Fake software update carries users to get hit by malware

Share this…

Cyber-criminals used compromised websites to distribute malware under the guise of updates to popular applications, including Adobe Flash, Chrome and FireFox. Information security training researchers find out that in several cases, the legitimate remote access tool (RAT) of NetSupport Manager was distributed through updates.

NetSupport Manager is a legitimate, commercially available tool used by administrators to remotely access users’ computers. But hackers have taken advantage of this tool by installing it on victim’s computers.


According to a post, attackers distribute the tool through hacked sites and disguise it as updates to popular applications. If a user installs an update, a malicious JavaScript file is downloaded to their device.

The malware collects system information and sends it to a C&C server. After receiving further commands from the server, it then executes another JavaScript file to deliver the final payload.

The malware’s developers have used several levels of obfuscation to the original JavaScript file and attempted to complicate the analysis of the second JavaScript file.

Moreover, the JavaScript file initiates a connection to the C&C server and sends the tid value with the current date of the system in an encrypted format. The script then decrypts the server’s response and executes it as a function called step2.

This function collects various system information; such as architecture, computer name, user name, processor, OS, domain, manufacturer, model, BIOS version, security solutions, MAC address, keyboard, display controller configuration, and process list. In response, the server sends a function called step3 and a file called Update.js, which in turn loads and executes the final malicious payload.

The malware also uses PowerShell commands to download files from the server, including a standalone 7zip executable file that contains a remote access tool, and a batch script for installing the NetSupport client on the system.

The script can also disable Windows error reporting and application compatibility, adding the executable file to the list of allowed programs, downloading the shortcut to the Startup folder, hiding specific files, deleting artifacts.

By using NetSupport Manager, attackers can gain remote access to hacked systems, launch applications, receive location data, and steal system information.

Information security training researchers added that the JavaScript file also loads a txt file containing a list of IP addresses that can be hacked. These IP addresses are located mainly in the US, Germany and the Netherlands.

“RATs are widely used for legitimate purposes, often by system administrators. However, since they are legitimate applications and readily available, malware authors can easily abuse them and sometimes can avoid user suspicion as well,” said Sudhanshu Dubey, information security training researcher at Fireeye.

“We recently spoke about the UDPoS malware, a family which is consistently disguised as a software update to important system and administration software. Overall, the technique is probably about halfway up the clever spectrum: it’s been around for quite some time and it couldn’t be described as particularly innovative in modern times, but end-users are very used to seeing and accepting prompts for software updates to the point where many experience ‘update request fatigue’. Malicious actors don’t need to innovate or change lure techniques when their existing tricks continue to be effective,” he said.

Barry Shteiman, director of Threat Research at Exabeam, told that organisations need to be able to detect unusual activity from valid machines and users, which is why behavioural analytics has grown so quickly over the last couple of years.