Attackers abused the website of a Ukraine-based accounting software developer to serve banking malware to unsuspecting users.

The attack occurred in August 2017 around the Independence Day holiday in Ukraine. At around that time, unknown individuals hacked the website for Crystal Finance Millennium (CFM), a Ukrainian company which provides accounting software along with other services. Those bad actors subsequently leveraged their unauthorized access to host all kinds of malware, including the Smoke Loader downloader and PSCrypt ransomware.

It’s not clear just how the malefactors compromised CFM’s website. Their method of attack isn’t a new one, however. As Cisco’s Talos researchers explain:

Websites being compromised to serve malicious content is common and it appears that CFM’s website was leveraged in the same way. This can be achieved through exploitation of existing vulnerabilities in server-side software or brute-forcing weak credentials, allowing attackers to gain remote administrative access. The fact that it is an accounting software company in Ukraine and the timing of the attack increased visibility.

CFM isn’t the first Ukrainian accounting software company to suffer a compromise in recent history, after all. In June 2017, researchers discovered that MeDoc, a small Ukrainian financial technology company which also makes accounting software, experienced a hack through which attackers gained access to its update servers. The nefarious individuals then used those servers to push out a software update infected with NotPetya. That wiper malware spread to other machines using EternalBlue, the same Microsoft vulnerability exploited by WannaCry ransomware less than two months previously.

Unlike MeDoc, bad actors didn’t compromise CFM’s update servers. They used the firm’s website only to distribute malware retrieved from malware downloaders as part of an email spam campaign. The accounting software company’s website was just one of the domains used to host the malware payload.

Downloader Code Snippet (Source: (Read more...)