The attackers mostly targeted organizations in the finance and payment industries.
“An unknown attacker was taking advantage of a silent yet effective attack vector: the compromised update mechanism or software supply chain for a third-party editing tool.” wrote Elia Florio, senior security software engineer, with Windows Defender ATP Research Team. “The software vendor that develops the editing tool was unaware of the issue. In fact, while their software supply chain served as a channel for attacking other organizations, they themselves were also under attack.”
Microsoft confirmed that attackers were financially motivated and conducted surgical attacks, but did not provide data on the number of targets.
“We believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries.” added Florio.
Experts at Microsoft discovered the insidious attack vector after a number of machines using the updater were flagged by Windows ATP.
“Windows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,” added Florio.
The analysis of the Temp Folder on one of the infected systems revealed the legitimate third-party updater running as service, anyway, the updater also downloaded an unsigned, low-prevalence executable just before the malicious activity was observed.
“The downloaded executable turned out to be a malicious binary that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control. The binary is detected by Microsoft as Rivit.”
Attackers used the Meterpreter to power in-memory or fileless attacks through in-memory DLL injections.
This isn’t the first time that hackers exploit software remote update channel of the supply chain as an attack vector.
Experts at Microsoft confirmed that the technique was observed in the past in cyber attacks against high-profile targets.
“This generic technique of targeting self-updating software and their infrastructure has played a part in a series of high-profile attacks, such as unrelated incidents targeting Altair Technologies’ EvLog update process, the auto-update mechanism for South Korean software SimDisk, and the update server used by ESTsoft’s ALZip compression application.” continues the post.
Back to the present, experts observed recon activities, including machine enumeration, using standard commands, such as NET, IPCONFIG, NETSTAT, NLTEST, and WHOAMI. Hackers also used common tools like Mimikatz and Kerberoast to dump hashes and lateral movement leveraging the Windows Management Instrumentation (WMI).
(Security Affairs – Operation WilySupply, hacking)