Mandiant recently identified that in a targeted attack on Ukrainian government entities, trojanized ISO files were used by threat actors to cloak malicious programs posing as legitimate Windows 10 installers for the first step in compromising their networks.
Malicious installers are delivering malware that could perform a wide range of malicious activities, including:-
- Monitoring compromised computers for the purpose of collecting data
- The deployment of additional malicious tools
- Data exfiltration to servers controlled by attackers
Trojanized Windows 10 Installer
An ISO that was part of the campaign was hosted on the Ukrainian torrent tracker “toloka[.]to” has been found to be created in May 2022 by a user that is delivered in this campaign.
Here below we have mentioned the key security features of Windows that are disabled by the ISO file since it comes pre-configured with such abilities:-
- Disable security telemetry
- Block automatic updates
- Disable license verification
As far as the motives for the intrusions are concerned, there is no indication that they were financial. Since there is no trace of any:-
- The theft of monetizable information
- The deployment of ransomware
- The deployment of cryptominers
The Mandiant security team also discovered several scheduled tasks that were set up in mid-July 2022 to receive commands prepared for execution via PowerShell while analyzing multiple devices that are found to be infected on the networks of the Ukrainian Government.
As a result of initial reconnaissance, analysts have also discovered additional payloads such as:-
- STOWAWAY
- BEACON
- SPAREPART
This cluster of threat activity is being monitored by Mandiant as UNC4166, which is the number assigned to it. At the outset of the war, UNC4166’s target organizations overlapped with those targeted by GRU-related clusters with wipers aimed at other organizations in the region.
APT28, a Russian state-sponsored actor widely recognized for its disruptive wiper attacks, has been accused of launching intrusions against organizations that have been previously targeted by disruptive wiper attacks and have not been able to establish any kind of link to them.
Moreover, there has been an operation of APT28 on behalf of the Russian GRU’s intelligence service since at least 2004.
