Stealer in Unlicensed Windows 10 Builds Used by Hackers to Steal Cryptocurrency, Warns Dr. Web
Dr. Web, a Russian cyber-security firm, has discovered a stealer in unlicensed Windows 10 builds that hackers distributed on a torrent tracker. The Trojan application, Trojan.Clipper.231, replaces cryptocurrency wallet addresses in the clipboard with addresses belonging to the scammers. The stealer helped the hackers steal nearly $19,000 in cryptocurrency. The malware was discovered towards the end of May 2023, when one of Dr. Web’s clients reported that their computer was infected by a stealer; the threat was removed. Further investigation revealed that the client’s operating system (OS) was an unofficial build into which the Trojan programs had been planted in advance. Infected builds include Windows 10 Pro 22H2 19045.2728, Windows 10 Pro 22H2 19045.2846, and Windows 10 Pro 22H2 19045.2913, all available for download on a torrent tracker. The hackers may also be using other sites to spread infected images of the system.
The stealer is launched in stages. First, the malware Trojan.MulDrop22.7578 is started via the system Task Scheduler. After the original Trojan files are deleted from the C: drive, the second component of the Trojan, Trojan.Inject4.57873, is copied and launched. Trojan.Inject4.57873 uses the Process Hollowing technique to inject Trojan.Clipper.231 into the LSAISO.EXE system process, so that the stealer runs inside that process.
Trojan.Clipper.231 monitors the clipboard and replaces cryptocurrency addresses with addresses set by the hackers. The stealer replaces addresses only if the system file “%Windir%\Inf\Scunown.inf” is present, and it checks the active processes before replacing addresses. Using Trojan.Clipper.231, the hackers stole 0.73406362 BTC and 0.07964773 ETH, which amounts to about $18,976 according to Dr. Web.
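The clipboard-swap behaviour described above, as an added detection example that is neither Dr. Web's code nor part of the article: it replays a constructed sequence of clipboard snapshots and flags a copied BTC or ETH address that was silently replaced by a different address of the same kind without a new user copy. All addresses, event names and the `ClipboardEvent` type are constructed placeholders for this example.

```python
import re
from dataclasses import dataclass

# Address formats the clipper in the article targets: BTC (legacy base58 or bech32) and ETH (0x + 40 hex).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None for a clipboard string (whole string must match)."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None


@dataclass
class ClipboardEvent:
    source: str  # "user_copy" = the user copied something; "poll" = a periodic clipboard read
    text: str


def detect_swaps(events):
    """Alert when a poll sees a different address of the same kind as the user's last copy.

    A clipper rewrites the clipboard after the user copies an address, so a poll that
    differs from the last user copy, with both being e.g. BTC addresses, is suspicious.
    """
    alerts = []
    last_user_text = None
    for event in events:
        if event.source == "user_copy":
            last_user_text = event.text.strip()
            continue
        observed = event.text.strip()
        if last_user_text is None or observed == last_user_text:
            continue  # nothing copied yet, or clipboard unchanged: benign
        expected_kind = address_kind(last_user_text)
        if expected_kind is not None and expected_kind == address_kind(observed):
            alerts.append({"kind": expected_kind, "expected": last_user_text, "observed": observed})
    return alerts


# Constructed sample addresses (not real wallets) and a constructed event timeline.
BTC_A = "1Fz7p3Ymw6xK9tQ2Ha5bN8cVdR4sW1eUjX"
BTC_B = "3Hq2mN7vK4xPw9tR5yBcD8eF6gJ1sL2aZb"
ETH_A = "0xab12cd34ef56ab12cd34ef56ab12cd34ef56ab12"
SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", BTC_A),
    ClipboardEvent("poll", BTC_A),            # unchanged: benign
    ClipboardEvent("poll", BTC_B),            # replaced behind the user's back: alert
    ClipboardEvent("user_copy", "meeting notes"),
    ClipboardEvent("poll", "meeting notes"),
    ClipboardEvent("user_copy", ETH_A),
    ClipboardEvent("poll", ETH_A),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"ALERT {alert['kind']}: copied {alert['expected']} but clipboard now {alert['observed']}")
```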