Stealthy attack code spotted going after payment systems
Microsoft’s security team is urging developers to shore up their software update systems – after catching miscreants hijacking an editing application’s download channels to inject malware into victims’ PCs.
In a security advisory, Redmond’s infosec gurus describe Operation WilySupply: their mission to find, isolate and destroy an unusual and highly targeted form of malicious code that was hiding in the software update mechanism of a widely used, and unnamed, editing tool.
Microsoft thinks that the attackers found a flaw in the application’s upgrade system that allowed them to send unsigned updates to Windows machines to install. A 132-byte binary called ue.exe was dispatched to some victims’ computers: this fired off PowerShell scripts and Meterpreter to fetch and run the Rivit trojan.
This wasn’t the usual spray-and-pray malware attack. The initial infection via this update channel was highly selective and only affected specific computers run by finance and payment companies. After it had delivered the payload, the ue.exe program instantly deleted itself to avoid detection.
“While the attack itself, including the selection of targets, appears to have been carefully planned, the attacker toolset comprised commodity tools and simple malware,” the advisory states. “These commodity tools are the same tools used in typical penetration testing exercises.”
Microsoft believes the purpose of the attack was to siphon organizations’ cash into crooks’ pockets, which would account for the camouflage techniques. The Windows giant has now added routines to detect similar infections to its operating system’s antivirus tools.
However, it’s going to be up to software developers to truly lock down this method of attack. Redmond recommends fully encrypting supply channels, enforcing code signing, perhaps adding two-factor authentication for critical stuff, and checking logs frequently.