Microsoft has warned software companies to better protect their updater processes after discovering a highly "well-planned and orchestrated" attack that destroyed an unnamed software update service.
As the Microsoft Threats Team explains, the attackers used the update mechanism of a popular application to access several high-profile technology and financial organizations. According to Microsoft and the software development company itself was under attack.
The spy campaign, named WilySupply by Microsoft, is likely to have financial incentives and targets updaters to reach out primarily to finance and payment companies.
In this case, they used the updater to install an “unsigned executable archive χαμηλού επιπολασμού” για να σαρώνουν το network of the victim by installing remote access.
Such an attack on the process of updating a trusted software is a smart side port for attackers as users use the mechanism to receive valid updates.
Microsoft notes that the same technique has been used in various attacks, such as the violations committed by South Korean companies 2013 through a malicious version of a SimDisk installer.
Attackers allegedly use free open source tools, such as the Evil Grade, which helps exploit defective update applications for the introduction of false updates. As Microsoft notes, WilySupply did just that, protecting the identity of the attackers.
The other tool the attackers used was Meterpreter, the memory component of Metaplsoit framework.
“The executable turned out to be a malicious binary that ran PowerShell scripts with the Meterpreter reverse shell, which silently granted remote control to the attacker. The binary (binary) was identified by Microsoft as "Rivit."
"Using the timeline views and processing trees in the Windows Defender ATP console, we were able to identify the process that was responsible for the malicious activity and pinpoint their appearance. "We detected these activities in an editing software update," says Microsoft.
“Forensic examination of the infected Temp folder machine, showed us a legitimate third-party updater running as a service.”
Updater uploaded an unsupported executable low-prevalence file before malicious activity was observed.