White Hat Institute

Compromising operating systems through fake software updates

As computer users become more virus-aware, malware authors are now attempting to dupe users into downloading their malicious software by masking it as a legitimate software update. Most users are aware that it is important to keep computer applications up to date in order to avoid being a victim of malware.

 framework can perform security auditing of operating systems by recreating Man in the Middle (MITM) assault. The assault works in situations where the assailant has DNS access and spoofing abilities. Evilgrade utilizes ineffectively updated framework utilities as an assault vector. A portion of the regular utilities upheld by Evilgrade incorporates Notepad++, Ccleaner, Teamviewer, Virtualbox, Filezilla, Skype, and VMware. 

At the point when the client opens one of the inadequately redesigned utilities, Evilgrade sends a (counterfeit) update message to the client through an MITM assault. The message contains a payload that generates indirect access to the objective framework. If the client installs the updates, a backdoor will be downloaded on the target system that can be abused remotely through programs like Metasploit.

Download evilgrade using the  command from the following GitHub link: https://github.com/infobyte/evilgrade.

Then go to downloads and double click to un-compress it. Evilgrade requires the following packages to operate, open a terminal, and run the following commands:

Latest Kali Linux releases come pre-installed with “”, and it is much stable. If you don’t have it, then run the following command on the terminal to install it.

When you launch the tool the first time, it should work fine, but sometimes it might display an error about Gnu.pm. It is a known bug with evilgrade; if it’s annoying you, then you can get rid of it by using the following command  Just make sure you reinstall it after you’re done in case it is needed by other tools; 

To start Evilgrade, navigate to the framework’s directory and type the following command 

Evilgrade, fake software updates

Once the evilgrade starts, we can view all modules representing the attack vector utilities.

Evilgrade 2

Let’s assume that our target runs an  We will try to hijack the function of the browser and redirect the site to the attacker’s preferred location, where he/she can download a malicious executable.

To select a program to configure type  then type  to view all possible options that need to be configured. To configure options, use the  command, then specify the option and put the value related to that option.

So, here we set the option called  and provided the exact location of our executable file.

Evilgrade 3

Now we need to make a basic DNS spoofing attack and redirect  to evilgrade. Let’s start by configuring the  file. To do so, type To escape any conflicts related to DNS, we need to change the port number from 53 to 5353, because evilgrade runs on port 53. Then we need to add the virtual host address of Opera in the record, as shown in the screenshot below. This address needs to be spoofed to redirect the users to the attacker’s machine for getting fake updates.

Evilgrade 4

Let’s start a DNS spoof with mitmf, and at the same time, let’s run msfconsole to start  for listening to incoming connections. In this particular case, we will use an exploit called  with the help of a payload called  This attack method will create a reverse connection from the target computer to the attacker’s computer.

Evilgrade 5

To start msfconsole, type  in the new terminal.

Evilgrade 6

Once the program launches, use the exploit by typing Then we need to set the payload according to the backdoor we’ve created using Veil-Evasion. In this case, we created the backdoor related to “ targeting the Windows devices, so the payload should be set to  To set the payload type To show all available options that need to be set type 

Evilgrade 7

Now set the  options to Kali machines IP address and  to the port that your backdoor will run then start the attack by typing 

Evilgrade 8

When the user opens an outdated Opera application on the target machine, an update message will pop up on the victim’s screen. If the user continues with the update, a meterpreter session will start in the window, enabling the assailant to take over the victim’s machine. From this point, you may perform any attack that the meterpreter allows.

Evilgrade 9


This method is not super reliable, and from time to time, you may encounter some errors. In this case, we need to add two lines in the evilgrade file to make it run without any issues. Open the evilgrade executable file with a file editor and type  to the first line and  to the second line, then save and exit. It should overcome some of the problems.

Evilgrade 10

Evilgrade is a solid platform with a number of modules that can create fake updates and inject them into target hosts quite cleverly. The position of Evilgrade, on the other hand, is secondary. To make the tool work, you must first control the DNS traffic. Another disadvantage of the method is that it can only be used for applications and devices that do not need digital certificates for authentication.

Email should always be treated with caution. Also, the most powerful spam filters are only 95% effective. Don’t click on a download link unless you’re looking for one. Infected ads that appear on legitimate websites are the most common source of malicious pop-ups. These websites accept ad rotations from a number of providers, which can be difficult to manage. Close the window and go to the software publisher’s website to search for updates if you’re not sure. It is often preferable to be secure rather than sorry.