Hackers Attack Ukrainian Organizations through Malicious Windows 10 Installers

Windows 10 malicious installers

Mandiant experts reported that Ukrainian government agencies are suffering from attacks using malicious Trojanized Windows 10 installers, as victims download malicious ISO files from Ukrainian and Russian-language torrent trackers (including Toloka and RuTracker).

Let me remind you that we also wrote that TrickBot Hack Group Systematically Attacks Ukraine, and that Microsoft Accuses Russia of Cyberattacks against Ukraine’s Allies.

According to the researchers, this campaign has been running since July 2022 and is a social engineering attack on the software supply chain: victims install the operating system themselves from a tampered image. The activity is attributed to a threat cluster that Mandiant tracks as UNC4166.

Infections carried out in this way were found in the networks of “several” government organizations, which were allegedly hand-picked by the hackers. At the same time, the researchers do not specify which government agencies were affected, and how pirated torrent files got on their computers.


One of the trojanized distributions

The company says that when an infected installer is used, malware is planted on the system; it collects information about the compromised host and transfers it to its operators. The report highlights that the trojanized images ship with the Ukrainian language pack and that the attacks target Ukrainian users.

Mandiant also found additional payloads that were likely deployed after the initial infection. These included the STOWAWAY open source proxy tool, Cobalt Strike beacons, and the SPAREPART backdoor, which allow the hackers to maintain access to compromised machines, execute commands, transfer files, steal information including credentials, intercept keystrokes, and take screenshots.

In some cases, the attackers even tried to download Tor Browser on the victim’s device. Although the exact reason for these actions is not clear, the researchers suspect that Tor could serve as an alternative channel for data theft.

“The use of trojanized ISOs is new to spying operations, and the built-in anti-detection features indicate that the hackers behind this activity are security conscious and patient, as this operation required considerable time and resources to develop, as well as waiting for the ISO to be installed on the target network,” the experts conclude.

The same media reported that Sandworm Targets Ukraine With Industroyer2 Malware.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
