Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.
Mandiant, which discovered the “socially engineered supply chain” attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language torrent websites. It is tracking the threat cluster as UNC4166.
“Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it,” the cybersecurity company said in a technical deep dive published Thursday.
Although the adversarial collective’s provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor.
The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of telemetry data from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and license verification.
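The tampering described above (telemetry off, update and licensing traffic blocked, PowerShell-based persistence) leaves traces a defender can audit. The script below is an added example and is not code from Mandiant's report or from the campaign itself; it checks the standard Windows policy registry locations for telemetry and Windows Update, the state of the related services, the hosts file, and scheduled tasks that launch PowerShell, and it verifies an installer ISO against a SHA-256 the operator obtains from the vendor's official download page. The specific registry values and the hosts-file technique are common ways these features get disabled and are assumptions for illustration, not findings attributed to UNC4166; the ISO path and hash in the usage lines are placeholders.

```powershell
# Added example, not from the original article or from Mandiant.
# Audits a Windows 10 host for settings consistent with a tampered installer
# and verifies an ISO against an expected hash. Run from an elevated prompt.

function Test-IsoHash {
    param(
        [Parameter(Mandatory)] [string] $IsoPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # take this from the vendor's page, never from the torrent listing
    )
    $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $IsoPath
        Expected = $ExpectedSha256.ToUpperInvariant()
        Actual   = $actual
        Match    = ($actual -eq $ExpectedSha256.ToUpperInvariant())
    }
}

function Get-SuspiciousPolicySettings {
    # Standard policy locations (assumed relevant; not taken from the report).
    # 'Bad' is the value that means the feature has been switched off.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';   Name = 'AllowTelemetry';                               Bad = 0; Meaning = 'Telemetry disabled by policy' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';                                 Bad = 1; Meaning = 'Automatic updates disabled by policy' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Bad = 1; Meaning = 'Windows Update internet access blocked' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Path       = $c.Path
            Name       = $c.Name
            Value      = $value
            Suspicious = ($null -ne $value -and $value -eq $c.Bad)
            Meaning    = $c.Meaning
        }
    }
}

function Get-TelemetryAndUpdateServices {
    # DiagTrack (telemetry) and wuauserv (Windows Update) exist on a stock build;
    # a missing or Disabled service is worth a closer look.
    foreach ($name in 'DiagTrack', 'wuauserv') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Present   = ($null -ne $svc)
            StartType = if ($svc) { $svc.StartType } else { $null }
            Status    = if ($svc) { $svc.Status } else { $null }
        }
    }
}

function Get-HostsFileMicrosoftEntries {
    # Assumption: blocking update/activation endpoints via the hosts file is a
    # common technique. Any non-comment line naming a Microsoft domain is reported.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'microsoft\.com|windowsupdate\.com|live\.com' }
}

function Get-PowerShellScheduledTasks {
    # Scheduled tasks whose action launches PowerShell; review Arguments for
    # encoded or hidden-window commands.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell|pwsh') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

# Usage (placeholders; substitute the real ISO path and the vendor-published hash):
# Test-IsoHash -IsoPath 'C:\Downloads\Win10.iso' -ExpectedSha256 '<SHA256 from vendor download page>'
# Get-SuspiciousPolicySettings | Where-Object Suspicious | Format-Table
# Get-TelemetryAndUpdateServices | Format-Table
# Get-HostsFileMicrosoftEntries
# Get-PowerShellScheduledTasks | Format-List
```

A non-matching hash is the decisive signal: a legitimate ISO is bit-for-bit identical to the vendor's, so any rebuild that adds a backdoor changes it. The registry, service, hosts and task checks are for hosts that were already installed from an unverified image and cannot be re-hashed.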