Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users’ computers.
The OS maker discovered the incident after its staff received alerts from Windows Defender ATP, Microsoft’s enterprise endpoint detection and response service, which is built on telemetry from the Windows Defender antivirus.
Microsoft employees say they investigated the alerts and traced them to a software company that distributes font packages as MSI files from its cloud servers. These MSI files were offered to other software companies, which bundle or fetch them during their own installers.
One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company’s cloud servers during the editor’s installation routine.
Hackers created a copy of the company’s cloud servers
“Attackers recreated the [first company’s] infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font packages, all clean and digitally signed, in the replica server,” Microsoft’s security researchers said.
“The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code,” they added.
“Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the [PDF editor] app. The parameters included a new download link that pointed to the attacker server,” Microsoft said.
Users who downloaded and ran the PDF editor app would unknowingly install the font packages, including the malicious one, from the hackers’ cloned server.
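The weak point described above is an installer that fetches packages at run time from a location it reads out of untrusted download parameters. The following Python is an added example and not code from the page or from Microsoft’s report; the vendor host name, the replica server name and the MSI bytes are constructed stand-ins, because Microsoft named none of them. It shows the two checks a hardened download step would apply: the download host is pinned to an allowlist, so a parameter rewritten to point at a replica server is refused before anything is fetched, and the fetched package is compared against a SHA-256 digest pinned at build time, so a package rebuilt with extra code is refused even if the host check were bypassed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical vendor host. Microsoft did not name the vendors, the download
# URLs or the MSI files, so these are stand-ins.
ALLOWED_HOSTS = {"fonts.example-vendor.invalid"}

# Constructed stand-in for the clean, vendor-signed font-pack MSI; a real
# installer pins the SHA-256 of the real file when the installer is built.
CLEAN_MSI = b"MSI-FONTPACK-ASIAN-v1"
PINNED_SHA256 = hashlib.sha256(CLEAN_MSI).hexdigest()


class DownloadRejected(Exception):
    """Raised when a download location or payload fails a pinned check."""


def check_download_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Accept only HTTPS URLs whose host is one of the pinned vendor hosts.

    Download parameters read at install time are treated as untrusted input:
    a rewritten parameter pointing at a replica server is refused here,
    before anything is fetched.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise DownloadRejected(f"non-HTTPS download URL: {url}")
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise DownloadRejected(f"download host not in allowlist: {host!r}")
    return url


def check_payload(payload: bytes, pinned_sha256: str = PINNED_SHA256) -> bytes:
    """Accept the fetched MSI only if its SHA-256 matches the build-time pin.

    Adding a payload to the MSI changes its digest, so this catches a
    tampered package even when the host check has been bypassed.
    """
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise DownloadRejected(f"SHA-256 mismatch: got {digest[:16]}..., "
                               f"expected {pinned_sha256[:16]}...")
    return payload


def install_font_pack(url: str, fetch) -> str:
    """Hardened download step: validate the URL, fetch, verify, then install.

    `fetch` is a callable returning the bytes served for `url`; it is
    injected so the flow can be exercised offline.
    """
    check_download_url(url)
    payload = check_payload(fetch(url))
    # Running msiexec on the verified file is out of scope for this example.
    return f"installed {len(payload)} bytes from {url}"


def attempt(url: str, served: bytes) -> str:
    """Run the hardened step against a server that returns `served`."""
    try:
        return install_font_pack(url, lambda _u: served)
    except DownloadRejected as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    # Legitimate flow: vendor host, unmodified package.
    print(attempt("https://fonts.example-vendor.invalid/asian-fonts.msi", CLEAN_MSI))
    # Parameters rewritten to point at the attacker-controlled replica server.
    print(attempt("https://replica.attacker.invalid/asian-fonts.msi", CLEAN_MSI))
    # Correct host, but the package has been rebuilt with a miner appended.
    print(attempt("https://fonts.example-vendor.invalid/asian-fonts.msi",
                  CLEAN_MSI + b"+coinminer"))
```

A digest pin is the strictest check and the right one for a fixed set of packages shipped with a known installer build. Where the packages are updated independently of the installer, the equivalent on Windows is to verify the Authenticode signature of each downloaded MSI (for instance with PowerShell’s Get-AuthenticodeSignature) and require that the signer be the expected vendor, which is exactly the property the tampered font pack in this incident no longer had.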
Supply chain attack within a supply chain
Because the PDF editor’s installer ran with SYSTEM privileges, the coin-mining code hidden inside the font package executed with those same privileges and had full access to the victim’s system.
The miner ran as a process named xbox-service.exe and used the victims’ computers to mine cryptocurrency.
Microsoft said Windows Defender ATP detected mining-specific behavior from this process. Investigators then tracked down the origin of this process to the PDF editor app installer and the MSI font packages.
Security researchers said it was easy to pick out the malicious MSI font package: all the other MSI files still carried the original software company’s valid digital signature, while the one the crooks had rebuilt with the coin miner inside no longer had a valid signature.
The miner also stood out to investigators because it tried to modify the Windows hosts file in a crude attempt to sinkhole the update traffic of various security products. Editing the hosts file is a well-known tampering technique, and most antivirus software flags the operation as suspicious or malicious.
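The hosts-file edit described above is also easy to check for after the fact. The following Python is an added example, not code from the page or from Microsoft’s report: it parses a hosts file, skips the names that legitimately point at loopback, and reports every other host name that has been mapped to a sinkhole address (0.0.0.0, 127.x.x.x, :: or ::1), which is the signature of an entry added to block a domain. The sample hosts file and the security-vendor domains in it are constructed for the example; Microsoft did not publish the domains the miner targeted.

```python
import ipaddress
from pathlib import Path

# Windows keeps the hosts file here; the miner described above edited it.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Addresses that make a name resolve to nowhere useful: the classic way to
# block a domain from the hosts file.
SINKHOLE_NETS = (
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::/128"),
    ipaddress.ip_network("::1/128"),
)

# Names that legitimately point at loopback on a stock system.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every active mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments
        fields = entry.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a hosts mapping
        for name in fields[1:]:
            yield line_no, addr, name.lower()


def find_sinkholes(text: str):
    """Return [(line_no, address, hostname)] for every non-local name that
    the hosts file sends to a sinkhole address."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if any(addr in net for net in SINKHOLE_NETS):
            findings.append((line_no, str(addr), name))
    return findings


def audit_hosts_file(path: Path = WINDOWS_HOSTS):
    """Audit the live hosts file; an empty list means no sinkhole entries."""
    return find_sinkholes(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: the stock Windows hosts file (comments only) plus two
# injected lines of the kind a hosts-file sinkhole would leave behind.
# The security-vendor domains are hypothetical.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "# localhost name resolution is handled within DNS itself.",
    "#\t127.0.0.1       localhost",
    "#\t::1             localhost",
    "0.0.0.0 update.security-vendor.invalid   # injected",
    "127.0.0.1 download.security-vendor.invalid definitions.security-vendor.invalid",
    "::1 localhost",   # benign loopback entry, must not be flagged
])

if __name__ == "__main__":
    for line_no, addr, name in find_sinkholes(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} (sinkholed)")
```

On a live Windows machine, audit_hosts_file() reads the real file; a stock install has no active mappings at all, so any finding deserves a look. For ongoing monitoring, pair this with a baseline hash of the file or with the antivirus tamper alerts mentioned above, since an attacker can also redirect a domain to an address that is not a sinkhole.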
Microsoft did not reveal the names of the two software companies involved in this incident. The OS maker says the compromise lasted between January and March 2018, and affected only a small number of users, suggesting the hacked companies aren’t big names on the PDF software market.
Indicators of compromise are available in Microsoft’s report on the attack.