Cybersecurity provider Huntress has identified a major security threat. What looked like an unremarkable potentially unwanted program (PUP) has turned into a threat that disables antivirus software and puts thousands of endpoints at risk.
As detailed in a recent Huntress blog post, the attack starts with an application signed by Dragon Boss Solutions, which the researchers classify as adware. The software uses an apparently legitimate update service to download and run a malicious payload that has been quietly disabling antivirus tools on endpoints around the world, including at universities, government agencies, power utilities, hospitals, and Fortune 500 companies.
The activity was first spotted in March, when unusual events attributed to adware turned out to be a multi-stage attack. The payload ran with system-level privileges and maintained its foothold through scheduled tasks and WMI-based persistence.
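The two persistence mechanisms named above are the first things a responder should look for on a suspect host. The following PowerShell script is an added example written for this article, not code from Huntress or from the adware; it enumerates permanent WMI event subscriptions and scheduled tasks that run as SYSTEM, and the path heuristic it uses to flag a task as suspicious is an assumption of the example, not an indicator from the research. Run it in an elevated session.

```powershell
# Added example (not from the Huntress research): hunt for WMI event-subscription
# persistence and SYSTEM scheduled tasks on a Windows host. Requires an elevated session.

function Get-RefName($Ref) {
    # Get-CimInstance returns reference properties as CimInstance objects;
    # the older WMI cmdlets returned object-path strings. Handle both.
    if ($Ref -is [string]) { return ($Ref -split 'Name=')[-1].Trim('"') }
    return $Ref.Name
}

function Get-WmiPersistence {
    # Filter -> consumer bindings survive reboots and run as SYSTEM, which is
    # why they are a favoured persistence mechanism.
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName
        # CommandLineEventConsumer runs a command; ActiveScriptEventConsumer runs script text.
        $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                  elseif ($c.ScriptText)      { $c.ScriptText }
                  else                        { $c.CimClass.CimClassName }
        [pscustomobject]@{
            Type    = 'WMI subscription'
            Name    = $filterName
            Trigger = $f.Query          # WQL event query that fires the consumer
            Action  = $action
            Flag    = $true             # any binding outside a known baseline deserves a look
        }
    }
}

function Get-SystemTasks {
    # Tasks running as SYSTEM are common for Microsoft components; flag those whose
    # executable lives in a user-writable location (heuristic, an assumption of this example).
    $writable = '\\(Temp|ProgramData|Users\\[^\\]+\\AppData)\\'
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match '^(SYSTEM|S-1-5-18)$' } |
      ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            [pscustomobject]@{
                Type    = 'Scheduled task'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Action  = ("$($a.Execute) $($a.Arguments)").Trim()
                Flag    = [bool]($a.Execute -match $writable)
            }
        }
      }
}

# Report flagged items first so the unusual entries are at the top.
@(Get-WmiPersistence) + @(Get-SystemTasks) |
    Sort-Object -Property Flag -Descending |
    Format-Table -AutoSize -Wrap
```

Compare the WMI bindings against a clean build of the same image; a default Windows install has very few, so anything unfamiliar there is worth pulling the consumer body for. For scheduled tasks, the path heuristic only narrows the list: a task whose action is a legitimate binary launched with unusual arguments will not be flagged, so read the Action column rather than trusting the Flag alone.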
The researchers found more than 25,000 endpoints that had connected to the attacker infrastructure. Significantly, the update mechanism relied on domains that were not registered, meaning anyone could buy one and deliver code to the already-compromised machines, which turns an adware infection into a supply-chain attack.
In effect, the infrastructure was waiting for someone to claim an unregistered domain baked into the malware's update mechanism. Whoever registered it could push any payload (ransomware, cryptominers, spyware) to every infected machine silently, with no user interaction required, and with antivirus already disabled.
To contain the threat, Huntress registered the domains itself and pointed the traffic at a sinkhole, preventing further damage. Huntress still warned that, in other hands, the same infrastructure could have been used to distribute ransomware or infostealer packages.
The findings illustrate a growing pattern: software categories usually dismissed as a nuisance, such as PUPs, can become the entry point for far more serious infections. The researchers warn that what starts out as simple adware can end in full system compromise once its update mechanism is subverted.
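The risk described above is not specific to this adware: any updater that phones home to a domain nobody holds can be hijacked by whoever registers it. The following PowerShell script is an added example written for this article, not code from Huntress, showing how to check a list of update hosts for that condition. The host list is constructed sample data, and the "last two labels" rule for finding the registrable domain is a simplification the example assumes; it requires the DnsClient module (Windows 8 / Server 2012 and later) and network access.

```powershell
# Added example (not from the Huntress research): given the hosts an updater contacts,
# report which registrable domains are unregistered, i.e. which ones anyone could buy
# and use to push payloads to every install. Requires the DnsClient module.

function Get-RegistrableDomain([string]$HostName) {
    # Simplification (assumption): take the last two labels. Multi-label public
    # suffixes such as co.uk need the Public Suffix List for a correct answer.
    $labels = $HostName.ToLower().TrimEnd('.') -split '\.'
    if ($labels.Count -lt 2) { return $HostName }
    return ($labels[-2..-1]) -join '.'
}

function Test-UpdateDomain([string[]]$Hosts) {
    $seen = @{}
    foreach ($h in $Hosts) {
        $domain = Get-RegistrableDomain $h
        if ($seen.ContainsKey($domain)) { continue }   # one lookup per apex
        $seen[$domain] = $true
        try {
            # A registered domain answers an NS query at its apex. An unregistered
            # one returns NXDOMAIN, which Resolve-DnsName raises as a terminating error.
            $ns = Resolve-DnsName -Name $domain -Type NS -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'NS' }
            $status = if ($ns) { 'registered' } else { 'no NS records: check WHOIS' }
        } catch {
            $status = if ($_.Exception.Message -match 'DNS name does not exist') {
                          'UNREGISTERED: takeover risk'
                      } else {
                          "lookup failed: $($_.Exception.Message)"
                      }
        }
        [pscustomobject]@{ Host = $h; Domain = $domain; Status = $status }
    }
}

# Constructed sample input: hosts an updater was observed contacting. In practice,
# pull these from the updater's config, strings in its binary, or proxy/DNS logs.
$sample = @('update.example.com', 'cdn.example.net', 'telemetry.example.org')
Test-UpdateDomain $sample | Format-Table -AutoSize
```

Treat "UNREGISTERED" as an incident, not a curiosity: a domain that the software on your endpoints already trusts is available to anyone who pays the registration fee. A "registered" result is only half an answer, since a domain that exists but is held by a party unrelated to the vendor is the same takeover in a later stage; confirm the registrant against the software publisher before trusting the updater again.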
The full research is available on the Huntress blog.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.