
🎯 In short: a signed adware campaign is turning off antivirus programs on thousands of computers.
What Happened
A significant signed adware operation has been discovered, linked to a company named Dragon Boss Solutions LLC. This operation has reportedly disabled antivirus products on more than 23,000 endpoints globally. The campaign was uncovered by Huntress, which revealed that the attackers used a legitimate code-signing certificate to deploy a malicious PowerShell payload.
How It Works
The malware employs an off-the-shelf update mechanism to deliver its payload. Upon execution, it systematically kills, uninstalls, and blocks the reinstallation of various security tools, including those from Malwarebytes, Kaspersky, McAfee, and ESET. The attack chain begins by checking for administrative privileges and detecting virtual machines, so that it only proceeds where it has the rights it needs and is less likely to be running inside an analysis sandbox.
Attack Mechanism
Once the payload is delivered, it establishes multiple scheduled tasks and Windows Management Instrumentation (WMI) event subscriptions to maintain persistence. The malware is designed to kill any matching antivirus process every 100 milliseconds during the boot process, effectively neutralizing security measures before they can initialize. It also modifies the Windows hosts file so that the antivirus products can no longer reach their update servers.
Who's Being Targeted
The operation has a wide-reaching impact, with infections reported in 124 countries. The United States accounts for about 54% of the connections, followed by France, Canada, the UK, and Germany. Notably, the malware has infiltrated high-value networks, including:
- 221 universities and colleges
- 41 operational technology networks
- 35 government entities
- Three healthcare organizations
What Data Was Exposed
While the immediate payload is focused on disabling antivirus software, the underlying infrastructure could deliver other malicious payloads. This raises concerns that the operation could pivot to more severe threats, such as ransomware, cryptomining, or data theft, once antivirus defenses are neutralized.
What You Should Do
Organizations should take immediate action to mitigate risks associated with this operation. Recommended steps include:
Detection
1. Audit systems for unauthorized software and processes.
2. Ensure antivirus solutions are up-to-date and functioning correctly.
Removal
3. Implement network monitoring to detect unusual activity.
4. Educate employees about potential phishing attempts that may facilitate such attacks.
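As an added example (not code from Huntress or from the original article), the read-only audit below turns the first recommendation into a concrete check for the three techniques described under Attack Mechanism: WMI event subscriptions, scheduled tasks that reference security products or process-kill verbs, and hosts file entries that sinkhole antivirus vendor domains. The vendor name list and the match patterns are assumptions chosen for illustration; run it in an elevated PowerShell session, since the root\subscription namespace is not readable by standard users.

```powershell
# Added example: enumerate persistence and tamper artefacts described in the article.
# Vendor names and regex patterns are assumptions for illustration, not indicators.
$avNames  = 'Malwarebytes','Kaspersky','McAfee','ESET'
$findings = @()

# 1. WMI event subscriptions: filter-to-consumer bindings persist across reboots
#    and are rarely created legitimately on workstations, so list every one.
$ns = 'root\subscription'
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    $findings += [pscustomobject]@{ Kind = 'WMI binding'; Detail = "Filter=$($b.Filter) Consumer=$($b.Consumer)" }
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer) {
    $findings += [pscustomobject]@{ Kind = 'WMI consumer'; Detail = $c.CommandLineTemplate }
}

# 2. Scheduled tasks outside the Microsoft tree whose action names a security
#    product or a process-kill / uninstall verb.
$taskPattern = ($avNames + 'Stop-Process','taskkill','Uninstall') -join '|'
foreach ($t in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $taskPattern) {
            $findings += [pscustomobject]@{ Kind = 'Scheduled task'; Detail = "$($t.TaskPath)$($t.TaskName): $cmd" }
        }
    }
}

# 3. hosts file lines that point a vendor domain at 0.0.0.0 or 127.0.0.1,
#    which is how the article describes update traffic being blocked.
$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorRegex = $avNames -join '|'
foreach ($line in Get-Content $hostsPath -ErrorAction SilentlyContinue) {
    if ($line -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)' -and $Matches[2] -match $vendorRegex) {
        $findings += [pscustomobject]@{ Kind = 'hosts sinkhole'; Detail = $line.Trim() }
    }
}

if ($findings.Count -eq 0) { 'No WMI subscriptions, suspicious tasks or hosts sinkholes found.' }
else { $findings | Format-Table -AutoSize }
```

Any WMI binding or hosts sinkhole it reports should be treated as a lead to investigate, not proof of compromise; legitimate management agents occasionally use WMI subscriptions, so compare against a known-good baseline before removing anything.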
Conclusion
The discovery of this adware operation highlights the evolving landscape of malware threats. As attackers leverage legitimate tools and methods to bypass security measures, organizations must remain vigilant and proactive in their cybersecurity strategies.
🔒 Pro insight: The use of legitimate code-signing certificates in this campaign underscores the need for stricter verification processes for software updates.