In context: The EFI system partition plays a crucial role in the Windows booting process, but it also provides a potential "safe haven" for malicious software and security threats. While still rare, "EFI infiltration" is a tactic being increasingly employed by newer malware strains.

In Microsoft's own words, the EFI System Partition (ESP) is required on UEFI systems to boot from a GPT-style partitioned storage drive – UEFI and GPT being two technology advancements designed to supersede obsolete BIOS and MBR standards.

The EFI partition, which usually resides on the system's primary "hard drive," contains the operating system's bootloader and kernel image, basic device drivers used by the UEFI firmware at boot time and other software tools needed to run before the OS is properly loaded in RAM.

Being a fundamental component within the modern Windows booting process, the EFI partition has become a privileged target for the most complex and advanced security threats out there. The infamous BlackLotus UEFI bootkit exploits the ESP to hide from security software, and now a newly discovered "crypto stealer" is doing the same to try and escape antivirus detection.

Identified by Russian-made security software Dr.Web, Trojan.Clipper.231 is a trojan application hiding in some "pirated" ISO builds of Windows 10 Pro (22H2) being distributed on the BitTorrent network. Doctor Web discovered the threat after being contacted by a customer at the end of May 2023, with further analyses confirming the infection ongoing on the customer's Windows 10 computer.

The three-part infection includes a malware designed to steal popular cryptocurrencies (Trojan.Clipper.231), a trojan dropper (Trojan.MulDrop22.7578) and a code injector (Trojan.Inject4.57873) used to launch the clipper malware. The three files have been identified in several ISO custom builds, which were seemingly targeted at Russian-speaking users with file names such as "Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso".

Once installed on a PC, the malicious Windows build is designed to run the dropper ("iscsicli.exe") via the system Task Scheduler. The dropper is designed to mount the EFI partition as an "M:\" drive, copy the two other malicious components on the partition, delete the original trojan from the C: drive, and finally launch the injector while unmounting the EFI partition.

The injector then brings the clipper code into the "lsaiso.exe" system process, where Trojan.Clipper.231 will operate from now on. The clipper monitors the Windows clipboard, checking if crypto wallet addresses are being copied by the user and replacing them with addresses controlled by the cyber-criminals. Furthermore, the clipper checks active processes to try and avoid being detected by well-known analysis tools such as Process Explorer, Task Manager, Process Monitor, and ProcessHacker.

According to figures provided by Doctor Web, the aforementioned cyber-criminals managed to steal at least $19,000 worth of cryptocurrencies from legit wallet addresses so far. Malware infiltration into the EFI partition as an attack vector is still very rare, Dr. Web says, so any new identified case can be of great interest to computer security specialists.