
Microsoft revealed details of a supply chain attack at unnamed Maker of PDF Editor

Microsoft revealed that hackers attempted to compromise the supply chain of an unnamed maker of PDF software.

The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.

The attack was discovered by Microsoft experts who received alerts from Windows Defender ATP.

Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.

The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.

The compromise lasted between January and March 2018. According to the tech giant, the hackers compromised only a small number of machines, which could indicate that the companies working with the font package provider have a small market share.

This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.

“A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case.” reads the analysis published by Microsoft.

“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”

The hackers cloned the infrastructure of the company that develops the PDF Editor: they set up a server containing all the MSI files, including font packages, all clean and digitally signed.

The hackers poisoned an MSI file associated with an Asian fonts pack with a crypto miner, then devised a technique to influence the download of the font by the PDF Editor from the attackers’ server.

Once a victim installs the PDF editor app, the application installs the font packages from the cloned server managed by the attackers, including the tainted one.

Below is the multi-tier attack as described by Microsoft:

  1. Attackers recreated the software partner’s infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica server.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server.

The attackers targeted the supply chain by hiding the miner in an installer, so that it runs with full elevated privileges (SYSTEM) on the machine.

The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.

The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.
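Two of the behaviours above are easy to check for on an endpoint: a font MSI download parameter that no longer points at the software partner's host (steps 3 and 4 of the chain), and a hosts file that sinkholes update or security-vendor domains. The following Python is an added example, not code from Microsoft or the vendors involved; the partner host, the watched domains, the download URLs and the hosts file content are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts the app is expected to fetch font MSIs from.
EXPECTED_DOWNLOAD_HOSTS = {"fonts.example-partner.com"}

# Assumed update/security domains whose redirection would be suspicious.
WATCHED_DOMAINS = {"update.example-pdfeditor.com", "update.example-av.com"}

# Addresses commonly used to sinkhole a name in a hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def hijacked_download_urls(download_params):
    """Return download URLs whose host is not an expected partner host."""
    bad = []
    for url in download_params:
        host = (urlparse(url).hostname or "").lower()
        if host not in EXPECTED_DOWNLOAD_HOSTS:
            bad.append(url)
    return bad


def hosts_file_blocks(hosts_text):
    """Return watched domains that the hosts file maps to a sinkhole address."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        if ip in SINKHOLE_IPS:
            blocked.update(n.lower() for n in names if n.lower() in WATCHED_DOMAINS)
    return sorted(blocked)


# Constructed sample data, not real indicators from the incident.
SAMPLE_PARAMS = [
    "https://fonts.example-partner.com/msi/asian-fonts.msi",
    "https://replica.example-attacker.net/msi/asian-fonts.msi",
]
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         update.example-pdfeditor.com
127.0.0.1       update.example-av.com   # appended after install
"""

if __name__ == "__main__":
    print(hijacked_download_urls(SAMPLE_PARAMS))
    print(hosts_file_blocks(SAMPLE_HOSTS))
```

On a real Windows host the second check would be run over C:\Windows\System32\drivers\etc\hosts, with the watched list filled from the update domains your own software and security tooling actually use.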


Pierluigi Paganini

(Security Affairs – supply chain, hacking)

