Microsoft researchers recently uncovered a sophisticated hacking campaign that was serving targeted malware to “several high-profile technology and financial organizations.” The unidentified hackers reportedly compromised a set of third-party editing software tools by injecting malicious code into the programs’ update mechanism, the Windows Defender Advanced Threat Protection research team found.
The findings underscore the threat organizations face through vulnerable third-party applications. Such applications and services are commonly integrated into a company’s IT infrastructure, and each one widens the attack surface available to hackers.
“[A] forensic examination of the Temp folder on [an] affected machine pointed us to a legitimate third-party updater running as service,” a Microsoft blog reads. “The updater downloaded an unsigned, low-prevalence executable right before malicious activity was observed. The downloaded executable turned out to be a malicious binary that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control. The binary is detected by Microsoft as Rivit.”
Rivit is a trojan downloader that lets an attacker execute code remotely on a target system.
“It took advantage of the common trust relationship with software supply chains and the fact that the attacker has already gained control of the remote update channel,” researchers wrote. “This generic technique of targeting self-updating software and their infrastructure has played a part in a series of high-profile attacks.”
While these intrusions did not rely on zero-day exploits, the method allowed the attackers to effectively compromise specific assets in the supply chain.
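The chain Microsoft describes above (a legitimate, signed updater fetching an unsigned, rarely seen executable into Temp, which then spawns PowerShell) is something a defender can hunt for in process-creation telemetry. The script below is an added example written for this page; it is not Microsoft's detection logic or code from the Windows Defender ATP team. The log lines are constructed, Sysmon-style JSON records with invented hostnames, paths and a hypothetical `prevalence` field (in practice that count would come from a file-reputation lookup), and the `updater.exe`/`upd_9f3a.exe` names are illustrative only.

```python
"""Flag the update-channel abuse pattern: signed updater -> unsigned,
low-prevalence binary in Temp -> PowerShell child process.

Added example for this article; the event format is a constructed,
Sysmon-like process-creation record (one JSON object per line), not
Microsoft's telemetry schema.
"""
import json
from collections import defaultdict

# Constructed sample telemetry (hypothetical paths, PIDs and prevalence counts).
# Event 2 is the dropped unsigned payload; event 3 is the PowerShell it spawns.
SAMPLE_EVENTS = r"""
{"pid": 1204, "ppid": 680, "image": "C:\\Program Files\\ExampleEditor\\updater.exe", "signed": true, "cmdline": "updater.exe --check", "prevalence": 120000}
{"pid": 3310, "ppid": 1204, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd_9f3a.exe", "signed": false, "cmdline": "upd_9f3a.exe", "prevalence": 2}
{"pid": 3342, "ppid": 3310, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "signed": true, "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "prevalence": 900000}
{"pid": 4001, "ppid": 1204, "image": "C:\\Program Files\\ExampleEditor\\editor.exe", "signed": true, "cmdline": "editor.exe", "prevalence": 118000}
"""

# Command-line switches that commonly accompany a staged PowerShell payload.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "-noprofile")


def parse_events(text):
    """Parse one JSON record per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_temp_path(image):
    """True if the executable lives under a Temp directory (case-insensitive)."""
    low = image.lower()
    return "\\temp\\" in low


def suspicious_flags(cmdline):
    """Return the suspicious PowerShell switches present in a command line."""
    low = cmdline.lower()
    return [f for f in SUSPICIOUS_PS_FLAGS if f in low]


def find_update_channel_abuse(events, prevalence_threshold=10):
    """Return one alert per unsigned, low-prevalence Temp binary that was
    launched by a signed parent and itself launched PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Stage 1: a signed parent (the updater) spawned this process.
        if parent is None or not parent["signed"]:
            continue
        # Stage 2: the child is unsigned, rare, and running from Temp.
        if e["signed"] or not is_temp_path(e["image"]):
            continue
        if e["prevalence"] > prevalence_threshold:
            continue
        # Stage 3: the dropped binary launched PowerShell.
        ps = [c for c in children[e["pid"]]
              if c["image"].lower().endswith("\\powershell.exe")]
        if not ps:
            continue
        alerts.append({
            "updater": parent["image"],
            "payload": e["image"],
            "payload_pid": e["pid"],
            "powershell_cmdline": ps[0]["cmdline"],
            "suspicious_flags": suspicious_flags(ps[0]["cmdline"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_update_channel_abuse(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

The benign `editor.exe` launch by the same updater is not flagged, because it is signed and not in Temp; the rule keys on the combination of parent trust, missing signature, low prevalence and a PowerShell child rather than on any single indicator, which is what keeps it from firing on every ordinary update.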
There have been several recent, unrelated incidents of hackers hijacking a software program’s native updater to infect a computer network with malware. The latest case came Friday, in an incident that affected Altair Technologies’ EvLog product.
The group behind this campaign, which Microsoft dubbed “Operation WilySupply,” is likely “motivated by financial gain,” according to the company.
Private sector cybersecurity firms have seen the Rivit trojan downloader used by cybercrime gangs in Eastern Europe, among other groups.
Microsoft does not provide direct attribution for Operation WilySupply. Though the initial stage of the attack appears complex and well-planned, the commodity malware it delivered in the observed cases was relatively basic and common.