Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets

Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets

Downloading a copy of Windows from shady online sources is never a good idea, but it was even more dangerous in Ukraine recently. Cybersecurity firm Mandiant identified a trojanized version of Windows 10 being distributed online, and it was modified specifically to gain access to Ukrainian computer systems. While there are no clear fingerprints on the malicious ISO, Mandiant notes the targets overlap with previous operations from Russia’s security services.

The Windows installer purports to be a 64-bit build of Windows 10, labeled “Win10_21H2_Ukrainian_x64.iso.” It uses the Ukrainian language pack and was distributed primarily on toloka.to, a torrent tracker that focuses on Ukrainian users. It also appeared on a Russian torrent tracker. It seems likely this malware campaign is connected to the ongoing war in Ukraine.

According to Mandiant, the campaign doesn’t appear to have any financial motive — there are no ransomware installers or crypto miners to be seen. Although, distributing a Windows ISO isn’t the most efficient way to get these malicious packages onto machines. It is, however, useful if you want complete access to a system with the ability to install additional malware packages when you find a juicy target. The way these additional tools were deployed led Mandiant to suspect Russia’s GRU spy agency and government-backed hacking groups like APT28.

Hackers Distributed a Trojanized Build of Windows 10 to Infiltrate Ukrainian Targets

Installing the malicious ISO will get you what appears to be a fully functional version of Windows 10, but the underlying code has been modified in several vital ways. For one, it doesn’t send security telemetry back to Microsoft as a regular build of Windows does. After installation, embedded tools scan the system for useful information via scheduled and modified system tasks. That data is then sent to a remote server. Some installations were also loaded with additional malware tools after installation, suggesting these targets were of particular interest to the hackers.

Mandiant identified several machines running the infected Windows version inside Ukrainian government networks. The machines began communicating with operators via an encrypted TOR tunnel in July 2022. This is a new kind of attack and one that we may see more often as the conflict in Ukraine drags on. Unlike many malware campaigns, this one is easy to avoid. Just don’t download sketchy versions of Windows from torrent sites. Microsoft will actually let you download Windows ISOs directly from the source these days.

Continue reading

Hacker Infiltrates FBI Portal, Lists Details of 87,000 Users for Sale
Hacker Infiltrates FBI Portal, Lists Details of 87,000 Users for Sale

The contact and Social Security details for tens of thousands of "high profile" people now have a $50,000 price tag.