Microsoft’s Windows warning: Hackers hijacked software updater with in-memory malware



Microsoft has shown how Windows Defender ATP detected anomalous updater behavior.


Image: Microsoft

Microsoft is warning software vendors to protect their updater processes after discovering a “well-planned, finely orchestrated” attack that hijacked an unnamed editing tool’s software supply chain.

As Microsoft’s threat response group explains, the attackers used the update mechanism of a popular but unnamed piece of editing software to gain a foothold in several high-profile technology and financial organizations. The software vendor itself was also under attack, it says.


Microsoft assesses the espionage campaign, which it dubbed WilySupply, to be financially motivated: it targeted updaters as a way to reach mostly finance and payment-industry firms.

In this case, they used the updater to deliver an “unsigned, low-prevalence executable” before scanning the victim’s network and establishing remote access.

Attacking the update process of trusted software is a nifty side door for attackers, since users rely on the mechanism to receive valid updates and patches.

Microsoft notes the same technique has been used in a number of attacks, such as a 2013 breach of several South Korean organizations via a malicious version of an installer from storage service SimDisk.

Attackers also have free, open-source pen-testing tools such as Evilgrade at their disposal, which exploits faulty update implementations to inject bogus software updates. As Microsoft notes, WilySupply took this commodity-tool approach, which shields the attackers from attribution because there are no unique tactics or tools to fingerprint.

The other pen-testing tool the attackers used was Meterpreter, the in-memory payload of the Metasploit framework.

“The downloaded executable turned out to be a malicious binary that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control. The binary is detected by Microsoft as Rivit,” Microsoft notes.

Despite the reliance on commodity tools, Microsoft notes a few traits typical of advanced attackers, including the use of a self-destructing initial binary and a memory-only, or fileless, payload to evade antivirus detection.

Security firm Kaspersky in February reported a rise of in-memory malware attacks on banks across the globe, with attackers using Meterpreter and standard Windows utilities to carry out the attacks. As the company noted, the URL responsible for downloading Meterpreter was “adobeupdates.sytes[.]net”.

Microsoft traced the source of infections at customer sites to the compromised updater with the Windows Defender Advanced Threat Protection (ATP) console, its Windows 10 security service for containing and investigating malware outbreaks.

“By utilizing the timeline and process-tree views in the Windows Defender ATP console, we were able to identify the process responsible for the malicious activities and pinpoint exactly when they occurred. We traced these activities to an updater for the editing tool,” says Microsoft.

“Forensic examination of the Temp folder on the affected machine pointed us to a legitimate third-party updater running as a service. The updater downloaded an unsigned, low-prevalence executable right before malicious activity was observed.”
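The process-tree pattern Microsoft describes (a legitimate updater running as a service, an unsigned low-prevalence executable it downloaded, then PowerShell launched from that executable) can be hunted for in ordinary process-creation telemetry. The script below is an added example written for this article, not Microsoft's or Windows Defender ATP's code; the event records and field names (signed, prevalence, is_service) are constructed for illustration, and the low-prevalence threshold is an assumed value.

```python
"""Hunt for the WilySupply-style chain in process-creation telemetry:
a legitimate updater running as a service drops an unsigned,
low-prevalence executable, which then launches PowerShell.

All events below are constructed for this example; the field names are
this example's own, not Windows Defender ATP's schema.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable
    signed: bool        # Authenticode signature present and valid
    prevalence: int     # machines on which this file hash was seen (assumed field)
    is_service: bool    # launched by the Service Control Manager
    cmdline: str = ""


LOW_PREVALENCE = 10                                  # assumed threshold; tune per estate
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}   # payload launchers to anchor on


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def ancestry(tree: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links upward: [process, parent, grandparent, ...]."""
    chain, seen = [], set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = tree.get(cur.ppid)
    return chain


def find_updater_hijack(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per shell whose ancestry contains an unsigned,
    low-prevalence executable that itself descends from a service process."""
    tree = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        chain = ancestry(tree, ev.pid)
        for i in range(1, len(chain)):
            dropper = chain[i]
            if dropper.signed or dropper.prevalence > LOW_PREVALENCE:
                continue
            service = next((a for a in chain[i + 1:] if a.is_service), None)
            if service is None:
                continue
            findings.append({
                "service_pid": service.pid, "service_image": service.image,
                "dropper_pid": dropper.pid, "dropper_image": dropper.image,
                "shell_pid": ev.pid, "shell_cmdline": ev.cmdline,
            })
            break
    return findings


# Constructed sample: one malicious chain, one benign updater chain, one user shell.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", True, 100000, False),
    ProcEvent(1200, 600, r"C:\Program Files\EditTool\updater.exe", True, 5000, True),
    # updater downloaded and ran an unsigned file seen on almost no other machine
    ProcEvent(1300, 1200, r"C:\Users\alice\AppData\Local\Temp\update_1.exe", False, 1, False),
    ProcEvent(1400, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              True, 100000, False, "-NoProfile -WindowStyle Hidden -EncodedCommand <base64>"),
    # benign: the same updater runs a signed, widely seen installer that uses PowerShell
    ProcEvent(1350, 1200, r"C:\Program Files\EditTool\setup.exe", True, 20000, False),
    ProcEvent(1450, 1350, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              True, 100000, False, "-File install.ps1"),
    # benign: a user opening a shell from Explorer
    ProcEvent(2000, 4, r"C:\Windows\explorer.exe", True, 100000, False),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", True, 100000, False),
]

if __name__ == "__main__":
    for f in find_updater_hijack(SAMPLE_EVENTS):
        print(f"service {f['service_image']} (pid {f['service_pid']}) -> "
              f"unsigned {f['dropper_image']} (pid {f['dropper_pid']}) -> "
              f"shell pid {f['shell_pid']}: {f['shell_cmdline']}")
```

Anchoring on the shell and walking upward, rather than alerting on every unsigned download, keeps the benign updater chain quiet while still catching the case where the dropper has already deleted itself: the parent link survives in telemetry even when the file on disk does not.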


(via PCMag)



