A recently discovered cyber-attack targeting high-profile technology and financial organizations is using a compromised software update mechanism for malware delivery, Microsoft security researchers reveal.
This type of attack isn’t new, as it has been previously used in incidents involving Altair Technologies’ EvLog update process, South Korean software SimDisk’s auto-update mechanism, and the update server used by ESTsoft’s ALZip. The new campaign, however, also employed a series of commodity tools and simple malware, the researchers say.
Through compromising the update mechanism or software supply chain for a third-party editing tool, the actors were able to deploy a piece of malware Microsoft detects as Rivit. This malicious executable would launch PowerShell scripts bundled with the Meterpreter reverse shell, which provided remote attackers with silent control over the compromised machines.
Dubbed Operation WilySupply, this cyber-espionage campaign was discovered in its early stages, before it could do actual harm, Microsoft says. The company has notified the affected parties and the third-party software vendor and worked with them to mitigate potential risks. The well-planned, finely orchestrated cyberattack was so stealth that even the developer of the third-party tool was completely unaware of the issue.
“Although it did not utilize a zero-day exploit, this cyberattack effectively compromised an asset. It took advantage of the common trust relationship with software supply chains and the fact that the attacker has already gained control of the remote update channel,” Elia Florio, Windows Defender Advanced Threat Protection (Windows Defender ATP) Research Team, explains.
Interestingly, only certain machines were affected, while a majority of the possible targets were ignored. This, however, is an indicative of the actors’ intent to focus on the most valuable targets and to keep a low profile.
The commodity tools used in these attacks are typically employed in penetration testing exercises, and allow attackers to evade attribution. The malware binary, named ue.exe, was a small piece of code focused only on launching a Meterpreter shell from a Base64/Gzip encoded blob downloaded using PowerShell.
For network exploration, credential dumping, and lateral movement, the attackers used either native system commands or scripted tools executed only in memory through PowerShell, a technique that has become increasingly popular among cybercriminals.
The techniques, tactics, and procedures (TTPs) observed during the attack included non-persistent, self-destructing initial binary; memory-only payloads; recon activities such as machine enumeration; migration into long-living processes; use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI); and persistence through scheduled tasks.
As part of this operation, the attackers used the following network addresses to perform initial network scanning, lateral movement, and command-and-control (C&C) communication: hXXp://184.108.40.206/logo.png and hXXp://220.127.116.11/logo.png. The same addresses were used to download Meterpreter-based payloads as well.
“We believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,” Florio notes.