Mandiant and Google threat intelligence researchers have spotted cyberattacks against the Ukraine government entities, leveraging a fake Windows 10 installer.
The said installer is a trojanized ISO file distributed through the Ukrainian and Russian torrent websites. The campaign’s primary motivation seems to be intelligence gathering while also involving tools for remote controlling and further exploration of needs.
Hacking With a Fake Windows 10 Installer
As the war between Russia and Ukraine doesn’t seem to settle down anytime soon, cyberattacks on either of the nations happen regularly. And with Russia following a hybrid attacking model (through land and cyber means), Ukraine is subject to frequent attacks on its industrial and government systems.
The latest in this pursuit is from a threat actor tracked as UNC4166 – where Mandiant researchers said a campaign is launched to compromise the Ukrainian government systems with a trojanized Windows 10 installer.
It’s said to be distributed through Ukrainian and Russian-language torrent sites and is used for conducting post-exploitation activities. Tracking this “socially engineered supply chain” attack since mid-July 2022, Mandiant researchers said;
“Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it.”
The organizations targeted in this campaign were previously the victims of disruptive wiper attacks from a Russian state-sponsored actor called the APT28. Google researchers, on the other hand, noted the campaign’s aim is to collect intelligence while also disabling the transmission of telemetry data from the infected computer to Microsoft and blocking the automatic updates and license verification.
Further, after conducting the initial reconnaissance, the group would then deploy Stowaway and Cobalt Strike Beacon to the targeted system if it’s considered valuable. These tools would allow the threat actor to execute remote commands, harvest data, capture keystrokes and screenshots, and exfiltrate stolen information to a remote server.
In one instance, the threat actor was seen attempting to download the TOR browser on the victim’s device. While it’s unknown why it could be used to route the information anonymously.