PDFescape install chain delivered coin miner
Microsoft and Comodo tied PDFescape Desktop to a 2018 multi-tier supply-chain attack in which a legitimate installer pulled a poisoned Asian-font MSI from cloned partner infrastructure and installed cryptocurrency-mining malware.
Story
The PDFescape case is more subtle than a backdoored download button. Microsoft described it as a supply-chain compromise inside another supply chain: the PDF editor vendor's own systems were not the point of compromise, but its installer depended on a software partner that supplied additional font packages during setup.
Attackers recreated the partner's package infrastructure on a server they controlled, copied the legitimate MSI font packages, and modified one Asian-font MSI. An unspecified weakness let them influence the download parameters used by the PDF editor installer, so the legitimate installer reached the attacker-controlled replica server for that package.
Comodo later identified the visible application as PDFescape Desktop and described the package as pdfescape-desktop-Asian-and-extended-font-pack.msi. The malicious MSI dropped xbox-service.exe into System32, ran a DLL disguised as setup.log through rundll32, and launched a Monero miner under the cover of a normal PDFescape installation.
The payload also tried to modify the Windows hosts file to block update or remediation traffic for PDF-related applications and security software. Microsoft saw evidence that the campaign was active between January and March 2018, affected only a handful of observed machines, and was automatically remediated for Windows Defender ATP customers.
The trust boundary is the point. Users did not install a fake PDF editor from an obvious clone site. They ran a legitimate PDFescape installer, and a second-tier package dependency inside that setup flow delivered the miner.
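Two of the behaviours described above leave traces in ordinary endpoint telemetry: rundll32 being handed a module whose name does not end in .dll (the setup.log trick) and a write to the hosts file by a process that has no business touching it. The checks below are an added defender-side example, not code from the Microsoft or Comodo writeups; the Sysmon-style event fields and the sample paths are assumptions, and the events are constructed rather than captured from the incident.

```python
"""Heuristic checks for two behaviours seen in the PDFescape installer chain:
rundll32 loading a non-.dll module, and a hosts-file modification.
Events are constructed, Sysmon-like dicts (field names are assumptions)."""
import ntpath  # Windows path handling regardless of the host OS

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"

# Constructed sample telemetry, not real logs from the incident.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\u\Downloads\PDFescape.exe",
     "cmdline": "msiexec /i font-pack.msi"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\setup.log",Start'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign baseline
    {"type": "file_write", "image": r"C:\Windows\System32\xbox-service.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
]


def rundll32_module(cmdline):
    """Return the module rundll32 was asked to load: the text after the
    executable and before the ',EntryPoint' separator, quotes stripped."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def detect(events):
    """Return (rule, detail) tuples for events matching either heuristic."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if ev["type"] == "process" and image == "rundll32.exe":
            module = rundll32_module(ev["cmdline"])
            # A DLL disguised with another extension still loads fine; flag it.
            if module and not module.lower().endswith(".dll"):
                alerts.append(("rundll32_non_dll_module", module))
        elif ev["type"] == "file_write" and ev["target"].lower() == HOSTS_PATH:
            # Any hosts-file write deserves review; allow-list known admin tools.
            alerts.append(("hosts_file_modified", ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign shell32.dll invocation produces no alert, so the rundll32 rule keys on the module extension rather than on rundll32 itself.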
Affected Artifacts
- Observed: 2018-01-01 to 2018-03-31
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha256:a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
  - sha256:ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
  - sha256:23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
  - (4 more not shown)
- Evidence: hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi; files: xbox-service.exe, pagefile.sys, setup.log.dll (5 more not shown)
- Microsoft did not name the PDF editor vendor, but Comodo's later writeup identified the visible software as PDFescape Desktop and matched the MSI font-package chain.
- Microsoft estimated the active compromise window as January through March 2018 and described the observed victim population as a handful of targeted computers.
Incident Context
- Motive: Financial Gain
- Cause: Compromised Dependency
- Transitive: No
External References
- Attack inception: Compromised supply chain within a supply chain poses new risks (microsoft.com)
- Evil clone to attack users: how cybercrooks use legitimate software to spread cryptominers (blog.comodo.com)
- Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software (bleepingcomputer.com)
- Evil Clone Attack - Legitimate PDF Software Used to Spread Cryptominers (gbhackers.com)
- Broken Links - Emergence and Future of Software Supply Chain Compromises (blackhat.com)
Source record: proprietary/pdfescape/meta.yaml