Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities.
The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166.
"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.
Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor.
According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.
The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.
Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server, were among them.
The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.
SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.
"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.
The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.
The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.
"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.
The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.
Check Point's observations, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.
"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.
Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is still unidentified, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.
