Ukrainian government agencies have come under cyberattack after their networks were compromised through trojanized ISO files disguised as legitimate Windows installers. The malicious images contained software capable of harvesting data from infected computers, installing additional malware, and transmitting the stolen data to attacker-controlled servers.
One of the ISOs distributed by the attackers in this campaign was uploaded to the Ukrainian torrent tracker toloka[.]to by an anonymous user. According to researchers at Mandiant, this image disables Windows security features, automatic updates, and license checks.
It is worth noting that the campaign was not financially motivated: the stolen information is hard to monetize, and the payloads contain neither ransomware nor cryptominers.
After analyzing several infected devices, Mandiant discovered scheduled tasks created in mid-July 2022. These tasks are designed to retrieve commands from the attackers and execute them through PowerShell.
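As an added defender-side illustration (not from Mandiant's report or the original article), the following script reviews an exported Task Scheduler definition and flags actions that make PowerShell run hidden, encoded or remotely fetched commands, and tasks registered in the July 2022 window the article mentions. The task XML, the date window and the heuristic patterns are all constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Task Scheduler XML exports (e.g. `schtasks /query /xml`)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic argument patterns typical of PowerShell tasks that fetch and run remote commands
SUSPICIOUS = [
    (r"-(enc|encodedcommand)\b", "encoded command"),
    (r"DownloadString|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", "download cradle"),
    (r"\bIEX\b|Invoke-Expression", "dynamic evaluation"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
]

def analyze_task(xml_text, start=datetime(2022, 7, 1), end=datetime(2022, 8, 1)):
    """Return whether an exported task looks like a PowerShell command-fetching task, and why."""
    root = ET.fromstring(xml_text)
    reasons = []
    # Registration date: the reported tasks were created in mid-July 2022 (window is an assumption)
    date_text = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    if date_text:
        registered = datetime.strptime(date_text.strip()[:19], "%Y-%m-%dT%H:%M:%S")
        if start <= registered < end:
            reasons.append("registered in suspect window")
    hits = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if "powershell" not in command and "pwsh" not in command:
            continue  # only PowerShell-launching actions are scored
        hits += [label for pattern, label in SUSPICIOUS if re.search(pattern, args, re.IGNORECASE)]
    return {"suspicious": bool(hits), "reasons": reasons + hits}

# Constructed sample export: a hidden PowerShell task with an encoded (here meaningless) argument
SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-07-15T09:30:00.0000000</Date></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -enc QQBCAEMA</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(analyze_task(SAMPLE_TASK))
```

On a real host, feed the script the output of `schtasks /query /tn <name> /xml` for each task; a task that only launches an installed program with plain arguments yields no reasons.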
After initial reconnaissance of the victim's system, the attackers deploy the Stowaway, Beacon and Sparepart backdoors, which give them a persistent foothold, arbitrary command execution, and the ability to steal valuable user information.
The trojanized Windows 10 images are distributed through Ukrainian- and Russian-language torrent trackers. This differs from the usual tradecraft of cyberespionage groups, which host their payloads on their own infrastructure.
While the malicious installers did not specifically target the Ukrainian government, the attackers triaged the infected devices and then concentrated on those belonging to government employees.