Fake RVTools Installer Weaponizes Trusted Code Certificate Against VMware Admins

Researchers uncovered a fake RVTools installer signed with a legitimate Sectigo certificate that bypasses Windows SmartScreen and delivers a remote access trojan targeting VMware administrators.

CSBadmin

Fake Installer Bypasses Windows Security Defenses

Attackers have created a malicious version of RVTools, a legitimate VMware administration tool, using a valid Sectigo digital certificate to evade Windows SmartScreen protections. The bogus installer is signed under a shell company named Xiamen Lunwei Huage Network Co., Ltd., making it appear authentic to enterprise administrators who routinely run signed administrative software. Since the certificate was valid at delivery time, standard endpoint controls did not flag the file as suspicious.

Researchers at K7 Security Labs identified the campaign and detailed how the fake setup file drops a hidden VBScript upon execution. The script initiates a three-stage attack chain involving system reconnaissance and the deployment of a remote access trojan. The malware establishes a persistent backdoor that communicates with a command-and-control server every five minutes, giving attackers ongoing access to compromised systems.

Enterprise Risk and Limited Protection

RVTools is widely deployed in enterprise environments where IT administrators with high-level domain credentials use it daily to manage virtual infrastructure. A compromised admin workstation through this vector effectively hands over the entire virtualized environment to attackers. While Sectigo has since revoked the certificate, this only helps environments that enforce real-time certificate checks at execution time. Organizations relying solely on static signature verification would still have no way to distinguish the tampered installer from the legitimate tool until after execution.

The attack exploits the implicit trust organizations place in signed binaries, reinforced by a familiar installer flow that presents a standard end-user license agreement. Security teams should review their code-signing validation policies and consider implementing runtime certificate verification for administrative tools to defend against similar supply-chain-style attacks.
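As an added example (not from the article or from K7 Security Labs), the PowerShell below implements the runtime check recommended above: it verifies the file's Authenticode signature and then rebuilds the signer's certificate chain with online revocation checking, so an installer signed with a certificate that was valid at delivery but has since been revoked is blocked instead of passed by a static check. The expected publisher subject is a placeholder to fill in from a known-good copy of the tool.

```powershell
# Added example: Authenticode check plus online revocation check for an admin-tool installer.
param(
    [Parameter(Mandatory = $true)][string]$Path   # assumed path, e.g. .\RVTools-setup.exe
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Static check: file is signed and the hash matches. A certificate that was valid when the
# file was signed but revoked later can still pass this step; that is the gap the article describes.
if ($sig.Status -ne 'Valid') {
    Write-Output "BLOCK: Authenticode status is $($sig.Status)"
    exit 1
}

# Runtime check: rebuild the signer's chain with online CRL/OCSP revocation checking.
# The chain is evaluated against current revocation status, deliberately ignoring the
# countersignature timestamp, so a revocation after delivery is caught.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag  = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$chainOk = $chain.Build($sig.SignerCertificate)
# Fail closed: an unreachable CRL/OCSP endpoint is treated the same as a revoked certificate.
$revoked = $chain.ChainStatus | Where-Object {
    $_.Status -match 'Revoked|RevocationStatusUnknown|OfflineRevocation'
}

if (-not $chainOk -or $revoked) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Output "BLOCK: chain failed online revocation check ($reasons)"
    exit 1
}

# Publisher allow-list: a technically valid signature from an unexpected subject is still suspicious.
$expectedSubjectFragment = 'CN=<EXPECTED RVTOOLS PUBLISHER>'  # placeholder, take from a known-good copy
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$expectedSubjectFragment*") {
    Write-Output "BLOCK: unexpected signer subject: $subject"
    exit 1
}

Write-Output "ALLOW: $Path signed by $subject; chain valid with online revocation check"
exit 0
```

Run it from a software-distribution or deployment step before the installer is executed; a non-zero exit code is the signal to quarantine the file.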

Source: Cyber Security News
