Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.
Mandiant, which discovered the “socially engineered supply chain” attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It’s tracking the threat cluster as UNC4166.
“Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it,” the cybersecurity company said in a technical deep dive published Thursday.
Although the adversarial collective’s provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor.
The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of telemetry data from the infected computer to Microsoft, install PowerShell backdoors, as well as block automatic updates and license verification.
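The article says the trojanized image disabled telemetry, blocked automatic updates and license verification, and planted PowerShell backdoors, but not which mechanism was used. The following read-only audit is an added example, not Mandiant's tooling or anything from the report; it assumes the usual knobs an image builder would flip (the DiagTrack service, the AllowTelemetry and NoAutoUpdate policy values, the wuauserv service, Windows activation state) and flags scheduled tasks that launch PowerShell with an encoded command, so an analyst can quickly triage a host built from an untrusted ISO.

```powershell
# Added example (hypothetical audit, not from the Mandiant report): inspect a Windows 10
# host for the kinds of tampering the article attributes to the trojanized ISO.
# Run from an elevated PowerShell 5.1+ session; several checks need admin rights.
function Get-ImageTamperIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Check, $State, $Note)
        $findings.Add([pscustomobject]@{ Check = $Check; State = $State; Note = $Note })
    }

    # 1. Telemetry transport: the "Connected User Experiences and Telemetry" service.
    $diag = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    if (-not $diag) {
        & $add 'DiagTrack service' 'missing' 'Telemetry service removed from the image'
    } elseif ($diag.StartType -eq 'Disabled') {
        & $add 'DiagTrack service' $diag.StartType 'Telemetry service disabled'
    }

    # 2. Telemetry policy: AllowTelemetry = 0 (Security) set through the policy hive.
    $dcPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $dc = Get-ItemProperty -Path $dcPath -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($dc -and $dc.AllowTelemetry -eq 0) {
        & $add 'AllowTelemetry policy' $dc.AllowTelemetry 'Telemetry forced off by policy'
    }

    # 3. Automatic updates: the Windows Update service and the NoAutoUpdate policy.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($wu -and $wu.StartType -eq 'Disabled') {
        & $add 'wuauserv service' $wu.StartType 'Windows Update service disabled'
    }
    $auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auPath -Name NoAutoUpdate -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        & $add 'NoAutoUpdate policy' $au.NoAutoUpdate 'Automatic updates blocked by policy'
    }

    # 4. License verification: LicenseStatus 1 means "Licensed"; anything else on a
    #    machine the owner believes is activated deserves a closer look.
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($lic -and $lic.LicenseStatus -ne 1) {
        & $add 'Windows activation' $lic.LicenseStatus 'OS is not in the Licensed state'
    }

    # 5. PowerShell persistence: scheduled tasks whose action runs powershell.exe with
    #    an encoded command (-e / -enc / -EncodedCommand) are a common backdoor launcher.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell' -and
                $action.Arguments -match '-(e|enc|encodedcommand)\b') {
                & $add "Task $($task.TaskPath)$($task.TaskName)" 'encoded PowerShell' `
                    'Scheduled task launches an encoded PowerShell command'
            }
        }
    }

    return $findings
}

# Usage: print every indicator found; an empty result means none of these knobs are set.
Get-ImageTamperIndicators | Format-Table -AutoSize
```

The script only reads state and changes nothing, so it is safe to run on a suspect host before deciding whether to reimage. A clean result is not proof of a clean image (the report says the actors were deliberately stealthy), but any hit on a machine that was supposed to be a stock install is a strong reason to treat the installer source as compromised.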
The primary goal of the operation appears to have been information gathering, with additional implants deployed to the machines, but only after an initial reconnaissance of the compromised environment to determine whether it held intelligence of value.
These included Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor programmed in C, enabling the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the information to a remote server.
In some instances, the adversary attempted to download the TOR anonymity browser onto the victim’s device. While the exact reason for this action is not clear, it’s suspected that it may have served as an alternative exfiltration route.
SPAREPART, as the name implies, is assessed to be a redundant malware deployed to maintain remote access to the system should the other methods fail. It’s also functionally identical to the PowerShell backdoors dropped early on in the attack chain.
“The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and to wait for the ISO to be installed on a network of interest,” Mandiant said.
Cloud Atlas Strikes Russia and Belarus
The findings come as Check Point and Positive Technologies disclosed attacks staged by an espionage group dubbed Cloud Atlas against the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia as part of a persistent campaign.
The hacking crew, active since 2014, has a track record of attacking entities in Eastern Europe and Central Asia. But the outbreak of the Russo-Ukrainian war earlier this February has led to it shifting its attention to organizations in Russia, Belarus, and Transnistria.
“The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions,” Check Point said in an analysis last week.
Cloud Atlas, also called Clean Ursa, Inception, Oxygen, and Red October, remains unattributed to date, joining the likes of other APTs such as TajMahal, DarkUniverse, and Metador. The group gets its name from its reliance on cloud services like CloudMe and OpenDrive to host malware and for command-and-control (C2).
Attack chains orchestrated by the adversary typically make use of phishing emails containing lure attachments as the initial intrusion vector, which ultimately lead to the delivery of a malicious payload via an intricate multi-stage sequence.
The malware then proceeds to initiate contact with an actor-controlled C2 server to retrieve additional backdoors capable of stealing files with specific extensions from the breached endpoints.
Attacks observed by Check Point, on the other hand, culminate in a PowerShell-based backdoor referred to as PowerShower, which was first documented by Palo Alto Networks Unit 42 in November 2018.
Some of these intrusions in June 2022 also turned out to be successful, permitting the threat actor to gain full access to the network and use tools like Chocolatey, AnyDesk, and PuTTY to deepen their foothold.
“With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine,” Check Point added.