Microsoft says “Lock down your software supply chain before the malware scum get in”

Microsoft says “Lock down your software supply chain before the malware scum get in”

A stealthy attack code has been spotted going after payment systems.

Published on 31st May 2017

Microsoft’s security team is urging developers to shore up their software update systems – after catching miscreants hijacking an editing application’s download channels to inject malware into victims’ PCs.

In a security advisory, Redmond’s infosec gurus describe Operation WilySupply: their mission to find, isolate and destroy an unusual and highly targeted form of malicious code that was hiding in the software update mechanism of a widely used, and unnamed, editing tool.

Microsoft thinks that the attackers found a flaw in the application’s upgrade system that allowed them to send unsigned updates to Windows machines to install. A 132-byte binary called ue.exe was dispatched to some victims’ computers: this fired off PowerShell scripts and Meterpreter to fetch and run the Rivit trojan.

This wasn’t the usual spray-and-pray malware attack. The initial infection via this update channel was highly selective and only affected specific computers run by finance and payment companies. After it had delivered the payload, the ue.exe program instantly deleted itself to avoid detection.

“While the attack itself, including the selection of targets, appears to have been carefully planned, the attacker toolset comprised commodity tools and simple malware,” the advisory states. “These commodity tools are the same tools used in typical penetration testing exercises.”

Microsoft believes the purpose of the attack was to siphon organizations’ cash into crooks’ pockets, which would account for the camouflage techniques. The Windows giant has now added routines to detect similar infections to its operating system’s antivirus tools.

However, it’s going to be up to software developers to truly lock down this method of attack. Redmond recommends fully encrypting supply channels, enforcing code signing, perhaps adding two-factor authentication for critical stuff, and checking logs frequently.


The latest updates straight to your inbox

We just need a few details to get you subscribed

Health Checks

Inventory & Compliance

Cloud Readiness & Optimisation

Agreement & Audit Support


Looking for something specific?

Let's see what we can find - just type in what you're after

Wait! Before you go

Have you signed up to our newsletter yet?

It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!

Cookie Notice

Our website uses cookies to ensure you have the best experience while you're here.