Banking Sector Targeted in Open-Source Software Supply Chain Attacks

July 24, 2023 | THN | Supply chain / cyber attack

Software supply chain attack

Cybersecurity researchers say they have discovered what is believed to be the first open source software supply chain attack specifically targeting the banking sector.

In a report released last week, Checkmarx said: "These attacks displayed a level of sophistication in that they targeted specific components within the victim bank's web properties, adding malicious functionality to them."

"The attackers employed deceptive tactics, such as creating fake LinkedIn profiles to appear credible and building a customized command and control (C2) center for each target, and abused legitimate services for illicit activities."

The npm packages have since been reported and removed from the registry; their names have not been disclosed.

In the initial attack, the malware author allegedly uploaded several packages to the npm registry in early April 2023, posing as an employee of the targeted bank. The modules carry a preinstall script, an npm lifecycle hook that runs automatically during installation, which starts the infection chain. To complete the ruse, the attackers created a fake LinkedIn profile for the supposed employee.

When the script runs, it determines whether the host operating system is Windows, Linux, or macOS and then downloads the second-stage malware from an Azure CDN subdomain that incorporates the targeted bank's name.

"The attackers successfully leveraged Azure's CDN subdomains to effectively deliver their second stage payload," the Checkmarx researchers said. "This tactic is especially smart because Azure is a legitimate service, so it bypasses the traditional deny list method."

The second-stage payload used in the intrusion was Havoc, an open source command and control (C2) framework that has drawn interest from threat actors as an alternative to more heavily detected tooling such as Cobalt Strike, Sliver, and Brute Ratel.

In an unrelated attack against another bank, detected in February 2023, the attacker uploaded a package to npm that was "well-designed to blend in with the victim bank's website and remain dormant until prompted to start working."

Specifically, it was designed to covertly intercept login data and exfiltrate the details to attacker-controlled infrastructure.

“Supply chain security revolves around securing the entire process of creating and distributing software, from the early stages of development through delivery to the end user,” the company said.


“Once a malicious open-source package enters the pipeline, it is essentially an instant compromise, rendering subsequent countermeasures ineffective. In other words, the damage is done.”

Separately, F.A.C.C.T. (Group-IB's former Russian business) said it tracked the Russian-speaking cybercriminal group RedCurl, which infiltrated a large unnamed Russian bank and an Australian company in November 2022 and May 2023 respectively, siphoning trade secrets and employee information as part of a sophisticated phishing campaign.

"Over the past four and a half years, the Russian-speaking group RedCurl has [...] carried out at least 34 attacks against companies in the UK, Germany, Canada, Norway, Ukraine and Australia," the company said.

“More than half of the attacks (20) were against Russia. Victims of cyber espionage included construction companies, financial firms, consulting firms, retailers, banks, insurance companies, and legal bodies.”

Financial institutions have also been targeted by attacks that use a web-inject toolkit called drIBAN to bypass the identity verification and fraud prevention mechanisms banks rely on, and to perform fraudulent transactions directly from the victim's computer.

"The core function of drIBAN is the ATS engine (Automated Transfer System)," Cleafy researchers Federico Valentini and Alessandro Strino noted in an analysis published on July 18, 2023.

"ATS is a type of web-inject that alters legitimate bank transfers made by users on the fly, changing the payee and transferring the funds to fraudulent bank accounts controlled by the threat actor (TA) or its affiliates, who are then responsible for processing and laundering the stolen funds."
