Trojaned Windows Installer Targets Ukraine

Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system:

Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.

One obvious solution would be for Microsoft to give the Ukrainians Windows licenses, so they don’t have to get their software from sketchy torrent sites.

Posted on December 20, 2022 at 7:30 AM

13 Comments

Comments

stephen December 20, 2022 7:53 AM

Or, the Ukrainians could leverage Linux, instead of relying on software and the charity of one monopolistic company.

Clive Robinson December 20, 2022 8:29 AM

@ Bruce, ALL,

Side Note : Although not directly connected to this “supply chain” attack, it’s been noted that 2022 has been the year of “Signed Driver” supply chain attacks,

https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/

Oh and an update on “Azov”, the fake ransomware loosely designed to look like it came from the Ukraine but did not (it has the hallmarks of some “old school” Russian virus writer going back decades).

https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/

lurker December 20, 2022 1:43 PM

@dorukayhan
That page seems to assume a valid licence for an earlier version of Windows. MS’s insistence on hardware vendor installs, and its outrageous prices for standalone installers for white box machines, has always made it easy for the purveyors of the trojaned cracked ISO.

@stephen
Linux is all well and good, until you have to deal with files or foreign correspondents who insist on using some MS format. Wine is perpetually “not quite there yet”. Where do you get an affordable Windows installer for a VM?

Arclight December 20, 2022 2:17 PM

Also, you can just download Windows images directly from Microsoft. Even if you purchase license keys from a questionable source (such as an e-waste recycler or refurbisher), you can just install from clean media and not worry about the binaries. In this case, the worst possible outcome is that Windows doesn’t activate.

Ted December 20, 2022 4:14 PM

“The use of trojanized ISOs is novel in espionage operations”

Really? That surprises me a little bit.

It was interesting to see how the ISO was altered. Two legitimate tasks were modified with additional instructions. The trojanized ISO also contains an original batch script that does several things, including disabling Windows updates and activating a Windows license.

Mandiant reported that three Ukrainian organizations were targeted for follow-on activity following an installation. They don’t say anything about the details of these installations.
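A defender-side triage script for the two tamper points Ted describes (legitimate scheduled tasks given extra actions, and a script that switches off Windows Update). This is an added example, not code from the blog post or from Mandiant’s report; the “trusted root” path list, the interpreter/batch heuristic and the registry value it checks are assumptions about what a reviewer would want to see first, and the output is a list to review by hand, not a verdict.

```powershell
# Added triage example (not from the post or Mandiant). Lists enabled scheduled
# tasks whose actions run from outside the assumed trusted roots or invoke a
# shell/batch file, and reports whether Windows Update has been disabled by policy.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-SuspiciousTasks {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Task actions often use %windir%-style paths; expand before comparing.
            $exe    = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
            $argStr = "$($action.Arguments)"
            $fromTrustedRoot = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, 'OrdinalIgnoreCase')) { $fromTrustedRoot = $true }
            }
            # Heuristic (assumption): a legitimate task that suddenly runs cmd/powershell
            # or a .bat/.cmd file is worth a second look, even from a trusted path.
            $runsScript = ($argStr -match '\.(bat|cmd)\b') -or ($exe -match 'cmd\.exe$|powershell\.exe$')
            if (-not $fromTrustedRoot -or $runsScript) {
                $reason = if ($runsScript) { 'shell/batch action' } else { 'untrusted path' }
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $argStr
                    Reason    = $reason
                }
            }
        }
    }
}

function Get-UpdatePolicyState {
    # NoAutoUpdate=1 under this policy key is the documented way to switch off
    # automatic updates; a stopped/disabled wuauserv is the other common sign.
    $au  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $val = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdatePolicy = if ($null -eq $val) { 'not set' } else { $val }
        WuauservStartType  = if ($svc) { $svc.StartType } else { 'missing' }
        WuauservStatus     = if ($svc) { $svc.Status } else { 'missing' }
    }
}

Get-SuspiciousTasks | Sort-Object Reason, TaskPath | Format-Table -AutoSize
Get-UpdatePolicyState
```

Run it from an elevated prompt on a machine built from the suspect media and compare the task list against the same query on a host installed from Microsoft’s own image; the differences, not the absolute list, are what matter.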

Ismar December 21, 2022 3:53 AM

@Clive - reading the article - I don’t think any rootkits were used, rather some post-installation tasks were used to disable / hijack some of the Windows functionality to exploit the machines.
You are really asking for it, though, if installing from torrents

Clive Robinson December 21, 2022 9:10 AM

@ Ismar,

“reading the article”

Which one?

@Bruce posted links to one article (Mandiant), and I posted two links to related stories (from Sophos and Checkpoint).

Dex January 15, 2023 6:44 AM

Sure, give them free Microsoft licenses. We’ve already given them billions of dollars, the UK’s giving them tanks, and unlike me, they have eggs.

This is pretty funny considering the other snippet about instructions on surrendering to a drone.

I know Bruce has gone off the deep end, gulping the koolaid, but come on.

tl;dr No, American businesses shouldn’t give free licenses to nations which aren’t even are allies, who have crappy cyber policies.

And no one should voluntarily run Windows 10 or 11 anyway. Sure, Linux sucks, but it’d solve this problem.

Clive Robinson January 15, 2023 9:25 AM

@ Dex,

Re : Ukraine

“to nations which aren’t even are allies”

You might want to have a think on that claim.

The Ukraine was a nation with a lot of Russian nuclear technology including weapons it had inherited, that they did not want. As although they had the technical abilities to maintain them they did not want the problems associated with the badly designed and rapidly aging Russian technology, and after the Russian stupidity that gave them Chernobyl who could blame them.

The only reason Ukraine had for keeping the Russian nukes was to keep Russia away from the door. When the UK and US were running around on their “War against Terrorism” buying up old Russian nukes in old ex-Soviet states and wanted the Ukrainians to give the nuclear weapons back to Russia, both the UK and US entered into legally ratified international agreements to defend the Ukraine from Russia. Which they failed to honour with the Crimea etc. invasions, thus actively acting against the Ukrainians.

Those agreements de jure made the Ukraine allies of the UK and US. It’s well known that the Ukraine was trying to not just join the EU, but NATO as well, and were moving down the path as quickly as they were allowed to.

It was however US politicians in the Republican Party who were strutting around to Putin’s “Strong Man” rhetoric, and likewise UK Tory politicians, along with the idiocy of Germans falling for Putin’s fake history stories, that put the brakes on the Ukraine becoming fully fledged members of both the EU and NATO.

So the question you should ask yourself is not if the Ukrainians were US allies but did the UK and US honour their promises to the Ukrainians?

The answer is of course that Putin had with his faux histories and strong man nonsense so enamoured politicians in the US and UK that they were more than happy to just let Putin unlawfully use Russian forces to invade the Ukraine…

Oh by the way, if you check you will also find that Putin and his clique had said that the Ukraine was just the start of their territorial desires; he wants most if not all of Europe under his control, and those UK and US politicians just happily nodded along to the strong man rhetoric. Whilst the Germans were busily warming themselves against the fires that very cheap Russian gas being “illegally” brought into the EU was giving them, which had a very significant negative economic impact on the Ukraine.

Oh and have a think about why Turkey is not going to give up those nukes the US loaned them. Because they’ve known very clearly that they are about the only thing stopping Putin and Co attacking Turkey to grab the territory that Russia once held (see the history of the Ottomans and why Cyprus and other areas fell under British “protectorate” status).

Basically Putin’s argument is, if a Russian foot ever trod anywhere, or he can pretend it did, then that makes it Russian territory for ever and he is going to take it back by force. Which if you think about it includes Alaska and quite a large part of Canada. And this was the “strong man” that UK and US politicians queued up to so admire… Whilst ignoring or evading the de jure obligations they had entered into with the Ukraine.

Winter January 15, 2023 1:57 PM

@Clive

“Germans falling for Putin’s fake history stories that put the brakes on the Ukraine becoming fully fledged members of both the EU and NATO.”

You seem to have forgotten that Ukraine was a very unstable country with a level of corruption that would make Bulgarians blush. But since Maydan, things have evolved at a breathtaking pace. Even Ukrainians were surprised by their own compatriots.

With the problems of Romania and Bulgaria in mind, the hesitations and worries in the EU are understandable. And no one thought Putin would be this stupid.

But, Ukraine now are a very different people from Ukraine in 2014.

Clive Robinson January 15, 2023 6:57 PM

@ Winter,

“You seem to have forgotten that Ukraine was a very unstable country with a level of corruption that would make Bulgarians blush.”

It was a subject I had not forgotten, but wanted to avoid, as it has, like the brown stuff that hits the fan, the ability to attract flies (as can be seen currently on another thread).

To try to limit the stink, let’s just say that as with Belarus the corruption was “at the top” and was assisted by another corrupt upper crust.

The difference was what happened when the ordinary people pushed back. In Belarus they failed as their “strong man” went blubbering to his backer across the border, who then propped him up with “support”.

In the Ukraine it went differently, as their “strong man” scurried across the border boo-hooing rather than wait for support.

Let’s just say even in the far east of the Ukraine the “grass roots support” for the “strong men” was not thick on the ground, thus crack military units invaded pretending to be “grass roots” but were effectively there to form puppet faux governments to do the “strong man’s” bidding.

We can now start our stop-watches to see how long it takes for the flies to buzz.

Dex January 15, 2023 10:32 PM

@ Clive, I typed a long post in response to you, and it doesn’t seem to have come through, so instead of typing it all again, I wanted to make sure you knew I appreciate your perspective on what we’re doing in the Ukraine. Cheers.
