The stealer, detected as Trojan.Clipper.231, is a clipper: it watches the Windows clipboard and swaps any cryptocurrency wallet address the user copies for one controlled by the attackers. Dr.Web analysts have determined that nearly $19,000 worth of cryptocurrency was stolen with it.
In late May 2023, a Dr.Web customer reported an infection of their computer by the stealer. The threat was removed, but the investigation found that the customer was running an unofficial build of Windows into which the Trojan had already been embedded. Further investigation turned up several such infected builds, among them “Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso” and “Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso”. These builds were offered for download on a torrent tracker, and the attackers may be distributing the infected system images through other sites as well.
Clipper Deployment and Cryptocurrency Theft: An In-depth Analysis
The stealer is deployed in several stages. First, the dropper Trojan.MulDrop22.7578 is started by the system task scheduler. It mounts the EFI System Partition as drive M:, copies two further Trojan components onto it (the injector Trojan.Inject4.57873 and the clipper payload Trojan.Clipper.231), deletes the original Trojan files from drive C:, launches Trojan.Inject4.57873, and unmounts the EFI partition. Trojan.Inject4.57873 then uses process hollowing to inject Trojan.Clipper.231 into the system process “%WINDIR%\System32\Lsaiso.exe”, so the clipper runs within the context of that process. Keeping the components on the EFI partition, which has no drive letter during normal operation, keeps them out of sight of a routine scan of drive C: even after the originals there have been deleted.
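The deployment chain above suggests three cheap things to look for on a suspect host: a scheduled task that mounts the EFI System Partition (ESP), unexpected files on the ESP itself, and an LsaIso.exe instance on a machine that has no reason to run one. The following triage script is an added example written for this article; it is not code from Dr.Web or from the Trojan. It assumes an elevated PowerShell 5.1+ session on the affected Windows host and a free drive letter M:. The file names the dropper leaves on the ESP are not given in the report, so the script lists everything outside the normal EFI\ boot tree for manual review rather than matching specific names.

```powershell
# Added triage example (not Dr.Web's or the Trojan's code). Assumes an elevated
# PowerShell 5.1+ session on the suspect Windows host and that drive letter M: is free.
# File names on the ESP are not known from the report, so anything outside EFI\ is listed.

function Invoke-EspClipperTriage {
    [CmdletBinding()]
    param([string]$MountLetter = 'M')

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. The dropper is started by the task scheduler. Flag task actions that invoke
    #    mountvol or reference the drive letter the chain uses for the ESP.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'mountvol|\bM:') {
                $findings.Add([pscustomobject]@{
                    Kind   = 'ScheduledTask'
                    Detail = "$($task.TaskPath)$($task.TaskName) -> $cmd"
                })
            }
        }
    }

    # 2. Mount the ESP the same way the dropper does (mountvol <letter>: /S), list files
    #    outside the boot tree or with Windows executable/script extensions, then unmount.
    $root = "${MountLetter}:\"
    mountvol "${MountLetter}:" /S
    try {
        foreach ($file in Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue) {
            $outsideBootTree = $file.FullName -notlike "${root}EFI\*"
            $isExecutable    = $file.Extension -in @('.exe', '.dll', '.sys', '.bat', '.cmd', '.ps1')
            if ($outsideBootTree -or $isExecutable) {
                $findings.Add([pscustomobject]@{
                    Kind   = 'EspFile'
                    Detail = "$($file.FullName) ($($file.Length) bytes, modified $($file.LastWriteTimeUtc) UTC)"
                })
            }
        }
    }
    finally {
        mountvol "${MountLetter}:" /D
    }

    # 3. Hollowing target. A hollowed LsaIso.exe keeps the genuine image path, so the path
    #    proves nothing; instead note that LsaIso.exe should only be running when
    #    Credential Guard is on (Win32_DeviceGuard.SecurityServicesRunning contains 1).
    $lsaiso = Get-Process -Name lsaiso -ErrorAction SilentlyContinue
    if ($lsaiso) {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
        $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
        foreach ($p in $lsaiso) {
            $findings.Add([pscustomobject]@{
                Kind   = 'LsaIsoProcess'
                Detail = "PID $($p.Id); Credential Guard running: $cgRunning"
            })
        }
    }

    return $findings
}

Invoke-EspClipperTriage | Format-Table -AutoSize -Wrap
```

The ESP listing will always contain the legitimate Microsoft and vendor boot loaders under EFI\, which is why only the boot tree is excluded rather than matched against a whitelist; review anything else by hash. An LsaIso.exe finding with Credential Guard not running is a strong lead on the hollowing described above, but the converse does not clear the host, since hollowing does not alter the process image path or name.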
Once running, Trojan.Clipper.231 monitors the clipboard and replaces any copied cryptocurrency wallet address with one preset by the attackers. It has two guardrails: it only starts replacing addresses if the file “%WINDIR%\INF\scunown.inf” exists on the system, and it checks the running processes for applications its authors consider dangerous to it, refraining from address replacement while any such process is active. The report treats the first check purely as an activation marker, so for defenders the presence of that file is a cheap indicator of compromise in its own right.
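To make the replacement step concrete, here is an added example, written for this article and not taken from the Trojan or from Dr.Web, of the classification a clipper has to perform on clipboard text, and a host-side check built on the two facts the report gives: the replacement address is of the same kind as the one copied (otherwise the victim's wallet would reject it), and the gate file %WINDIR%\INF\scunown.inf must exist. It assumes PowerShell 5.1+ on Windows for Get-Clipboard. The address patterns are the public Bitcoin (legacy Base58, bech32) and Ethereum formats, not the Trojan's own matching rules, which the report does not disclose.

```powershell
# Added example (not the Trojan's or Dr.Web's code). Assumes PowerShell 5.1+ on Windows.
# Address patterns below are the public BTC/ETH formats, an assumption about what a
# clipper matches; the Trojan's actual rules are not disclosed in the report.

$AddressPatterns = [ordered]@{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'   # Base58: no 0, O, I, l
    'BTC-bech32' = '^bc1[02-9ac-hj-np-z]{11,71}$'        # bech32 charset: no 1, b, i, o
    'ETH'        = '^0x[0-9a-fA-F]{40}$'
}

# Returns the kind of wallet address in $Text, or $null if it is not one.
# -cmatch is deliberate: Base58 and bech32 are case-sensitive alphabets.
function Get-WalletAddressKind {
    param([string]$Text)
    $t = $Text.Trim()
    foreach ($kind in $AddressPatterns.Keys) {
        if ($t -cmatch $AddressPatterns[$kind]) { return $kind }
    }
    return $null
}

# A clipper swaps an address for a DIFFERENT address of the SAME kind. A clipboard that
# moved from one valid address to another of the same kind is the tell.
function Test-ClipboardSwap {
    param([string]$Previous, [string]$Current)
    $pk = Get-WalletAddressKind $Previous
    $ck = Get-WalletAddressKind $Current
    return ($null -ne $pk) -and ($pk -eq $ck) -and ($Previous.Trim() -ne $Current.Trim())
}

# The report says Trojan.Clipper.231 only acts when this file exists.
function Test-ClipperGate {
    return Test-Path (Join-Path $env:WINDIR 'INF\scunown.inf')
}

# Poll the clipboard and warn on a same-kind address change.
function Watch-Clipboard {
    param([int]$PollMs = 250, [int]$Seconds = 60)
    $last = Get-Clipboard -Raw
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        Start-Sleep -Milliseconds $PollMs
        $now = Get-Clipboard -Raw
        if ($now -ne $last) {
            if (Test-ClipboardSwap -Previous $last -Current $now) {
                Write-Warning "Clipboard address changed: '$last' -> '$now' [$(Get-WalletAddressKind $now)]"
            }
            $last = $now
        }
    }
}

if (Test-ClipperGate) { Write-Warning "Gate file present: $env:WINDIR\INF\scunown.inf" }
Watch-Clipboard -Seconds 30
```

Two limitations are worth stating. Polling can miss the original value entirely if the clipper reacts to clipboard-update notifications and substitutes its address before the next poll, so a production monitor should subscribe to those notifications rather than poll. And a user who legitimately copies two addresses of the same kind in quick succession will trip the heuristic; the reliable user-side check remains comparing the first and last characters of the pasted address against the intended recipient before sending.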
According to Dr.Web, the operators stole 0.73406362 BTC and 0.07964773 ETH with Trojan.Clipper.231, worth approximately $18,976 at the time of the report.
Planting malware in the EFI partition is a relatively uncommon attack vector, which makes this case particularly interesting to information-security specialists: the partition carries no drive letter in normal operation, so files placed there are easy to overlook. Dr.Web advises downloading operating-system ISO images only from the manufacturers' websites; comparing the downloaded image's hash with the value the vendor publishes is the direct check that a tampered third-party build such as these cannot pass.