Microsoft has warned software companies to better protect their updater processes after discovering a highly "well-planned and orchestrated" attack that destroyed an unnamed software update service.
As Microsoft's threat response team explains, the attackers used the mechanism informationof a popular application to gain access to several high-profile technology and financial organizations. According to Microsoft, the software developer itself was under attack.
The spy campaign, named WilySupply by Microsoft, is likely to have financial incentives and targets updaters to reach out primarily to finance and payment companies.
In this case, they used the updater to install an "unsigned low prevalence executable file" to scan the victim's network by installing remote access.
Such an attack on the process of updating a trusted software is a smart side port for attackers as users use the mechanism to receive valid updates.
Microsoft notes that the same technique has been used in various attacks, such as the violations committed by South Korean companies 2013 through a malicious version of a SimDisk installer.
Attackers allegedly use free open source tools, such as the Evil Grade, which helps exploit defective update applications for the introduction of false updates. As Microsoft notes, WilySupply did just that, protecting the identity of the attackers.
The other tool used by the attackers was the Meterpreter, the component of the Metaplsoit framework.
"The executable file turned out to be a malicious binary running PowerShell scripts με το Meterpreter reverse shell, which silently granted remote control to the attacker. The binary was identified by Microsoft as “Rivit.”
"Using the timeline views and processing trees in the Windows Defender ATP console, we were able to identify the process that was responsible for the malicious activity and pinpoint their appearance. "We detected these activities in an editing software update," says Microsoft.
"OR forensic examination of the Temp folder on the infected machine showed us a legitimate third-party updater running as a service.”
Updater uploaded an unsupported executable low-prevalence file before malicious activity was observed.