Mandiant experts reported that Ukrainian government agencies are suffering from attacks using malicious Trojanized Windows 10 installers, as victims download malicious ISO files from Ukrainian and Russian-language torrent trackers (including Toloka and RuTracker).
Let me remind you that we also wrote that TrickBot Hack Group Systematically Attacks Ukraine, and also that Microsoft Accuses Russia of Cyberattacks against Ukraine’s Allies.
According to the researchers, the campaign has been running since July 2022 and is a social-engineering attack on the software supply chain: the victims fetch and run the trojanized installers themselves. Mandiant attributes the activity to a threat cluster it tracks as UNC4166.
Infections delivered this way were found on the networks of “several” government organizations, whose victims the hackers allegedly hand-picked from the wider pool of infected machines. The researchers do not, however, say which agencies were affected or how pirated torrent downloads ended up on their computers.
One of the trojanized distributions
According to the company, running a trojanized installer plants malware that collects information about the compromised system and sends it to its operators. The report notes that the hackers ship the installers with the Ukrainian language pack and that the attacks target Ukrainian users.
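The practical defence against this delivery method is to install only images whose checksum matches the vendor's published value. The script below is an added example, not code from the article or from Mandiant: it streams each ISO in a directory through SHA-256 and compares the digest against an allowlist, reporting images that match, images whose content differs from the listed hash, and images no allowlist entry vouches for at all. The file names, the image contents and every hash it uses are constructed placeholders; in practice the allowlist would be populated from the vendor's published checksums.

```python
"""Audit Windows installation images against a SHA-256 allowlist.

Added example (not from the article or from Mandiant's report). Every file
name, image body and hash below is a constructed placeholder.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read images in 1 MiB pieces; real ISOs are several GB


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string (used to build the demo allowlist)."""
    return hashlib.sha256(data).hexdigest()


def classify_image(path, allowlist):
    """Return 'verified', 'tampered' or 'unknown' for one image.

    allowlist maps an image file name to its vendor-published SHA-256.
    A name that is not listed is reported as 'unknown' rather than silently
    passed: an image nobody vouched for should not be deployed either.
    """
    expected = allowlist.get(os.path.basename(path))
    if expected is None:
        return "unknown"
    actual = sha256_file(path)
    # constant-time comparison; harmless here but a good habit for digests
    return "verified" if hmac.compare_digest(actual, expected) else "tampered"


def audit_directory(directory, allowlist):
    """Classify every *.iso in a directory; returns {file name: status}."""
    return {p.name: classify_image(str(p), allowlist)
            for p in sorted(Path(directory).glob("*.iso"))}


def demo():
    """Create three constructed sample images in a temp dir and audit them."""
    genuine = b"constructed stand-in for a vendor-published image"
    # constructed allowlist: hashes of the bodies we treat as genuine
    allowlist = {
        "Win10_22H2_Ukrainian_x64.iso": sha256_bytes(genuine),
        "Win10_22H2_English_x64.iso": sha256_bytes(b"another genuine image body"),
    }
    with tempfile.TemporaryDirectory() as d:
        # matches its allowlist entry byte for byte
        Path(d, "Win10_22H2_Ukrainian_x64.iso").write_bytes(genuine)
        # same name as a listed image, different content: repackaged with an implant
        Path(d, "Win10_22H2_English_x64.iso").write_bytes(genuine + b" + implant")
        # a tracker download that no allowlist entry vouches for
        Path(d, "Win10_Pro_RUS_repack.iso").write_bytes(b"whatever was seeded")
        return audit_directory(d, allowlist)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Note that the lookup is keyed by file name only so that an image renamed to match a listed file still fails on content; the `unknown` status is deliberately distinct from `tampered`, because a missing allowlist entry is a process gap (someone sourced an image outside the approved channel) rather than proof of modification.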
Mandiant also found additional payloads that were likely deployed after the initial infection: the open-source STOWAWAY proxy tool, Cobalt Strike beacons, and the SPAREPART backdoor. These let the attackers maintain access to compromised machines, execute commands, transfer files, capture keystrokes and screenshots, and steal information, including credentials.
In some cases the attackers even tried to download Tor Browser onto the victim’s device. Although the exact purpose of this is unclear, the researchers suspect that Tor could serve as an alternative channel for exfiltrating stolen data.
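Both the initial delivery (downloads from the torrent trackers the article names) and the follow-on Tor Browser retrieval leave a trace in web-proxy logs, and neither is expected traffic from a government workstation. The following is an added example, not code from the article or from Mandiant, of a small detection pass over such logs: it parses each line, extracts the hostname from the requested URL, and raises one alert per client and reason when the host belongs to one of the watched domains. The log format and every line in `SAMPLE_LOG` are constructed; the watched domains are the two trackers named above and the Tor Project's domain.

```python
"""Flag proxy-log events matching the delivery and Tor-download activity above.

Added example (not from the article or from Mandiant's report). The log
format and all sample lines are constructed.
"""
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
# timestamp client_ip user method url status
SAMPLE_LOG = """\
2022-12-14T10:01:02Z 10.20.0.15 user1 GET https://www.torproject.org/download/ 200
2022-12-14T10:01:09Z 10.20.0.15 user1 GET https://dist.torproject.org/torbrowser/torbrowser-install-win64.exe 200
2022-12-14T10:05:44Z 10.20.0.22 user2 GET https://intranet.example/portal 200
2022-12-14T10:07:11Z 10.20.0.31 user3 GET https://rutracker.org/forum/viewtopic.php?t=000000 200
2022-12-14T10:09:30Z 10.20.0.31 user3 GET https://toloka.to/t000000 200
2022-12-14T10:12:03Z 10.20.0.40 user4 GET https://torproject.org.example.net/ 200
"""

# domain -> alert reason; subdomains of each entry match as well
WATCHED = {
    "torproject.org": "tor-browser-download",
    "rutracker.org": "torrent-tracker",
    "toloka.to": "torrent-tracker",
}


def host_matches(host, domain):
    """True for the domain itself or any subdomain, never for look-alikes
    such as torproject.org.example.net (a plain substring test would match)."""
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """Return the alert reason for a URL, or None when its host is not watched."""
    host = (urlparse(url).hostname or "").lower()
    for domain, reason in WATCHED.items():
        if host_matches(host, domain):
            return reason
    return None


def parse_line(line):
    """Split one constructed-format log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, ip, user, method, url, status = parts
    return {"ts": ts, "ip": ip, "user": user, "method": method,
            "url": url, "status": status}


def find_alerts(log_text):
    """Return sorted, de-duplicated (client_ip, user, reason) tuples."""
    alerts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_url(rec["url"])
        if reason is not None:
            alerts.add((rec["ip"], rec["user"], reason))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, user, reason in find_alerts(SAMPLE_LOG):
        print(f"{ip:12s} {user:8s} {reason}")
```

Alerts are collapsed per client and reason so that a multi-request download session produces one ticket rather than one per file; the look-alike hostname in the last sample line shows why the host comparison must be anchored at a label boundary instead of using a substring match.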
The same media reported that Sandworm Targets Ukraine With Industroyer2 Malware.