A Trojanized Windows 10 Installer Used for Cyberattacks on Ukraine Govt

Mandiant and Google threat intelligence researchers have detected cyberattacks against Ukrainian government entities, leveraging a fake Windows 10 installer.

The installer is a trojanized ISO file distributed via Ukrainian- and Russian-language torrent websites. The campaign's main motivation appears to be intelligence gathering, though it also deploys tools for remote control and further exploration of the compromised systems.

Hack with a fake Windows 10 installer

As the war between Russia and Ukraine shows no sign of ending anytime soon, cyberattacks on either nation happen on a regular basis. With Russia following a hybrid attack model (ground and cyber means), Ukraine is subject to frequent attacks on its industrial and government systems.

The latest of these comes from a threat actor tracked as UNC4166, which Mandiant researchers say launched a campaign to compromise Ukrainian government systems with a trojanized Windows 10 installer.

The installer is said to have been distributed via Ukrainian- and Russian-language torrent sites and used for post-exploitation activities. Tracing this "social engineering supply chain" attack back to mid-July 2022, Mandiant researchers said:

"Upon installation of the compromised software, the malware collects information about the compromised system and extracts it."

The organizations targeted by this campaign were previously the victims of disruptive wiper attacks by a Russian state-sponsored actor called APT28. Google researchers, for their part, noted that the goal of the campaign is to gather intelligence while also disabling the transmission of telemetry data from the infected computer to Microsoft and blocking automatic updates and license verification.
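As an added example (not code from the article, Mandiant or Google), the PowerShell below is a read-only check an administrator could run on a machine built from an untrusted ISO. The article does not say how the installer blocks telemetry, automatic updates and license verification, so the script assumes the standard Windows mechanisms that produce those effects (the Windows Update and telemetry policy keys, the services behind those features, and the hosts file) and reports anything suspicious for review; it is a generic tamper check, not a detection of this specific campaign.

```powershell
# Added example: read-only tamper check for the effects the article attributes to the
# trojanized installer. The registry paths, service names and hosts-file patterns are
# the standard Windows locations an administrator would inspect (an assumption; the
# article does not describe the installer's mechanism). Nothing here changes the system.

$findings = @()

# 1. Group Policy values that switch off automatic updates or lower telemetry.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';   Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';   Name = 'AllowTelemetry'; Bad = 0 }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq $c.Bad) {
        $findings += "Policy $($c.Path)\$($c.Name) = $($c.Bad)"
    }
}

# 2. Services behind Windows Update, telemetry and license verification.
#    On a stock build none of these should be missing or set to Disabled.
$serviceChecks = @{
    'wuauserv'  = 'Windows Update'
    'DiagTrack' = 'Connected User Experiences and Telemetry'
    'sppsvc'    = 'Software Protection (licensing)'
}
foreach ($name in $serviceChecks.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "Service $name ($($serviceChecks[$name])) is missing"
    } elseif ($svc.StartType -eq 'Disabled') {
        $findings += "Service $name ($($serviceChecks[$name])) is disabled"
    }
}

# 3. Uncommented hosts-file entries that sinkhole Microsoft domains, a common way to
#    block telemetry, update and activation traffic without touching any service.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'microsoft\.com|windowsupdate\.com|live\.com' } |
        ForEach-Object { $findings += "hosts entry: $($_.Trim())" }
}

# 4. Report. Any finding means the machine deserves a closer look (or a rebuild from
#    media whose hash was verified against the vendor's published value).
if ($findings.Count -eq 0) {
    'No tampering indicators found.'
} else {
    'Possible tampering indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an elevated PowerShell session so the policy keys and service start types are readable. A hit on any check is a prompt to investigate rather than proof of compromise: administrators do legitimately set some of these values, which is exactly why a host built from torrented media should be compared against a known-good baseline instead of trusted on sight.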

Additionally, after conducting initial reconnaissance, the group would deploy Stowaway and a Cobalt Strike beacon to the target system if it was considered valuable. These tools would allow the threat actor to execute remote commands, collect data, capture keystrokes and screenshots, and exfiltrate stolen information to a remote server.

In one case, the threat actor was seen attempting to download the TOR browser onto the victim's device. While the reason is unknown, it could be used to route stolen information anonymously.
