Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities
Governmental bodies in Ukraine were recently affected by trojanized installer files for Windows 10, distributed as part of a campaign that used them to carry out post-exploitation activity on the compromised hosts.
Mandiant discovered the supply chain attack in mid-July 2022 and reports that the malicious ISO files were distributed through Ukrainian- and Russian-language torrent websites. It tracks the threat cluster as UNC4166.
“Upon installation of the compromised software, the malware gathers information on the infiltrated device and exfiltrates it,” the cybersecurity firm said in a technical deep dive published on Thursday.
The intrusions reportedly targeted organisations that had previously been hit by disruptive wiper operations attributed to APT28, a Russian state-sponsored actor, although the origin of this particular collective remains unknown.
According to the Google-owned threat intelligence firm, the ISO file was designed to install PowerShell backdoors, stop telemetry data transmission from the infected PC to Microsoft, block automatic updates, and thwart licensing verification.
Additional implants were delivered to the computers only after a preliminary survey of the compromised environment to determine whether it held any useful intelligence, which suggests that the operation’s main objective was information gathering.
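As an added defensive check, not part of the original report or Mandiant’s tooling, the following PowerShell audit looks on a Windows 10 host for the kinds of tampering described above: telemetry switched off, automatic updates blocked, and licensing checks broken. The article does not name the mechanism the installer used, so the registry policy values, service names, and hosts-file pattern below are assumed standard Windows levers, not indicators taken from the report.

```powershell
# Added defensive audit (assumption: the trojanized ISO would use common
# policy keys, service states, or hosts-file overrides; the article does not
# say which). Run from an elevated PowerShell prompt on the host being checked.

$findings = @()

function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Suspicious, [string]$Why)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq $Suspicious) {
        $script:findings += "$Path\$Name = $Suspicious ($Why)"
    }
}

# Telemetry forced to the lowest level by policy (0 is only honoured on
# Enterprise/Education SKUs, but its presence on a home build is itself odd)
Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
    'AllowTelemetry' 0 'telemetry disabled by policy'
# Automatic updates disabled by policy
Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    'NoAutoUpdate' 1 'automatic updates disabled by policy'

# Services the three behaviours depend on: Connected User Experiences and
# Telemetry (DiagTrack), Windows Update (wuauserv), Software Protection (sppsvc)
foreach ($svc in 'DiagTrack', 'wuauserv', 'sppsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { $findings += "service $svc is missing"; continue }
    if ($s.StartType -eq 'Disabled') { $findings += "service $svc is Disabled" }
}

# Hosts-file entries that sinkhole Microsoft endpoints (assumed technique)
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S*microsoft\.com' } |
    ForEach-Object { $findings += "hosts override: $_" }

# Licensing state: LicenseStatus 1 means Licensed; anything else warrants a look
$lic = Get-CimInstance -ClassName SoftwareLicensingProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.PartialProductKey -and $_.LicenseStatus -ne 1 }
foreach ($p in $lic) {
    $findings += "product '$($p.Name)' LicenseStatus=$($p.LicenseStatus)"
}

if ($findings.Count -eq 0) { 'No tampering indicators found' } else { $findings }
```

A clean build of the same Windows edition is the right baseline: some of these settings are legitimately set by enterprise policy, so treat hits as leads for comparison rather than proof of compromise.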
These included SPAREPART, a lightweight backdoor coded in C; Cobalt Strike Beacon; and Stowaway, an open-source proxy tool. Together they allowed the threat actor to run commands, gather data, record keystrokes, take screenshots, and export the information to a remote server.
In some cases the adversary attempted to download the Tor anonymity browser to the victim’s device. The actual reason for this behaviour is unclear, but it may have served as an alternative means of exfiltration.
As the name implies, SPAREPART is regarded as a backup malware installed in case other methods fail to maintain remote access to the system; it performs the same function as the PowerShell backdoors disseminated earlier in the attack chain.
The inclusion of anti-detection capabilities along with the use of trojanized ISOs in espionage operations “indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant amount of time and resources to develop and wait for the ISO to be installed on a network of interest,” Mandiant said.
Cloud Atlas Attacks Belarus and Russia
The findings coincide with Check Point and Positive Technologies disclosing long-running attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by a group known as Cloud Atlas.
The hacking group, active since 2014, has a history of targeting Eastern Europe and Central Asia, but since the start of the Russia-Ukraine conflict it has been seen to target mostly Russian, Belarusian, and Transnistrian entities.
The Crimean Peninsula and the Lugansk and Donetsk regions, all of which Russia has annexed, remain the focus of the actors, according to a study released by Check Point last week.
Cloud Atlas, which has also gone by the names Clean Ursa, Inception, and Oxygen, is grouped with other APTs such as TajMahal, DarkUniverse, and Metador. The group got its name from its use of cloud services such as OpenDrive to host malware and for command-and-control (C2).
The adversary frequently orchestrates its attack chains with phishing emails carrying lure attachments, which ultimately deliver a malicious payload through a complex multi-stage process.
The malware then contacts a C2 server under the actor’s control to obtain further backdoors that can be used to steal files with particular extensions from the compromised endpoints.
The attacks documented by Check Point, on the other hand, end with a PowerShell-based backdoor known as PowerShower, which Palo Alto Networks Unit 42 first identified in November 2018.
Some of these intrusions were also successful in June 2022, giving the threat actor complete access to the network and the ability to entrench itself further using tools such as Chocolatey, AnyDesk, and PuTTY.
“Due to the deepening of the war between Russia and Ukraine, their attention has been on Russia as well as Belarus and their diplomatic, governmental, energy, and technology sectors, and also the annexed regions of Ukraine for the past year,” Check Point noted.