Crooks mounted a crypto-mining scam after hacking into a supplier of an unnamed PDF editor software vendor.
Microsoft has reported that as-yet-unidentified hackers compromised some font packages installed by a PDF editor app. The hack was used to push two types of crypto-currency mining app, the cybercrime du jour.
Redmond's security response team got wind of the attack after following up alerts generated by Windows Defender ATP, the commercial version of the Windows Defender antivirus.
Subsequent investigations revealed that miscreants broke into cloud-based infrastructure of a supplier to the app maker and others with font packages in the form of MSI files. Six additional app vendors may have been at risk of being redirected to download installation packages from the attacker's server. None but the PDF app maker are confirmed as victims.
It seems that the unnamed PDF package was targeted for attack as part of a money-making racket. The app vendor itself was not compromised, rather its partner was pwned before poison was poured into the software mix further upstream.
Hackers created a copy of the partner's cloud-based servers before pushing a tainted MSI files download, hidden among unassuming files.
"The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation," Microsoft explained. "All the MSI files were clean and digitally signed by the same legitimate company – except for the one malicious file.
"The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin-mining code.
"Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the [PDF editor] app. The parameters included a new download link that pointed to the attacker server."
Tricksy, but let's not start thinking the caper was the work of ninja black hats.
"This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources," Microsoft added.
Asian users of the PDF editor app ended up downloading a tainted font package that bundled crypto-mining code, which hijacked resources on infected PCs to mine Monero, as per many other crypto mining scams.
The whole exercise is a fine example of a supply chain attack, which was also used to spread the NotPetya ransomware last year. The same tactic was also recently used to serve up spyware disguised as the CCleaner utility in a more subtle cyber-espionage operation.
In the case in point, a PDF editor app loaded with a doctored font was installed with admin privileges, which goes some way towards explaining why the app maker might have been targeted in the first place.
Microsoft reckons the compromise lasted between January and March 2018, and affected only a small number of users, strongly suggesting a fringe developer was targeted.
Redmond concluded: "While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetising malware campaigns." ®