Pierluigi Paganini July 28, 2018

Microsoft revealed that hackers attempted to compromise the supply chain of an unnamed maker of PDF software.

The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.

The attack was discovered by the experts from Microsoft that received alerts via the Windows Defender ATP.

Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.

The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.

The compromise lasted between January and March 2018, according to the tech giant the hackers compromised only a small number of machines, this could indicate that the hacked companies working with the font package provider have a small market share.

This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.

“A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case.” reads the analysis published by Microsoft.

“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”

The hackers cloned the infrastructure of the company that develops the PDF Editor, they set up a server containing all MSI files, including font packages, all clean and digitally signed.

The hackers poisoned an MSI file associated with an Asian fonts pack with a crypto miner, then devised a technique to influence the download of the font by the PDF Editor from the attackers’ server.

Once the victims have installed the PDF editor app, the application will install the font packages from the cloned server managed by the attackers, including the tainted one.

Below the multi-tier attack described by Microsoft:

1. Attackers recreated the software partner’s infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server.

The attackers have targeted the supply chain by hiding the miner in an installer to have full elevated privileges (SYSTEM) on a machine.

The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.

The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.

Pierluigi Paganini

(Security Affairs – supply chain, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]