Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets

Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets

Downloading a copy of Windows from shady online sources is never a good idea, but it was even more dangerous in Ukraine recently. Cybersecurity firm Mandiant identified a trojanized version of Windows 10 being distributed online, and it was modified specifically to gain access to Ukrainian computer systems. While there are no clear fingerprints on the malicious ISO, Mandiant notes the targets overlap with previous operations from Russia’s security services.

The Windows installer purports to be a 64-bit build of Windows 10, labeled “Win10_21H2_Ukrainian_x64.iso.” It uses the Ukrainian language pack and was distributed primarily on toloka.to, a torrent tracker that focuses on Ukrainian users. It also appeared on a Russian torrent tracker. It seems likely this malware campaign is connected to the ongoing war in Ukraine.

According to Mandiant, the campaign doesn’t appear to have any financial motive — there are no ransomware installers or crypto miners to be seen. Although, distributing a Windows ISO isn’t the most efficient way to get these malicious packages onto machines. It is, however, useful if you want complete access to a system with the ability to install additional malware packages when you find a juicy target. The way these additional tools were deployed led Mandiant to suspect Russia’s GRU spy agency and government-backed hacking groups like APT28.

Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets

Installing the malicious ISO will get you what appears to be a fully functional version of Windows 10, but the underlying code has been modified in several vital ways. For one, it doesn’t send security telemetry back to Microsoft as a regular build of Windows does. After installation, embedded tools scan the system for useful information via scheduled and modified system tasks. That data is then sent to a remote server. Some installations were also loaded with additional malware tools after installation, suggesting these targets were of particular interest to the hackers.

Mandiant identified several machines running the infected Windows version inside Ukrainian government networks. The machines began communicating with operators via an encrypted TOR tunnel in July 2022. This is a new kind of attack and one that we may see more often as the conflict in Ukraine drags on. Unlike many malware campaigns, this one is easy to avoid. Just don’t download sketchy versions of Windows from torrent sites. Microsoft will actually let you download Windows ISOs directly from the source these days.

Continue reading

Someone Hacked Ray Tracing Into the SNES
Someone Hacked Ray Tracing Into the SNES

Surely, a game console from the 90s couldn't support ray tracing, right? Wrong. Game developer and engineer Ben Carter hacked ray tracing into the Super NES with a little help from an FPGA dev board.

New ‘Morpheus’ CPU Design Defeats Hundreds of Hackers in DARPA Tests
New ‘Morpheus’ CPU Design Defeats Hundreds of Hackers in DARPA Tests

A new CPU design has won accolades for defeating the hacking efforts of nearly 600 experts during a DARPA challenge. Its approach could help us close side-channel vulnerabilities in the future.

Knee-Deep in the LED: Hackers Get Doom Running on Ikea Smart Bulb
Knee-Deep in the LED: Hackers Get Doom Running on Ikea Smart Bulb

The devices capable of running Doom keep growing. Today's demonstration? Smart bulbs.

Switch Hacker Agrees to Pay Nintendo an Additional $10 million
Switch Hacker Agrees to Pay Nintendo an Additional $10 million

After spending the last few years making and selling Switch modding kits, Bowser has agreed to pay Nintendo $10 million in damages to settle a civil lawsuit. This is in addition to the restitution he was ordered to pay following his criminal conviction.