Ukraine threatened by trojanised Windows 10 Installer

January 3, 2023

Threat actors are running a new campaign that uses a trojanised Windows 10 installer to target Ukrainian government agencies. Based on reports, the installer is deployed to conduct post-exploitation activities.

The researchers who discovered this attack said it is part of a socially engineered supply chain campaign that started last July. The threat actors spread the malicious ISO files through Ukrainian- and Russian-language torrent websites.

Upon installation, the malware inside the installer harvests information from the compromised device and exfiltrates it. These intrusions have not yet been attributed to a specific threat actor, but the targeted entities were previously victims of a wiper attack by APT28, a Russian-backed threat group.

The threat actors who deployed the trojanised Windows 10 installer target intelligence and information held on the infected device.

Analysts claimed that the main objective of the threat actors in deploying the trojanised Windows 10 installer is to gather information from the infected machine. The actors also deployed additional malicious implants to the device.

However, these implants are only activated after the malware has conducted an initial survey of the infected device to determine whether it holds valuable intelligence.

These implants include Stowaway, an open-source proxy tool; SPAREPART; and Cobalt Strike Beacon. In addition, a small backdoor written in C allows the threat actor to run commands, collect data, capture screenshots, record keystrokes, and transfer the collected information to a separate server.

In some cases, the attackers also tried downloading the TOR anonymity search engine onto the compromised device. The researchers do not know the reason for this download, although some experts suggest it is another way for the attackers to exfiltrate data.

Lastly, researchers believe the SPAREPART implant is a redundant backdoor, launched by the attackers to re-establish remote access to the compromised system if their primary access method fails.

Cybersecurity experts noted that the operators behind this trojanised Windows 10 installer are very cautious in deploying their malware, carefully navigating around and bypassing security solutions.

Therefore, government entities should avoid downloading or installing software from untrusted sources, since threat actors are now distributing trojanised copies of legitimate-looking software.
