The Clipper Trojan exploits pirated Windows ISO files for cryptocurrency theft

Security vendor Doctor Web recently discovered, in the course of an investigation, a malicious Trojan it calls Clipper, which is distributed online inside pirated Windows ISO files and is used to steal victims' cryptocurrency. The Clipper Trojan steals the user's funds by replacing the cryptocurrency wallet address on the user's device with an address controlled by the attacker.

This malicious program specifically targets pirated ISO images of Windows 10 Pro 22H2, in which the Clipper Trojan has been embedded from the start. The infected ISO files spread mainly over P2P via torrent tracker servers, though researchers believe they may also have spread through other websites.

Clipper's infection process is cunning. It begins with a program called a dropper that creates an EFI disk partition in Windows. Then a program called Inject is loaded, which injects Clipper into the legitimate system process Lsaiso.exe. Clipper checks the target system for the presence of security software; if any is found, Clipper keeps a low profile. If none is found, Clipper replaces any cryptocurrency wallet address in the Windows clipboard with the attacker-controlled address. This attack method is rare but effective: the hackers have so far stolen about $19,000 worth of Ether and Bitcoin. Doctor Web urges users to download Windows ISO images only from legitimate websites to avoid being targeted by hackers.