drive M:. Once the partition is mounted, the malware copies the other two files mentioned above. Recovery.exe is then run, and it injects the Clipper DLL, which replaces cryptocurrency wallet addresses while avoiding antivirus detection.
Clipper thus monitors the system for cryptocurrency wallet addresses and replaces them with addresses under the attacker's control. This allows the attackers to divert the payments we make from our cryptocurrency accounts to wallets they own. Therefore, we should be suspicious of the Windows 10 ISO images currently available through P2P networks and torrent files.
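As an added example that is not part of the original article, the following PowerShell hunt looks for the indicators the text describes: a scheduled task whose action runs iscsicli.exe or recovery.exe, and the three named files on the EFI System Partition. It assumes an elevated session on a UEFI machine, that drive letter M: is free (the article names M: as the letter the malware itself uses), and that the file names sit under a Windows\Installer directory on that partition; the file names come from the article, the hashing and reporting logic is constructed here.

```powershell
# Added example, not from the article. Run as Administrator on a UEFI system.
# Assumed layout: the three files named in the article live under Windows\Installer
# on the EFI System Partition (ESP). Only the file names are taken from the article.

$Indicators = @(
    'Windows\Installer\iscsicli.exe',
    'Windows\Installer\recovery.exe',
    'Windows\Installer\kd_08_5e78.dll'
)
$Findings = @()

# 1. Scheduled tasks whose action launches one of the named executables.
#    The legitimate iscsicli.exe lives in System32 and is not normally run by a task.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'iscsicli\.exe|recovery\.exe') {
            $Findings += "Task '$($task.TaskPath)$($task.TaskName)' runs " +
                         "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 2. Mount the ESP on M: (mountvol /S), check for the files, then unmount again.
#    If M: is already in use, the ESP may already be mounted there; scan it as-is.
$Letter  = 'M:'
$Mounted = $false
if (-not (Test-Path "$Letter\")) {
    mountvol $Letter /S | Out-Null
    $Mounted = ($LASTEXITCODE -eq 0)
}
if (Test-Path "$Letter\") {
    foreach ($rel in $Indicators) {
        $path = Join-Path $Letter $rel
        if (Test-Path $path) {
            # Record a hash so the sample can be submitted or matched later.
            $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            $Findings += "EFI file present: $path (SHA256 $hash)"
        }
    }
    if ($Mounted) { mountvol $Letter /D | Out-Null }
}

# 3. Report.
if ($Findings.Count -eq 0) { 'No indicators from the article found.' }
else { $Findings | ForEach-Object { "ALERT: $_" } }
```

A hit in step 1 alone is worth investigating even if step 2 finds nothing, since the files are only copied to the partition after the task first runs.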