Mandiant recently identified that in a targeted attack on Ukrainian government entities, trojanized ISO files were used by threat actors to cloak malicious programs posing as legitimate Windows 10 installers for the first step in compromising their networks.
Malicious installers are delivering malware that could perform a wide range of malicious activities, including:-
An ISO that was part of the campaign was hosted on the Ukrainian torrent tracker “toloka[.]to” has been found to be created in May 2022 by a user that is delivered in this campaign.
Here below we have mentioned the key security features of Windows that are disabled by the ISO file since it comes pre-configured with such abilities:-
As far as the motives for the intrusions are concerned, there is no indication that they were financial. Since there is no trace of any:-
The Mandiant security team also discovered several scheduled tasks that were set up in mid-July 2022 to receive commands prepared for execution via PowerShell while analyzing multiple devices that are found to be infected on the networks of the Ukrainian Government.
As a result of initial reconnaissance, analysts have also discovered additional payloads such as:-
This cluster of threat activity is being monitored by Mandiant as UNC4166, which is the number assigned to it. At the outset of the war, UNC4166’s target organizations overlapped with those targeted by GRU-related clusters with wipers aimed at other organizations in the region.
APT28, a Russian state-sponsored actor widely recognized for its disruptive wiper attacks, has been accused of launching intrusions against organizations that have been previously targeted by disruptive wiper attacks and have not been able to establish any kind of link to them.
Moreover, there has been an operation of APT28 on behalf of the Russian GRU’s intelligence service since at least 2004.
The Ukrainian government and military organizations have been the targets of multiple phishing campaigns which have been flagged by Google, Microsoft, and Ukraine’s CERT as APT28 operations since Russia’s invasion of Ukraine began.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book
Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…