Cybersecurity researchers said they have discovered what they say is the first open-source software supply chain attacks specifically targeting the banking sector.
"These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said in a report published last week.
"The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities."
The npm packages have since been reported and taken down. The names of the packages were not disclosed.
In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the ruse, the threat actor behind it created a fake LinkedIn profile.
Once launched, the script determined the host operating system to see if it was Windows, Linux, or macOS, and proceeded to download a second-stage malware from a remote server by using a subdomain on Azure that incorporated the name of the bank in question.
"The attacker cleverly utilized Azure's CDN subdomains to effectively deliver the second-stage payload," Checkmarx researchers said. "This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure's status as a legitimate service."
The second-stage payload used in the intrusion is Havoc, an open-source command-and-control (C2) framework that has increasingly come under the radar of malicious actors looking to sidestep detection stemming from the use of Cobalt Strike, Sliver, and Brute Ratel.
In an unrelated attack detected in February 2023 targeting a different bank, the adversary uploaded to npm a package that was "meticulously designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action."
Specifically, it was engineered to covertly intercept login data and exfiltrate the details to an actor-controlled infrastructure.
"Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user," the company said.
"Once a malicious open-source package enters the pipeline, it's essentially an instantaneous breach – rendering any subsequent countermeasures ineffective. In other words, the damage is done."
The development comes as the Russian-speaking cybercrime group RedCurl breached an unnamed major Russian bank and an Australian company in November 2022 and May 2023 to siphon corporate secrets and employee information as part of a sophisticated phishing campaign, Group-IB's Russian arm, F.A.C.C.T., said.
"Over the past four and a half years, the Russian-speaking group Red Curl [...] has carried out at least 34 attacks on companies from the UK, Germany, Canada, Norway, Ukraine, and Australia," the company said.
"More than half of the attacks – 20 – fell on Russia. Among the victims of cyber spies were construction, financial, consulting companies, retailers, banks, insurance, and legal organizations."
Financial institutions have also been at the receiving end of attacks leveraging a web-inject toolkit called drIBAN to perform unauthorized transactions from a victim's computer in a manner that circumvents identity verification and anti-fraud mechanisms adopted by banks.
"The core functionality of drIBAN is the ATS engine (Automatic Transfer System)," Cleafy researchers Federico Valentini and Alessandro Strino noted in an analysis released on July 18, 2023.
"ATS is a class of web injects that alters on-the-fly legitimate banking transfers performed by the user, changing the beneficiary and transferring money to an illegitimate bank account controlled by TA or affiliates, which are then responsible for handling and laundering the stolen money."
