Cyber Incident Victim: Emurasoft, Inc.

Date: Dec 2023
Summary

Emurasoft, Inc.'s EmEditor software was compromised in a supply chain attack in which attackers pointed the official download page at a malicious version of the installer. The fraudulent installer, signed with a certificate issued to an unrelated company, executed PowerShell commands to deploy infostealer malware that harvested system information, user files, and credentials from various applications and services. The malware exited on systems whose language settings indicated former Soviet countries or Iran; elsewhere it installed a persistent browser extension to exfiltrate browsing data, hijack cryptocurrency transactions via clipboard manipulation, log keystrokes, and steal social media advertising accounts. Security researchers assessed the incident as financially motivated.


Description

Between December 19, 2023, at 18:39 PT and December 22, 2023, at 12:50 PT, attackers compromised the download infrastructure of EmEditor, a text and code editing software developed by Emurasoft, Inc. The threat actors altered the URL associated with the ‘Download Now’ button on the EmEditor homepage to redirect users to a malicious .msi installer file hosted on a different section of the official website. This malicious installer shared the same filename and approximate size as the legitimate EmEditor installer but was signed with a digital certificate belonging to an unrelated company, distinguishing it from Emurasoft’s authentic software. Emurasoft confirmed the supply chain attack in a security notice published on December 22, advising users who downloaded the software during this timeframe to verify the digital signature of their installer. The company characterized the three-day exposure window as a conservative estimate, acknowledging the possibility that the actual compromise duration might have been shorter or limited to specific intervals within that period.
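The check Emurasoft asked affected users to perform can be scripted. The following PowerShell is an added example, not Emurasoft's own tooling: it inspects the Authenticode signature on a downloaded .msi and rejects it unless the signer subject matches the expected publisher. The installer path and the expected publisher pattern are parameters the user supplies and are assumptions here, not values taken from the vendor notice. The important caveat it encodes is that `Get-AuthenticodeSignature` reporting `Valid` is not enough on its own: the attacker's installer in this incident was validly signed, just by the wrong company, so the signer identity must be compared explicitly.

```powershell
# Added example (not Emurasoft's code). Verifies that an EmEditor installer is
# signed by the expected publisher, not merely by some trusted certificate.
param(
    # Assumed: path to the .msi the user downloaded during the exposure window.
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    # Assumed: regex that the legitimate publisher's certificate subject must match.
    [string]$ExpectedSubjectPattern = 'Emurasoft'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$SubjectPattern)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' only means the signature chains to a trusted root. The malicious
    # installer in this incident also passed this test, signed by an unrelated
    # company, so a status check alone would have accepted it.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signature status: $($sig.Status)" }
    }

    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch $SubjectPattern) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signed by unexpected subject: $subject" }
    }

    # Record hash and thumbprint so the verdict can be compared against any
    # vendor-published values and reused across machines.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return [pscustomobject]@{
        Path       = $Path
        Verdict    = 'OK'
        Reason     = "signed by $subject"
        Sha256     = $hash
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SignedOn   = $sig.SignerCertificate.NotBefore
    }
}

Test-InstallerSignature -Path $InstallerPath -SubjectPattern $ExpectedSubjectPattern | Format-List
```

Run it as `.\Test-EmEditorInstaller.ps1 -InstallerPath C:\Users\me\Downloads\emeditor.msi` (script and file names are placeholders). A `REJECT` with "unexpected subject" is the signature the notice describes: a validly signed file from the wrong signer. Filename and size are not useful discriminators here, since the page notes the malicious installer matched both.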


The malicious installer executed a PowerShell command upon launch, initiating the download and execution of additional payloads from a counterfeit EmEditor domain. According to Qianxin, a Chinese cybersecurity firm that analyzed the attack, the malware harvested system information, files from the Desktop, Documents, and Downloads folders, VPN configurations, browser data, and credentials for applications including Zoho Mail, Discord, Slack, Teams, Zoom, WinSCP, PuTTY, Telegram, and Steam. The malware terminated its execution if it detected system languages associated with former Soviet countries or Iran, indicating possible targeting constraints. Post-infection, the attackers deployed a browser extension named ‘Google Drive Caching’ to maintain persistence. This extension functioned as a comprehensive infostealer, collecting browser history, bookmarks, cookies, and enabling clipboard hijacking to replace cryptocurrency wallet addresses with attacker-controlled alternatives. It also logged keystrokes and targeted Facebook ad account credentials. Qianxin’s investigation highlighted the financially motivated nature of the attack but refrained from attributing it to specific threat actors, noting the evolving overlap between criminal and state-aligned cyber operations. Emurasoft and Qianxin distributed indicators of compromise to assist organizations in identifying affected systems.
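A responder checking a fleet for this intrusion would want to hunt for the persistence mechanism described above. The following PowerShell is an added example, not code from Emurasoft or Qianxin: it walks the standard Chromium extension layout (`<profile>\Extensions\<id>\<version>\manifest.json`) under each user's Chrome, Edge and Brave profiles and reports any extension whose manifest name is "Google Drive Caching", the name the page reports. The page does not give an extension ID, so none is assumed and matching is by name only; it also does not say how the extension was installed, so the script additionally lists any `ExtensionInstallForcelist` policy entries, a common way to force an extension into Chromium browsers, as general context rather than as a confirmed indicator for this incident.

```powershell
# Added example (not from Emurasoft or Qianxin). Hunts for the 'Google Drive
# Caching' persistence extension across local user profiles and reports
# force-install policy entries that would reinstall an extension.
$ExtensionName = 'Google Drive Caching'   # name reported on the page; ID not known

# Standard Chromium-family profile roots relative to a user's home directory.
$ProfileRoots = @(
    'AppData\Local\Google\Chrome\User Data',
    'AppData\Local\Microsoft\Edge\User Data',
    'AppData\Local\BraveSoftware\Brave-Browser\User Data'
)

function Find-SuspiciousExtension {
    param([string]$Name)
    $hits = @()
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        foreach ($root in $ProfileRoots) {
            $base = Join-Path $userDir.FullName $root
            if (-not (Test-Path -LiteralPath $base)) { continue }
            Get-ChildItem -Path $base -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
                Where-Object { $_.FullName -match '\\Extensions\\' } |
                ForEach-Object {
                    try { $m = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json } catch { return }
                    # Caveat: manifests may localise the name as "__MSG_xxx__"; those
                    # would need _locales\*\messages.json resolved to match by name.
                    if ($m.name -eq $Name) {
                        $hits += [pscustomobject]@{
                            User        = $userDir.Name
                            Manifest    = $_.FullName
                            Version     = $m.version
                            Permissions = ($m.permissions -join ',')
                            Modified    = $_.LastWriteTime
                        }
                    }
                }
        }
    }
    return $hits
}

function Get-ForcedExtensionPolicies {
    # Policy keys under which Chromium browsers read force-installed extensions.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip PowerShell metadata properties
            [pscustomobject]@{ PolicyKey = $k; Entry = $p.Value }
        }
    }
}

$found = Find-SuspiciousExtension -Name $ExtensionName
if ($found) { $found | Format-Table -AutoSize } else { "No extension named '$ExtensionName' found." }
"Force-install policy entries (review any unexpected IDs):"
Get-ForcedExtensionPolicies | Format-Table -AutoSize
```

Run it elevated so every profile under `C:\Users` is readable. A hit should be treated as a signal to pull the full infostealer indicators from the Emurasoft and Qianxin publications rather than as proof on its own, since an attacker can rename an extension; the manifest's `permissions` list (clipboard, history, cookies, keyboard access) is usually the more durable tell.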
