Researchers with Israeli application security provider Checkmarx have uncovered several open-source software supply chain attacks that targeted the banking sector.
Checkmarx’s report details two such attacks against banks involving malicious libraries on the NPM repository. In the first incident, a threat actor uploaded a package to NPM containing posing as a bank employee. The package contained a preinstall script that executed its malicious objective upon installation.
“The first stage of the attack involved the script identifying the victim’s operating system: Windows, Linux, or Darwin (MacOS). Then, based on the result, the script proceeded to decode the relevant encrypted files included in the NPM package,” the report says.
The script then downloaded the second-stage malware, the Havoc Framework, from a remote server by using Azure’s CDN subdomain that includes the name of the targeted bank.
Havoc is a post-exploitation command and control framework used for managing, coordinating, and modifying attacks to bypass changing situations, and stringent security measures.
“Havoc’s ability to evade standard defenses, like Windows Defender, makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel,” the researchers noted.
The second attack (unrelated to the first campaign) also used unique strategies and techniques. In this attack, a threat actor downloaded a malicious library to NPM containing code intended to blend into the website of the victim bank and lay dormant until it was prompted to spring into action. It was designed to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.
The offending packages have been reported to the NPM team and removed from the repository.
“It’s paramount for organizations to realize that they cannot treat malicious packages the same way as regular vulnerabilities. They need to adopt a proactive, integrated security architecture, incorporating protective measures at every stage of the SDLC,” the security firm commented.