Freely subscribe to our NEWSLETTER

• These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it.
• The attackers employed deceptive tactics such as creating fake LinkedIn profile to appear credible and customized command and control (C2) centres for each target, exploiting legitimate services for illicit activities.
• The malicious open source packages have been reported on by our team and removed. However, we predict a persistent trend of attacks against the banking sector’s software supply chain to continue.
• Current controls aimed at detecting and managing known vulnerabilities fall short in countering these new attacks. Industry-wide collaboration is essential to strengthen our defences against these attacks.
• Checkmarx’s Supply Chain Intelligence customers are protected against these attacks.

In the rapidly evolving landscape of cybersecurity, adaptability is not just desired - it’s necessary for survival. The banking industry has recently become the target of a new type of cyber threat. For the first time ever, the industry was explicitly targeted by two distinct open-source software supply chain attacks.

Dissecting Attack Number One
On the 5th and 7th of April, a threat actor leveraged the NPM platform to upload a couple of packages containing within them a preinstall script that executed its malicious objective upon installation.

Employee Spoofing
Interestingly, the contributor behind these packages was linked to a LinkedIn profile page of an individual that was posing as an employee of the targeted bank. Our initial assumption was that this may be a penetration testing exercise by the bank. However, the response we received upon contacting the institution for clarification painted a different picture — the bank wasn’t aware of this activity.

Multi-Stage Attack
The first stage of the attack involved the script identifying the victim’s operating system: Windows, Linux, or Darwin (MacOS). Then, based on the result, the script proceeded to decode the relevant encrypted files included in the NPM package.

Once decoded, these files served a single ominous purpose: downloading a second-stage malicious binary onto the victim’s system.

Customized Malware to Remain Undetected
During our investigation, we discovered that the Linux-specific encrypted file was not flagged as malicious by VirusTotal, a widely used online service for scanning files for known viruses. This allowed the attacker to maintain a covert presence on Linux systems, minimizing the risk of detection, and increasing the probability of success.

Exploiting Legitimate Domains to Bypass Defense Mechanisms
The attacker cleverly utilized Azure’s CDN subdomains to effectively deliver the second-stage payload. This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure’s status as a legitimate service.
The attacker went a step further, carefully choosing a subdomain on Azure that incorporated the name of the targeted bank. This move not only helped to remain undetected but also added a layer of credibility to the malicious package, thereby increasing the chances of a successful breach.

The Havoc Framework: An Attacker’s Power Tool
The Havoc Framework was the attacker’s tool of choice for the second stage of this attack. Crafted by @C5pider, this advanced post-exploitation command and control framework serves as a powerful arsenal for managing, coordinating, and modifying attacks to bypass changing situations, and stringent security measures.
Havoc’s ability to evade standard defences, like Windows Defender, makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel.

Summary of the Sequence of Events in the First Attack

Dissecting Attack Number Two
A Second Assault: Different Bank, Different Threat Actor
In February 2023, another bank found itself in the crosshairs of a different group of cybercriminals. Unrelated to the first incident, this attack implemented its own unique strategies and techniques which was only picked up by our Machine Learning Engines.
Hooking to the login page
The threat actors uploaded a package to NPM containing a masterfully crafted payload. This malicious code was meticulously designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action.
The payload revealed that the attacker had identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.

This code hooks itself to a specific login form element on the web page (Line 137) and sends the login data to a remote location (Line 140).
Our rigorous scanning and tracking traced this element to a bank’s mobile login page, the prime target of this attack.

Summary of the Sequence of Events in the Second

Shifting Gears in the Perception of Supply Chain Security
Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user.
Traditionally, organizations primarily focused on vulnerability scanning at the build level — a practice no longer adequate in the face of today’s advanced cyber threats. Once a malicious open-source package enters the pipeline, it’s essentially an instantaneous breach — rendering any subsequent countermeasures ineffective. In other words, the damage is done.
This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place.
In this context, it’s paramount for organizations to realize that they cannot treat malicious packages the same way as regular vulnerabilities. They need to adopt a proactive, integrated security architecture, incorporating protective measures at every stage of the SDLC.

Conclusion
We anticipate a steady escalation in targeted attacks, including on banks. Our primary intention with this blog is to shine a light on the Tactics, Techniques, and Procedures (TTP) we’ve observed and foster collective understanding and awareness of these emerging threats. The need of the hour is to stay vigilant, continuously evolve our defences, and stay a step ahead of the threat actors.
Checkmarx Supply chain research team is tracking those attacks and will update on any further developments.
Working together to keep the ecosystem safe.
IOC
• 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
• d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
• f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
• 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
• 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf
• hxxp[:]//*[:]azureedge[:]net/AnnyPhaedra.bin
• hxxp[:]//*[:]azureedge[:]net/KellinaCordey.bin
• hxxp[:]//*[:]azureedge[:]net/MidgeWileen.bin