New Campaign Leverages Trojanized Windows 10 Installer Files to Compromise Network Security in Ukraine

Government entities in Ukraine have been targeted in a new campaign that used trojanized Windows 10 installer ISOs as the initial foothold for post-exploitation activity on their networks. Mandiant, the cybersecurity company that discovered the supply chain attack around mid-July 2022, tracks the threat cluster as UNC4166. The malicious ISO files were distributed via Ukrainian- and Russian-language torrent websites; once a system was installed from one of them, the embedded malware gathered information about the host and exfiltrated it.

The group's provenance is unknown, but the intrusions reportedly hit organizations that had previously been victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor.

The ISO was built to disable the telemetry a Windows installation normally sends to Microsoft, to block automatic updates and license verification, and to install PowerShell backdoors. The primary goal of the operation appears to be information gathering: after initial reconnaissance established that a machine held intelligence of value, additional implants were deployed to it. These include Stowaway, an open source proxy tool; Cobalt Strike Beacon; and SPAREPART, a lightweight backdoor written in C that lets the operator execute commands, harvest data, capture keystrokes and screenshots, and send the results to a remote server. In some instances the adversary also attempted to download the Tor anonymity browser onto the victim's device, which may have served as an alternative exfiltration route. SPAREPART is thought to be a redundant implant deployed to maintain remote access should the other methods fail; functionally it is identical to the PowerShell backdoors dropped earlier in the attack chain.
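As an added triage example (editor's code, not from Mandiant's report or this article), the PowerShell script below checks a Windows host for the classes of modification described above: an installer whose hash does not match the vendor's published value, telemetry forced off, update and activation services blocked, Microsoft endpoints sinkholed in the hosts file, and PowerShell-based persistence. The registry paths, service names and domain patterns are standard Windows locations chosen for illustration; the article does not publish the exact values the trojanized ISO set, so they are assumptions, and any hit is a lead to investigate rather than confirmation of UNC4166 activity.

```powershell
# Added triage script; the checks below are generic Windows locations, not
# indicators published for this campaign (assumption: the trojanized build
# achieved its effects through these common mechanisms).
param(
    [string]$IsoPath,
    [string]$ExpectedSha256   # assumption: obtained out of band from the vendor's hash list
)

$findings = @()

# 1. Integrity of the installer itself: a trojanized ISO will not match the
#    hash Microsoft publishes for the same build.
if ($IsoPath -and (Test-Path $IsoPath)) {
    $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $actual -ne $ExpectedSha256.ToUpper()) {
        $findings += "ISO hash mismatch: $actual (expected $($ExpectedSha256.ToUpper()))"
    }
}

# 2. Telemetry forced off by policy or by disabling the collection service.
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
if (Test-Path $dc) {
    $v = (Get-ItemProperty -Path $dc -ErrorAction SilentlyContinue).AllowTelemetry
    if ($v -eq 0) { $findings += "AllowTelemetry policy set to 0 at $dc" }
}

# 3. Update and activation services disabled (wuauserv/UsoSvc handle Windows
#    Update, sppsvc handles license verification, DiagTrack sends telemetry).
foreach ($name in 'DiagTrack', 'wuauserv', 'UsoSvc', 'sppsvc') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') { $findings += "Service $name is disabled" }
}
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $au) {
    $v = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).NoAutoUpdate
    if ($v -eq 1) { $findings += "NoAutoUpdate policy set at $au" }
}

# 4. Microsoft endpoints sinkholed in the hosts file, a common way to block
#    telemetry, update and activation traffic (domain list is an assumption).
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($line in (Get-Content $hostsFile -ErrorAction SilentlyContinue)) {
    if ($line -notmatch '^\s*#' -and $line -match 'microsoft\.com|windowsupdate\.com|live\.com') {
        $findings += "hosts entry: $line"
    }
}

# 5. Persistence via PowerShell: scheduled tasks and Run keys that launch
#    powershell.exe or pwsh.exe are where a PowerShell backdoor usually lives.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh') {
            $findings += "Scheduled task '$($task.TaskName)' runs: $cmd"
        }
    }
}
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip the PS* metadata properties Get-ItemProperty adds; their values
    # contain "PowerShell" and would otherwise match.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'powershell|pwsh') {
            $findings += "Run key $run\$($p.Name): $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from an elevated prompt, for example `.\triage.ps1 -IsoPath D:\Win10.iso -ExpectedSha256 <hash from Microsoft>`; the hash parameters are optional so the host checks can run on a machine that was already installed from an untrusted image. A clean result only means these particular mechanisms were not used: SPAREPART and the other implants the article describes are not covered by this script.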
Mandiant noted that the use of trojanized ISOs is novel in espionage operations, and that the inclusion of anti-detection capabilities indicates the actors behind this activity are security conscious and patient: the operation would have required significant time and resources to develop, followed by waiting for the ISO to be installed on a network of interest.