Tuesday, October 15, 2024
HomeMalwareHackers Use Trojanized Windows 10 Installer To Attack Against Government Entities

Hackers Use Trojanized Windows 10 Installer To Attack Against Government Entities

Published on

Malware protection

Mandiant recently identified that in a targeted attack on Ukrainian government entities, trojanized ISO files were used by threat actors to cloak malicious programs posing as legitimate Windows 10 installers for the first step in compromising their networks.

Malicious installers are delivering malware that could perform a wide range of malicious activities, including:-

  • Monitoring compromised computers for the purpose of collecting data
  • The deployment of additional malicious tools
  • Data exfiltration to servers controlled by attackers

Trojanized Windows 10 Installer

An ISO that was part of the campaign was hosted on the Ukrainian torrent tracker “toloka[.]to” has been found to be created in May 2022 by a user that is delivered in this campaign.

- Advertisement - SIEM as a Service

Here below we have mentioned the key security features of Windows that are disabled by the ISO file since it comes pre-configured with such abilities:-

  • Disable security telemetry 
  • Block automatic updates 
  • Disable license verification
Fake Page

As far as the motives for the intrusions are concerned, there is no indication that they were financial. Since there is no trace of any:-

  • The theft of monetizable information
  • The deployment of ransomware
  • The deployment of cryptominers

The Mandiant security team also discovered several scheduled tasks that were set up in mid-July 2022 to receive commands prepared for execution via PowerShell while analyzing multiple devices that are found to be infected on the networks of the Ukrainian Government.

As a result of initial reconnaissance, analysts have also discovered additional payloads such as:-

  • STOWAWAY
  • BEACON
  • SPAREPART

This cluster of threat activity is being monitored by Mandiant as UNC4166, which is the number assigned to it. At the outset of the war, UNC4166’s target organizations overlapped with those targeted by GRU-related clusters with wipers aimed at other organizations in the region.

APT28, a Russian state-sponsored actor widely recognized for its disruptive wiper attacks, has been accused of launching intrusions against organizations that have been previously targeted by disruptive wiper attacks and have not been able to establish any kind of link to them.

Moreover, there has been an operation of APT28 on behalf of the Russian GRU’s intelligence service since at least 2004.

The Ukrainian government and military organizations have been the targets of multiple phishing campaigns which have been flagged by Google, Microsoft, and Ukraine’s CERT as APT28 operations since Russia’s invasion of Ukraine began.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...