Microsoft has warned software companies to better protect their update processes after discovering a "well-planned and orchestrated" attack that compromised the update service of an unnamed software product.
As Microsoft's threat research team explains, the attackers abused the update mechanism of a popular application to reach several high-profile technology and financial organizations. According to Microsoft, the software vendor itself was also a victim of the attack.
The espionage campaign, which Microsoft dubbed WilySupply, appears to be financially motivated: it targeted updaters primarily as a way into finance and payment companies.
In this case the attackers used the updater to deliver an "unsigned, low-prevalence executable" that installed a remote access tool and then scanned the victim's network.
Attacking the update process of trusted software is a clever side door for attackers, because users rely on that very mechanism to receive legitimate updates and rarely scrutinize what it installs.
Microsoft notes that the same technique has been used in earlier attacks, such as the 2013 breaches of South Korean companies through a malicious version of a SimDisk installer.
Attackers reportedly use free, open-source tools such as Evilgrade, which exploits poorly implemented update mechanisms to push fake updates. As Microsoft notes, WilySupply did exactly that, and the use of commodity tooling helped obscure the attackers' identity.
The other tool the attackers used was Meterpreter, the in-memory payload component of the Metasploit framework.
"The executable turned out to be a malicious binary that ran PowerShell scripts with a Meterpreter reverse shell, which silently granted remote control to the attacker." Microsoft identified the binary as "Rivit."
"Using the timeline views and process trees in the Windows Defender ATP console, we were able to identify the process responsible for the malicious activities and to pinpoint when they occurred. We traced these activities to an editing software update," Microsoft says.
"Forensic examination of the Temp folder on the infected machine showed us a legitimate third-party updater running as a service."
The updater had downloaded an unsigned, low-prevalence executable shortly before the malicious activity was observed.
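The chain Microsoft describes above (a legitimate updater service spawns an unsigned, rarely seen executable, which in turn launches PowerShell) can be turned into a simple process-tree hunt. The following is an added example, not Microsoft's code and not Windows Defender ATP's query language: it assumes process-creation telemetry that already carries a signature-verification result and a file-prevalence count per process, and runs over a small set of constructed events modelled on the report.

```python
"""Hunt for updater -> unsigned low-prevalence binary -> PowerShell chains.

Added example with constructed telemetry; field names (signed, prevalence)
are assumptions, not a real EDR schema.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full image path
    signed: bool      # Authenticode signature validated by the sensor (assumed field)
    prevalence: int   # machines on which the file hash has been seen (assumed field)
    cmdline: str
    ts: int           # seconds since epoch, constructed


LOW_PREVALENCE = 5                    # "low prevalence" threshold, assumed
UPDATER_HINTS = ("updater", "update")  # crude name match for updater services
SHELLS = ("powershell.exe", "pwsh.exe")

# Constructed sample events, not telemetry from the WilySupply incident.
EVENTS: List[ProcEvent] = [
    ProcEvent(1, 0, r"C:\Windows\System32\services.exe", True, 100000,
              "services.exe", 1000),
    ProcEvent(500, 1, r"C:\Program Files\EditTool\EditToolUpdater.exe", True, 50000,
              "EditToolUpdater.exe /svc", 1001),
    # the dropped binary: unsigned, seen on two machines, written to Temp
    ProcEvent(620, 500, r"C:\Users\alice\AppData\Local\Temp\upd_3f9.exe", False, 2,
              "upd_3f9.exe", 1060),
    ProcEvent(631, 620, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              True, 100000, "powershell.exe -nop -w hidden -ExecutionPolicy Bypass", 1061),
    # benign: the same updater fetches a signed, widely deployed installer
    ProcEvent(700, 500, r"C:\Users\alice\AppData\Local\Temp\EditTool-2.4.1-setup.exe",
              True, 40000, "EditTool-2.4.1-setup.exe /S", 1500),
    # benign: interactive PowerShell whose parent is not in the event set
    ProcEvent(800, 2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              True, 100000, "powershell.exe", 1600),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, idx: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return [parent, grandparent, ...] following ppid links; stops on gaps or cycles."""
    out, seen = [], set()
    cur = idx.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        out.append(cur)
        cur = idx.get(cur.ppid)
    return out


def find_suspicious_update_chains(events: List[ProcEvent],
                                  low_prev: int = LOW_PREVALENCE) -> List[dict]:
    """Flag shells whose ancestry contains an unsigned, low-prevalence binary
    that was itself spawned by an updater-looking process."""
    idx = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        chain = ancestors(ev, idx)
        for i, anc in enumerate(chain):
            if anc.signed or anc.prevalence > low_prev:
                continue
            spawner = chain[i + 1] if i + 1 < len(chain) else None
            if spawner and any(h in basename(spawner.image) for h in UPDATER_HINTS):
                findings.append({
                    "updater_pid": spawner.pid,
                    "updater_image": spawner.image,
                    "dropped_image": anc.image,
                    "shell_pid": ev.pid,
                    "shell_cmdline": ev.cmdline,
                    "seconds_after_updater_start": ev.ts - spawner.ts,
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_update_chains(EVENTS):
        print(f"updater pid {f['updater_pid']} dropped {f['dropped_image']} "
              f"-> shell pid {f['shell_pid']} ({f['shell_cmdline']})")
```

The rule deliberately keys on the combination rather than on any single attribute: an updater writing to Temp is normal, and PowerShell is normal, but an updater whose child is unsigned, almost never seen elsewhere, and immediately parents a hidden PowerShell is the pattern the report describes. In a real deployment the prevalence figure would come from the EDR's file-reputation backend and the updater match from a curated list of the organization's known updater services rather than a substring test.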