Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
§ Context
Assumed environment: target organisations rely on a niche software vendor with weak security. The vendor publishes updates that the client auto-installs without further validation.
§ Steps
- 01 Compromise update server / signing process (Initial Access; T1078 Valid Accounts)
- 02 Push update via vendor channel (Initial Access; T1195 Supply Chain Compromise)
- 03 Customers auto-install (Execution; T1204 User Execution)
- 04 Disk-level destructive payload (Impact; T1485 Data Destruction)
- 05 EternalBlue + Mimikatz worm spread (Initial Access; CVE-ETERNALBLUE: EternalBlue, MS17-010 / CVE-2017-0144)
- 06 Build malicious update (Initial Access; APT-SUPPLIER-UPDATER: Trusted Updater Hijack, NotPetya / M.E.Doc)
§ References
- T1078 Valid Accounts
- T1195 Supply Chain Compromise
- T1204 User Execution
- T1485 Data Destruction
§ Frequently asked
- What is the "Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)" attack path?
- Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Compromise update server / signing process (T1078), an initial access primitive. Assumed environment: target organisations rely on a niche software vendor with weak security.
- What is the final impact of this kill-chain?
- The final step lands on Build malicious update (APT-SUPPLIER-UPDATER), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Industroyer2 IEC-104 substation hijack (2 shared techniques): Timed payload speaks IEC-60870-5-104 to substation RTUs at attacker-chosen hour; sends 'open breaker' commands across a substation, blackouts a grid section.
- ERC-4337 paymaster sponsor drain (2 shared techniques): A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses; the paymaster pays the gas until its deposit hits zero.
- Build-system implant → signed supply-chain backdoor (SolarWinds-class) (2 shared techniques): Compromise the target vendor's build server. A small implant rewrites a single source file at compile time; every official signed release downstream now ships the backdoor.
- Hardware wallet supply-chain tamper → pre-seeded seed (2 shared techniques): Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls; victim deposits, attacker drains.
- Malicious browser extension → cookie harvest → ATO (2 shared techniques): Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- Output injection → admin XSS in support panel (2 shared techniques): Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.