Curiously, the protagonist of this story is not the operating system itself (Windows 10 in this case), but one of its own installers, trojanized.

Government agencies in Ukraine have been compromised in a new campaign that uses trojanized versions of the Windows 10 installation files to carry out malicious activity.

How did this infected Windows 10 installer get to Ukrainian institutions?

Mandiant, which discovered the attack on the affected computer systems around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language torrent websites; the threat cluster behind the activity, tracked as UNC4166, is still being monitored.

"After installing the infected software, the malware gathers information about the compromised system and exfiltrates it [to the attackers' devices]," the cybersecurity firm said in a technical analysis published last Thursday.

While the provenance of the trojanized installer ISO is unknown, the intrusions are said to have targeted organizations that had previously been victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored threat actor.

The ISO file, according to the Google-owned threat intelligence firm, was designed to disable the transmission of telemetry data from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and license verification.
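The article lists the classes of tampering built into the image (telemetry switched off, automatic updates blocked, PowerShell backdoors). The following triage script is an added example written for this page, not code from the article or from Mandiant's report: it looks for those classes of change on a machine suspected of having been built from an untrusted ISO. The service names, registry policy paths and scheduled-task heuristic are generic Windows administration knowledge and are assumptions here, not indicators published for this campaign; the optional hash check is the same one a home user can apply to any downloaded ISO, using a SHA-256 value obtained from Microsoft rather than from the download site.

```powershell
# Added example, not part of the original article or of Mandiant's report.
# Triage a Windows 10 machine for the kinds of tampering described in the text.
# All paths, service names and patterns below are assumptions based on stock
# Windows behaviour, not campaign-specific IOCs.

function Get-SuspiciousInstallFindings {
    [CmdletBinding()]
    param(
        # Optional: path to the ISO the system was installed from, and the
        # SHA-256 obtained from Microsoft, to confirm the media was unmodified.
        [string]$IsoPath,
        [string]$ExpectedSha256
    )

    $findings = @()

    # 1. Services a trojanized image would plausibly turn off.
    #    DiagTrack = "Connected User Experiences and Telemetry"; wuauserv = Windows Update.
    foreach ($svcName in 'DiagTrack', 'wuauserv') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $findings += "Service $svcName is missing"
        } elseif ($svc.StartType -eq 'Disabled') {
            $findings += "Service $svcName is Disabled (unexpected on a stock install)"
        }
    }

    # 2. Policy values that suppress telemetry and automatic updates. These keys
    #    normally do not exist on a fresh consumer install, so finding them set
    #    right after setup is worth a closer look.
    $policyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';   Name = 'AllowTelemetry';             Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';               Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DisableWindowsUpdateAccess'; Bad = 1 }
    )
    foreach ($c in $policyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            $findings += "Policy $($c.Path)\$($c.Name) = $($c.Bad)"
        }
    }

    # 3. Scheduled tasks that launch PowerShell with an encoded or hidden command
    #    line: a generic heuristic for PowerShell persistence, not a signature for
    #    the backdoors in the article. Expect some false positives; review each hit.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)powershell|pwsh' -and $cmd -match '(?i)-enc|-e\s|-w(indowstyle)?\s+hidden') {
                $findings += "Scheduled task '$($task.TaskName)' runs: $cmd"
            }
        }
    }

    # 4. Optional media integrity check. Get-FileHash is built in; the expected
    #    value must come from Microsoft, never from the torrent page itself.
    if ($IsoPath -and $ExpectedSha256) {
        $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            $findings += "ISO hash mismatch: got $actual"
        }
    }

    return $findings
}

# Usage (elevated PowerShell session on the machine under review):
#   Get-SuspiciousInstallFindings | Format-List
#   Get-SuspiciousInstallFindings -IsoPath 'D:\Win10.iso' -ExpectedSha256 '<value from Microsoft>'
```

An empty result does not prove the machine is clean; the checks only cover the generic symptoms named in the article, and an attacker can disable telemetry and updates in other ways. Treat any hit as a reason to rebuild from media obtained directly from Microsoft rather than to "clean" the install in place.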

The primary objective of the operation appears to have been intelligence gathering: additional implants were deployed to selected devices, but only after an initial reconnaissance of the compromised environment determined that it contained the information the attackers were after.

These implants included Stowaway, an open-source proxy tool; Cobalt Strike Beacon; and SPAREPART, a lightweight backdoor written in C that lets the operator execute commands, collect data, capture keystrokes and screenshots, and upload the collected information to a remote server.

In some cases the attacker also attempted to download and install the Tor Browser on the victim's device. The exact reason for this is not clear, but it is suspected that it served as an alternative exfiltration route, essentially to reduce the chances of being caught.

SPAREPART, as the name suggests, is considered a redundant implant, deployed to maintain remote access to the system in case the other access methods (such as the PowerShell backdoors) fail. It is functionally identical to the PowerShell backdoors dropped at the start of the intrusion.

"The use of trojanized ISOs is new in espionage operations, and the included anti-detection features indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait until the ISO was installed on a network of interest," Mandiant said.

Can this infected Windows 10 installer story affect home users?

Without mincing words: yes.

Indeed, many people look for shortcuts to get the operating system for free, and the fact that prices have come down a lot (a Windows 10 license can be bought on Amazon for less than €20, whereas the full retail price is around €200) does not seem to have deterred users from piracy.

Alongside the danger of KMS activation cracks, there is also that of harmful installers distributed by who knows whom.

Even if it is not a virus or malware in the strict sense, such an installer can still be a nuisance and damage your PC. This is usually the work of the so-called "cousins", the self-styled technicians who install Windows drivers through dubious third-party programs instead of doing the obvious thing: going to the manufacturers' own websites and getting the drivers from there.

Just as that practice can damage the software environment badly enough to force a reinstallation of the operating system (not to mention spreading malware that even antivirus software struggles to detect), these installers can create plenty of problems of their own.