EmEditor Website Hacked to Distribute Infostealer Malware

Emurasoft's EmEditor Website Compromised to Serve Infostealer-Laden Installers

HIGH
January 6, 2026
6m read
Malware, Supply Chain Attack, Cyberattack

Related Entities

Products & Tech

EmEditor

Other

Emurasoft, Infostealer

Full Report

Executive Summary

Emurasoft, the developer of the widely used EmEditor text editor, reported a security breach affecting its official website. For four days, attackers controlled the site and modified the homepage's download link to point to a malicious installer. When executed, this trojanized installer deployed infostealer malware onto the victim's system. The malware's primary functions were to harvest credentials from browsers and other applications and to install a malicious browser extension. That extension gave the attackers remote control over the victim's browser and was designed to facilitate cryptocurrency swapping fraud. The incident is a classic example of a watering hole attack targeting a trusted software distribution point.

Threat Overview

The attackers targeted the EmEditor website, a trusted source for developers and power users, turning it into a malware distribution platform. This type of supply chain attack, which compromises the distribution method rather than the software code itself, is highly effective as it leverages the trust users have in the software vendor.

For a period of four days, any user clicking the main download button on the emeditor.com homepage received a malicious executable instead of the legitimate installer. The attack flow was as follows:

  1. Website Compromise: Attackers gained access to the EmEditor website, likely by exploiting a vulnerability in the web server or its content management system (CMS).
  2. Download Hijacking: The attackers modified the hyperlink for the download button to redirect users to their own server.
  3. Malware Execution: The user downloads and runs the fake installer, which may have installed the legitimate EmEditor software alongside the malware to avoid suspicion.
  4. Infostealer Deployment: The primary payload, an information-stealing trojan, is executed. It scours the system for saved credentials, cookies, and other sensitive data.
  5. Browser Extension Installation: A secondary payload, a rogue browser extension, is installed to establish persistence and enable further malicious activity.

Technical Analysis

The malware deployed was a potent infostealer. These trojans are designed to systematically collect a wide variety of sensitive information from a victim's machine, including:

  • Saved usernames and passwords from web browsers
  • Session cookies
  • Cryptocurrency wallet files
  • FTP client credentials

The addition of a malicious browser extension is a significant escalation. It gives the attackers a persistent foothold inside the most-used application on the system. Such an extension can inject content into web pages, intercept form submissions, and carry out the reported 'cryptocurrency swapping' by replacing the legitimate destination wallet address with an attacker-controlled one while a transaction is being entered.

MITRE ATT&CK Techniques

Impact Assessment

Users who downloaded EmEditor during the four-day window and executed the malicious installer are at high risk. Their system credentials, financial information, and cryptocurrency assets may have been compromised. The impact on Emurasoft is severe reputational damage. Trust in their software and distribution process is undermined, which can lead to a loss of customers. The company also had to expend resources to investigate the breach, secure their website, and communicate with their user base.

Detection & Response

  • File Hashing: Users who downloaded the software during the affected period should verify the SHA256 hash of their installer against the official hash published by Emurasoft. Any mismatch indicates a malicious file.
  • Browser Extension Audit: Users should immediately audit all installed browser extensions (chrome://extensions, edge://extensions, etc.) and remove any that are unrecognized or suspicious.
  • Antivirus Scan: Run a full system scan with a reputable antivirus or anti-malware solution to detect and remove the infostealer.
  • Credential Reset: As a precaution, any user who may have been affected should change passwords for all important online accounts (email, banking, etc.).
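The extension audit above can be scripted rather than done by eye. The following is an added example, not code from the article or from Emurasoft: it walks the per-user extension folders of Chrome and Edge, reads each manifest, and flags extensions that are not on an allow-list or that request permissions broad enough to read and rewrite every page (which is what a wallet-address-swapping extension needs). It also lists extensions pushed through the ExtensionInstallForcelist policy keys, because those cannot be removed from the browser UI. The profile paths assume the default profile, and the allow-list entry is a placeholder.

```powershell
# Added example: audit Chromium-based browser extensions for the current user.
# Not part of the article; paths assume default Chrome/Edge profiles on Windows.

$KnownGood = @(
    'PLACEHOLDER_EXTENSION_ID'   # replace with ids your organisation approves
)

# Permissions that allow reading or altering arbitrary pages and requests.
$HighRiskPermissions = @('<all_urls>', 'webRequest', 'webRequestBlocking',
                         'scripting', 'declarativeNetRequest', 'tabs', 'cookies')

$ExtensionRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)

function Get-InstalledExtensions {
    foreach ($root in $ExtensionRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($idDir in Get-ChildItem -Path $root -Directory) {
            # Each extension id folder holds one sub-folder per installed version.
            foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
                $perms = @()
                if ($m.permissions)      { $perms += $m.permissions }      # MV2 and MV3
                if ($m.host_permissions) { $perms += $m.host_permissions } # MV3 host patterns
                [pscustomobject]@{
                    Browser     = if ($root -like '*Edge*') { 'Edge' } else { 'Chrome' }
                    Id          = $idDir.Name
                    Name        = $m.name      # may be a localisation key like __MSG_appName__
                    Version     = $m.version
                    Permissions = @($perms | ForEach-Object { "$_" })
                    Path        = $verDir.FullName
                }
            }
        }
    }
}

foreach ($e in Get-InstalledExtensions) {
    # Host patterns such as *://*/* are as broad as <all_urls>.
    $risky = $e.Permissions | Where-Object { $HighRiskPermissions -contains $_ -or $_ -like '*://*/*' }
    $flags = @()
    if ($KnownGood -notcontains $e.Id) { $flags += 'NOT-ON-ALLOWLIST' }
    if ($risky) { $flags += "BROAD-PERMISSIONS($($risky -join ','))" }
    $status = if ($flags) { $flags -join ' ' } else { 'ok' }
    '{0,-6} {1,-32} {2,-30} {3}' -f $e.Browser, $e.Id, $e.Name, $status
}

# Policy-installed extensions show no remove button in the browser, so list them separately.
$ForceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $ForceListKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($valueName in $reg.GetValueNames()) {
        "FORCE-INSTALLED via $key : $($reg.GetValue($valueName))"
    }
}
```

Anything reported as NOT-ON-ALLOWLIST with broad permissions, or as FORCE-INSTALLED by a policy your organisation did not set, is worth removing and investigating; the Path column points at the folder whose contents can be preserved for analysis before removal.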

Mitigation

  • Website Security: Web server administrators must employ robust security practices, including regular vulnerability scanning, timely patching of the server and CMS, and using a Web Application Firewall (WAF).
  • File Integrity Monitoring: Implement file integrity monitoring on the web server to alert on any unauthorized changes to website content, such as modified download links.
  • Code Signing: Software developers should digitally sign their installers. This allows users and operating systems to verify that the installer is authentic and has not been tampered with. Users should be instructed to only run installers with a valid signature from the developer. This is a key aspect of Code Signing (M1045).
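The file integrity monitoring item above is easy to prototype. What follows is an added example, not part of the article and not Emurasoft's tooling: a small PowerShell monitor that hashes every file under a web root into a baseline, reports added, removed and modified files on each later run, and additionally checks that every installer link on the homepage points at the expected host rather than a third-party server. The web root, baseline location and expected host are assumptions chosen for illustration; the baseline must live outside the web root so a site compromise cannot silently rewrite it.

```powershell
# Added example: baseline-and-diff file integrity monitor for a web root, with a
# specific check for download links redirected off-site. Not from the article.
param(
    [ValidateSet('Baseline', 'Check')] [string]$Mode = 'Check',
    [string]$WebRoot              = 'C:\inetpub\wwwroot',           # assumed web root
    [string]$BaselinePath         = 'C:\fim\webroot-baseline.json', # assumed, outside web root
    [string]$ExpectedDownloadHost = 'www.emeditor.com'              # assumed legitimate host
)

function Get-WebRootHashes {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

function Get-DownloadLinks {
    param([string]$HtmlPath)
    if (-not (Test-Path $HtmlPath)) { return @() }
    $html = Get-Content -Raw -Path $HtmlPath
    # Every href that points at an installer-like artefact.
    [regex]::Matches($html, 'href\s*=\s*"([^"]+\.(?:exe|msi|zip))"', 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value }
}

if ($Mode -eq 'Baseline') {
    Get-WebRootHashes -Root $WebRoot | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

# Load the baseline back into a hashtable keyed by relative path.
$baseline = @{}
(Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }
$current = Get-WebRootHashes -Root $WebRoot
$alerts  = @()

foreach ($f in $current.Keys) {
    if (-not $baseline.ContainsKey($f))     { $alerts += "ADDED    $f" }
    elseif ($baseline[$f] -ne $current[$f]) { $alerts += "MODIFIED $f" }
}
foreach ($f in $baseline.Keys) {
    if (-not $current.ContainsKey($f))      { $alerts += "REMOVED  $f" }
}

# Independent of the hash diff: absolute installer links must stay on the expected host.
foreach ($link in Get-DownloadLinks -HtmlPath (Join-Path $WebRoot 'index.html')) {
    if ($link -match '^https?://' -and ([uri]$link).Host -ne $ExpectedDownloadHost) {
        $alerts += "DOWNLOAD LINK POINTS OFF-SITE: $link"
    }
}

if ($alerts) {
    $alerts | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so a scheduled task or monitoring hook can raise an alert
}
"No changes against baseline."
```

Run it once with `-Mode Baseline` immediately after a known-good deployment, then schedule `-Mode Check` at a short interval; the four-day exposure described in this report is exactly the window such a check is meant to shrink.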

Timeline of Events

January 6, 2026: This article was published.

MITRE ATT&CK Mitigations

Digitally signing software installers allows the OS and users to verify the authenticity and integrity of the file, preventing execution of tampered versions.


Using web gateways and endpoint protection to scan downloaded files for malware before they can be executed by the user.


Maintaining up-to-date antivirus software that can detect and block known infostealers and trojanized installers.


D3FEND Defensive Countermeasures

To prevent users from falling victim to attacks like the EmEditor website compromise, software developers must implement Service Binary Verification, commonly known as code signing. Emurasoft should digitally sign all of their official installers with a trusted code signing certificate. This allows the Windows operating system and browsers to validate that the executable was published by Emurasoft and has not been modified since it was signed. When a user runs an unsigned or invalidly signed installer, they will receive a prominent security warning. Educating users to heed these warnings and only run software with a valid signature is a crucial step. This technique creates a verifiable chain of trust from the developer to the user, making it significantly harder for attackers to pass off a malicious file as legitimate.

For end-users and corporate environments, proactive File Analysis is a key defense against trojanized installers. When any new executable is downloaded, it should be automatically analyzed before execution. This can be done by endpoint security solutions (EDR/AV) which check the file's hash against a reputation database (like VirusTotal) and perform static and dynamic analysis to identify malicious characteristics. In a corporate setting, web gateways can be configured to hold all downloaded executables in a sandbox for analysis before releasing them to the user. For the EmEditor case, users who downloaded the file during the breach window should use file analysis by right-clicking the installer, checking its properties for a valid digital signature from 'Emurasoft, Inc.', and comparing its file hash to the one published on the official (and now cleaned) website.
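The hash comparison and signature check recommended in the Detection & Response section and again in the file analysis paragraph above can be done in one script. This is an added example, not code from the article or from Emurasoft: it compares the installer's SHA256 with a vendor-published hash and verifies the Authenticode signature, requiring both that the signature chains to a trusted root and that the signer's common name is the expected publisher. The installer file name and the published hash are placeholders; the published hash should come from a channel other than the website that was itself compromised, since an attacker who can edit a download link can edit a hash next to it.

```powershell
# Added example: verify a downloaded installer by published hash and by
# Authenticode publisher. Not from the article; installer name and hash are placeholders.
param(
    [string]$InstallerPath     = "$env:USERPROFILE\Downloads\emed64_setup.exe", # assumed name
    [string]$PublishedSha256   = 'PLACEHOLDER_SHA256_FROM_VENDOR',               # obtain out of band
    [string]$ExpectedPublisher = 'Emurasoft, Inc.'                               # publisher named in the report
)

function Test-InstallerHash {
    param([string]$Path, [string]$Expected)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Check  = 'SHA256'
        Passed = ($actual -eq $Expected)   # string -eq is case-insensitive in PowerShell
        Detail = "actual=$actual expected=$Expected"
    }
}

function Test-InstallerSignature {
    param([string]$Path, [string]$Publisher)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) {
        # SimpleName returns just the CN, avoiding quoting issues in the full DN.
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    # Both conditions matter: a trojanized installer can carry a perfectly valid
    # signature from a certificate the attacker obtained, so "Valid" alone is not enough.
    [pscustomobject]@{
        Check  = 'Authenticode'
        Passed = ($sig.Status -eq 'Valid' -and $signer -eq $Publisher)
        Detail = "status=$($sig.Status) signer='$signer'"
    }
}

if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }

$results = @(
    Test-InstallerHash      -Path $InstallerPath -Expected  $PublishedSha256
    Test-InstallerSignature -Path $InstallerPath -Publisher $ExpectedPublisher
)
$results | Format-Table -AutoSize

if ($results.Passed -contains $false) {
    Write-Warning 'Do not run this installer. Quarantine it and treat the host as potentially compromised.'
    exit 1
}
'Both checks passed.'
```

A status of NotSigned or HashMismatch, or a Valid signature from an unexpected signer, each warrant the same response: do not execute the file, and follow the extension audit, antivirus scan and credential reset steps listed under Detection & Response.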

Sources & References

5th January – Threat Intelligence Report
Check Point Research (research.checkpoint.com) January 5, 2026
EmEditor website hacked to push infostealer malware
BleepingComputer (bleepingcomputer.com) January 5, 2026

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Infostealer, Malware, Supply Chain Attack, Watering Hole, EmEditor, Website Compromise
