Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets – ExtremeTech


Downloading a copy of Windows from shady online sources is never a good idea, but recently it was even more dangerous in Ukraine. Cybersecurity firm Mandiant identified a trojanized version of Windows 10 being distributed online that was specifically modified to gain access to Ukrainian computer systems. While there are no clear fingerprints on the malicious ISO, Mandiant notes that the targets overlap with previous operations by Russia's security services.

The Windows installer pretends to be a 64-bit version of Windows 10, labeled "Win10_21H2_Ukrainian_x64.iso". It uses the Ukrainian language pack and was mainly distributed on toloka.to, a torrent tracker that targets Ukrainian users. It also appeared on a Russian torrent tracker. It seems likely that this malware campaign is related to the ongoing war in Ukraine.

According to Mandiant, the campaign does not appear to have any financial motive: there are no data-hijacking installers or crypto miners to be seen. Distributing a whole Windows ISO is not the most efficient way to get malicious packages onto machines, but it is useful if you want full access to a system, with the ability to install additional malware when you find a juicy target. The way these additional tools were implemented led Mandiant to suspect Russia's GRU spy agency and government-backed hacking groups like APT28.

Installing the rogue ISO gives you what appears to be a fully functional version of Windows 10, but the underlying code has been modified in several vital ways. For one, it doesn't send security telemetry to Microsoft the way a regular copy of Windows does. After installation, built-in tools, run through scheduled and modified system tasks, scan the system for useful information, and that data is then sent to a remote server. Some installations were also loaded with additional malware tools afterwards, suggesting that those targets were of particular interest to the hackers.
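The two host-level behaviours the article attributes to the trojanized build, telemetry to Microsoft switched off and scheduled tasks added or modified to collect and ship data, are things a defender can check for on a suspect machine. The following PowerShell triage script is an added example written for this page; it is not code from ExtremeTech or from Mandiant's report, and it does not reproduce any indicator from that report. It assumes the standard Windows cmdlets `Get-ItemProperty`, `Get-Service`, `Get-ScheduledTask` and `Get-AuthenticodeSignature`, the real `AllowTelemetry` policy value and `DiagTrack` service, and a `$RecentDays` window that is an arbitrary assumption for flagging recently changed task binaries.

```powershell
# Added example (not from the article or Mandiant): post-install triage for the
# behaviours described above. Run from an elevated PowerShell on the host in question.
param(
    [int]$RecentDays = 90   # assumption: flag task binaries modified within this window
)

$findings = @()

# 1. Telemetry. The article says the trojanized build stops sending security telemetry.
#    Check the policy keys that control it and the state of the DiagTrack service.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
)
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -ne $v -and $v -eq 0) {
        $findings += [pscustomobject]@{ Type = 'Telemetry'; Item = $key; Detail = 'AllowTelemetry = 0' }
    }
}
$diag = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
if ($null -eq $diag -or $diag.StartType -eq 'Disabled') {
    $findings += [pscustomobject]@{ Type = 'Telemetry'; Item = 'DiagTrack service'; Detail = 'missing or disabled' }
}

# 2. Scheduled tasks. List every enabled task whose action runs a binary that is
#    either not Microsoft-signed or was modified recently. Legitimate third-party
#    tasks will appear here too; this is a triage list for an analyst, not a verdict.
$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
        # Expand %SystemRoot%-style variables and strip quotes so the path can be tested
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (-not (Test-Path -LiteralPath $exe)) {
            # Bare names such as cmd.exe resolve through PATH; try that before giving up
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue
            if ($cmd) { $exe = $cmd.Source } else { continue }
        }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        $lastWrite = (Get-Item -LiteralPath $exe).LastWriteTime
        if (-not $isMicrosoft -or $lastWrite -gt $cutoff) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "$exe $($action.Arguments) (signature=$($sig.Status), lastWrite=$($lastWrite.ToShortDateString()))"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

On a clean install the telemetry section should report nothing and the task section should list only tasks from software you recognise; a build that disables DiagTrack and adds tasks pointing at unsigned or freshly written binaries under user-writable paths is what the article's description would look like from the inside. The signature check only tells you who signed the file, so a signed-but-abused system utility still needs its arguments reviewed by hand.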

Mandiant identified several machines running the infected version of Windows within Ukrainian government networks. The machines began communicating with the operators via an encrypted Tor tunnel in July 2022. This is a new type of attack and one we may see more often as the conflict in Ukraine drags on. Unlike many malware campaigns, this one is easy to avoid: just don't download copies of Windows from torrent sites. Microsoft will actually let you download Windows ISOs straight from the source these days.
