Supply Chain Update Software Unknowingly Used in Attacks

Microsoft shuts down hackers who hijacked a software updater with fileless, or in-memory, malware attacks.

Microsoft said a recent attack it calls Operation WilySupply utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware.

The unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.

“While their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,” said Elia Florio, senior security software engineer, with Windows Defender ATP Research Team.

It’s unclear just how many affected parties there were and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the “most valuable targets” in an effort to avoid detection.

“We believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,” Florio wrote.

He said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows ATP. “Windows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,” Florio wrote.

A forensic analysis of the Temp folder on one of the targeted systems revealed the legitimate third-party updater running as a service. However, closer inspection revealed the updater had also downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.

“The downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,” Florio wrote. “The malware binary, named by the cybercriminals ue.exe, was a small piece of code with the sole purpose of launching a Meterpreter shell.”

Meterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory, or fileless, attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It is one of several open-source tools, such as Lazagne, that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary's control server. In-memory or fileless attacks, Florio said, are a fast-growing trend among cybercriminals.

Attackers, Florio said, were taking advantage of the trusted relationship within the software supply chain. The victims were unaware that a malicious third party had infiltrated the remote update channel of the supply chain.

Self-updating software has been targeted in the past on a number of occasions, points out Microsoft. Unrelated incidents include adversaries targeting Altair Technologies’ EvLog update process, the auto-update mechanism for South Korean software SimDisk and the update server used by ESTsoft’s ALZip compression application, according to researchers.

Also noteworthy, Florio said, was that the adversaries conducted advanced reconnaissance, qualifying systems with tools such as .NET, IPCONFIG, NETSTAT, NLTEST and WHOAMI.

Additional tactics, techniques and procedures Florio noted included: memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; migration into long-living processes, such as the Windows Print Spooler (spoolsv.exe); use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI), specifically the WMIC /node command; and persistence through scheduled tasks created using the SCHTASKS and AT commands.
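As an added example (not from the article or from Microsoft's report), the following Python sketch turns the TTPs listed above into simple detection rules and runs them over constructed process-creation events; the event format, field names, file paths and sample command lines are assumptions, not telemetry from the incident.

```python
import re

# Constructed sample process-creation events (not real telemetry). Each event
# carries the parent image, child image, command line and signature status.
EVENTS = [
    {"parent": "updater.exe", "image": r"C:\Users\u\AppData\Local\Temp\ue.exe",
     "cmd": "ue.exe", "signed": False},
    {"parent": "rundll32.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1", "signed": True},
    {"parent": "spoolsv.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic /node:FS01 process call create cmd.exe", "signed": True},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks /create /tn Updater /tr ue.exe /sc onlogon", "signed": True},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe", "signed": True},
]

def _name(path):
    """Lower-cased file name of an image path (works for bare names too)."""
    return path.rsplit("\\", 1)[-1].lower()

# Detection rules keyed to the TTPs in the article: (rule name, predicate).
RULES = [
    ("unsigned binary in Temp launched by an updater",
     lambda e: not e["signed"] and "\\temp\\" in e["image"].lower()
               and "updat" in e["parent"].lower()),
    ("PowerShell spawned from rundll32 (memory-only payload staging)",
     lambda e: _name(e["parent"]) == "rundll32.exe" and _name(e["image"]) == "powershell.exe"),
    ("print spooler spawning an admin tool (process migration)",
     lambda e: _name(e["parent"]) == "spoolsv.exe"
               and _name(e["image"]) in {"cmd.exe", "powershell.exe", "wmic.exe"}),
    ("WMIC /node remote execution (lateral movement)",
     lambda e: _name(e["image"]) == "wmic.exe" and re.search(r"/node:", e["cmd"], re.I)),
    ("scheduled-task persistence via SCHTASKS or AT",
     lambda e: (_name(e["image"]) == "schtasks.exe" and "/create" in e["cmd"].lower())
               or _name(e["image"]) == "at.exe"),
]

def detect(events):
    """Return (rule name, command line) for every rule each event matches."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["cmd"]))
    return hits

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

A single event can fire several rules, as the spooler-launched WMIC event does here; in practice such overlaps are what make an alert worth escalating.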

Florio's tips for protecting against such attacks include using strong encryption on update channels, delivering script and configuration files in signed containers, and adopting Security Development Lifecycle best practices.
