Microsoft has warned software companies to better protect their updater processes after discovering a highly "well-planned and orchestrated" attack that compromised an unnamed software update service.
As the Microsoft Threats Team explains, the attackers used the update mechanism of a popular application to gain access to several high-profile technology and financial organizations. According to Microsoft, the software development company itself was also under attack.
The espionage campaign, which Microsoft named WilySupply, is likely financially motivated and targets updaters in order to reach finance and payment companies in particular.
In this case, the attackers used the updater to install an "unsigned, low-prevalence executable" that established remote access and scanned the victim's network.
Attacking the update process of trusted software is a clever back door for attackers, because users rely on that very mechanism to receive legitimate updates.
Microsoft notes that the same technique has been used in various attacks, such as the 2013 breaches of South Korean companies via a malicious version of a SimDisk installer.
The attackers reportedly used free, open-source tools such as Evilgrade, which helps exploit faulty update mechanisms to inject fake updates. As Microsoft notes, WilySupply did just that, which also helped conceal the identity of the attackers.
The other tool used by the attackers was Meterpreter, a component of the Metasploit framework.
"The executable file turned out to be a malicious binary running PowerShell scripts with the Meterpreter reverse shell, which silently granted remote control to the attacker." The binary was identified by Microsoft as "Rivit".
"Using the timeline views and process trees in the Windows Defender ATP console, we were able to identify the process that was responsible for the malicious activity and pinpoint when it appeared. We detected these activities in an editing software update," says Microsoft.
"The forensic examination of the Temp file on the infected machine showed us a legitimate third-party updater running as a service."
The updater had downloaded an unsigned, low-prevalence executable before the malicious activity was observed.
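The process-tree reasoning Microsoft describes, as an added example that is not part of the article or of Microsoft's tooling: a small Python check over constructed process-creation events that flags a trusted updater service spawning an unsigned, low-prevalence binary which then launches a script host such as PowerShell. The updater name, the prevalence threshold and every event below are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed process-creation events (pid, parent pid, image name, Authenticode-signed?,
# prevalence = how many machines in the fleet have seen this binary). Not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "services.exe",    "signed": True,  "prevalence": 100000},
    {"pid": 200, "ppid": 100, "image": "updater.exe",     "signed": True,  "prevalence": 5000},
    {"pid": 300, "ppid": 200, "image": "sample_drop.exe", "signed": False, "prevalence": 1},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",  "signed": True,  "prevalence": 100000},
    {"pid": 500, "ppid": 200, "image": "app_setup.exe",   "signed": True,  "prevalence": 4800},
    {"pid": 600, "ppid": 200, "image": "oddtool.exe",     "signed": False, "prevalence": 2},
]

LOW_PREVALENCE = 5                      # fleet-count threshold; an assumption for this example
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
UPDATER_NAMES = {"updater.exe"}         # hypothetical name of the trusted updater service

def build_tree(events):
    """Group process events by parent pid so children can be looked up quickly."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return children

def find_suspicious_update_chains(events):
    """Flag updater -> unsigned low-prevalence child ("medium"), and the same child
    going on to start a script host ("high"). Returns a list of (severity, chain)."""
    children = build_tree(events)
    hits = []
    for parent in events:
        if parent["image"].lower() not in UPDATER_NAMES:
            continue
        for child in children[parent["pid"]]:
            if child["signed"] or child["prevalence"] > LOW_PREVALENCE:
                continue                # signed or widely seen: looks like a normal payload
            chain = [parent["image"], child["image"]]
            hosts = [g["image"] for g in children[child["pid"]]
                     if g["image"].lower() in SCRIPT_HOSTS]
            if hosts:
                hits.append(("high", chain + [hosts[0]]))
            else:
                hits.append(("medium", chain))
    return hits

if __name__ == "__main__":
    for severity, chain in find_suspicious_update_chains(EVENTS):
        print(f"[{severity}] " + " -> ".join(chain))
```

In a real deployment the signature and prevalence fields would come from the endpoint telemetry, and a hit on the "high" chain is what the article's timeline view surfaced.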