The Sandworm hacker group, which is affiliated with Russian security forces, is attacking Windows users in Ukraine using Trojan Microsoft Key Management Service (KMS) activator programs and fake Windows updates. Cyber experts say that the Russians chose this method of attack because of the widespread use of pirated software in Ukraine, even in the state sector.
The Sandworm hacker group, which is affiliated with Russian security forces, is attacking Windows users in Ukraine using Trojan Microsoft Key Management Service (KMS) activator programs and fake Windows updates. Cyber experts say that the Russians chose this method of attack because of the widespread use of pirated software in Ukraine, even in the state sector.
These attacks likely began in late 2023, and now threat analysts at EclecticIQ are linking them to the Sandworm hackers based on overlapping infrastructure, consistent tactics, methods, and procedures (TTPs), and the frequent use of ProtonMail accounts to register domains used in the attacks, Bleeping Computer reports.
The attackers also used the BACKORDER bootloader to deploy the DarkCrystal RAT (DcRAT) malware (used in previous Sandworm attacks) and symbols referring to a Russian-language build environment, further solidifying researchers’ belief that Russian military hackers were involved.
EclecticIQ discovered seven malware distribution campaigns linked to the same cluster of malicious activity, each using similar bait and TTP. Last month, analysts observed attacks in which victims were infected with the DcRAT remote access trojan.
Once deployed on a victim’s device, the KMS Trojan displays a fake Windows activation interface, installs a malware loader, and disables Windows Defender in the background before delivering the final RAT malware.
KMS (Key Management Service) is a service on a Windows server that allows client computers to automatically activate Windows without user intervention. It is typically used in companies and organizations with a large number of Windows-based computers.
KMS activators are hacking programs that allow you to unlock paid functionality of Windows operating systems and Microsoft office programs for free.
The goal of the attackers is to collect sensitive information from infected computers and send it to controlled servers. The malware steals keystrokes, browser cookies, browser history, saved credentials, FTP credentials, system information, and screenshots.
It is noted that Sandworm decided to use malicious Windows activators because of the wide scope for attacks that was opened up by the widespread use of pirated software in Ukraine, «which also affected the government sector of the country».
«Many users, including enterprises and mission-critical organizations, are using pirated software from untrusted sources, providing attackers like Sandworm (APT44) with a great opportunity to embed malware into widely used applications. Such tactics enable large-scale espionage, data theft, and network compromise, which directly threatens Ukraine’s national security, critical infrastructure, and private sector resilience», — EclecticIQ notes.
It was previously reported that one of the documents in the updated draft law on mobilization, which can be downloaded from the Verkhovna Rada website, was likely created in a «hacked» Microsoft Office. This is indicated by its metadata, which mentions Reanimator Extreme Edition.
Sandworm has been operating since at least 2009 and is part of military unit 74455 of the Main Intelligence Directorate (GRU), the Russian military intelligence agency that mainly specializes in carrying out attacks on Ukraine.
They have hacked Ukrainian power grids several times before. In 2022, they combined their cyberattack with missile strikes by the Russian occupiers.
In December 2023, Kyivstar, which has 24 million subscribers, experienced a large-scale outage, causing the operator’s connection and website to be down. Later, Kyivstar’s CPO confirmed a hacker attack on the company. Subscribers who were out of service were promised compensation.
Responsibility for this attack on Kyivstar was claimed by a group of Russian hackers called Solntsepok. They previously attacked Suspilne, providers, and the Ministry of Community Development. CERT-UA previously linked the activities of these hackers to Sandworm.
