Recent reports indicate that the banking sector has become the focus of threat actors using an emerging type of supply-chain attack. Two distinct incidents have been identified, each involving its own tactics and threat actor.
Many organizations run vulnerability scanning only during the development phase of the Software Development Life Cycle (SDLC), which is inadequate against the threats they now face.
This was the first instance in which two open-source software supply-chain attacks were explicitly identified as targeting banks.
First Incident in Banking Sector
The first incident, in early April, involved a couple of npm packages developed and uploaded by the threat actor. These packages include a preinstall script that is executed automatically during installation.
The package contributor was linked to a LinkedIn profile that impersonated an employee of the targeted bank.
Once the malicious package is executed, it first collects information about the operating system, which it uses to decode the relevant encrypted files.
The decoded files are then used to download a second-stage malicious binary.
Moreover, VirusTotal, a widely used malware scanning service, did not detect the Linux-specific second-stage binary.
This gave the threat actor an advantage in remaining undetected and succeeding in the intrusion.
In addition, the threat actor used an Azure subdomain that incorporated the name of the targeted bank. This provided a convenient attack surface, as Azure domains are whitelisted by default in many environments.
Finally, the attacker used the Havoc Framework for the second stage of the attack. Havoc Framework, developed by @C5pider, is an advanced post-exploitation framework capable of managing, coordinating, and modifying attacks.
Second Incident
The second attack took place in February 2023, when another bank was targeted by a different threat group entirely unrelated to the April attack.
This attack also involved a carefully crafted npm package, designed so that it lies dormant on the bank's login page and does nothing until triggered.
Further investigation revealed that the payload located a unique element ID in the HTML of the login page and attached itself to a specific login form element, which allowed it to collect login data without being detected.
The element was later traced back to a mobile login page of the bank, which was the threat actors' prime target.
Indicators of Compromise
- 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
- d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
- f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
- 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
- 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf
- hxxp[:]//*[:]azureedge[:]net/AnnyPhaedra.bin
- hxxp[:]//*[:]azureedge[:]net/KellinaCordey.bin
- hxxp[:]//*[:]azureedge[:]net/MidgeWileen.bin
Organizations are advised to review and strengthen their security measures to prevent this kind of supply-chain attack.