The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.
The attack was discovered by the experts from Microsoft that received alerts via the Windows Defender ATP.
Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.
The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.
The compromise lasted between January and March 2018, according to the tech giant the hackers compromised only a small number of machines, this could indicate that the hacked companies working with the font package provider have a small market share.
This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.
“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”
The hackers cloned the infrastructure of the company that develops the PDF Editor, they set up a server containing all MSI files, including font packages, all clean and digitally signed.
The hackers poisoned an MSI file associated with an Asian fonts pack with a crypto miner, then devised a technique to influence the download of the font by the PDF Editor from the attackers’ server.
Once the victims have installed the PDF editor app, the application will install the font packages from the cloned server managed by the attackers, including the tainted one.
Below the multi-tier attack described by Microsoft:
The attackers have targeted the supply chain by hiding the miner in an installer to have full elevated privileges (SYSTEM) on a machine.
The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.
The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.