Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities

by admin
December 16, 2022
in Information Security


Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.

Mandiant, which discovered the supply chain attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language torrent websites. It's tracking the threat cluster as UNC4166.

“Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it,” the cybersecurity company said in a technical deep dive published Thursday.

Although the adversarial collective’s provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor.

The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of telemetry data from the infected computer to Microsoft, install PowerShell backdoors, as well as block automatic updates and license verification.

The primary goal of the operation appears to have been information gathering. Additional implants were deployed to the machines, but only after an initial reconnaissance of the compromised environment to determine whether it contained intelligence of value.

These included Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor programmed in C, enabling the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the information to a remote server.

In some instances, the adversary attempted to download the Tor anonymity browser onto the victim's device. While the exact reason for this action is not clear, it's suspected that it may have served as an alternative exfiltration route.

SPAREPART, as the name implies, is assessed to be a redundant malware deployed to maintain remote access to the system should the other methods fail. It’s also functionally identical to the PowerShell backdoors dropped early on in the attack chain.

"The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and to wait for the ISO to be installed on a network of interest," Mandiant said.

Cloud Atlas Strikes Russia and Belarus

The findings come as Check Point and Positive Technologies disclosed attacks staged by an espionage group dubbed Cloud Atlas against the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia as part of a persistent campaign.

The hacking crew, active since 2014, has a track record of attacking entities in Eastern Europe and Central Asia. But since the outbreak of the Russo-Ukrainian war, it has been observed primarily targeting entities in Russia, Belarus, and Transnistria.

“The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions,” Check Point said in an analysis last week.

Cloud Atlas, also called Clean Ursa, Inception, and Oxygen, remains unattributed to date, joining the likes of other APTs such as TajMahal, DarkUniverse, and Metador. The group gets its name from its reliance on cloud services like OpenDrive to host malware and for command-and-control (C2).

Attack chains orchestrated by the adversary typically make use of phishing emails containing lure attachments as the initial intrusion vector, which ultimately lead to the delivery of a malicious payload via an intricate multi-stage sequence.

The malware then proceeds to initiate contact with an actor-controlled C2 server to retrieve additional backdoors capable of stealing files with specific extensions from the breached endpoints.

Attacks observed by Check Point, on the other hand, culminate in a PowerShell-based backdoor called PowerShower, which was first documented by Palo Alto Networks Unit 42 in November 2018.

Some of these intrusions in June 2022 also turned out to be successful, permitting the threat actor to gain full access to the network and use tools like Chocolatey, AnyDesk, and PuTTY to deepen their foothold.

“With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine,” Check Point added.
