Microsoft said attackers compromised a font package that a PDF editor installs and used it to plant a cryptocurrency miner on users' computers.
The company discovered the incident after its employees received alerts from Windows Defender ATP (a commercial version of Windows Defender antivirus).
Microsoft's researchers said that, after investigating the alerts, they determined the attackers had compromised the cloud server infrastructure of a font vendor that supplies font packages as MSI files to other software companies. One of those companies used the packages in its PDF editor application, which downloaded them from the font vendor's cloud servers during the editor's installation procedure.
“The attackers recreated the entire infrastructure of [the development company] on a replica server, which was owned and controlled by the attackers. They copied and hosted all MSI files on it, including clean signed font packages,” Microsoft security researchers said. “The attackers decompiled and modified one of the Asian font packages to include a hidden cryptocurrency miner,” they added.
"Using an unknown vulnerability (which does not appear to be MITM or DNS interception), the attackers were able to influence the download parameters used by the application. The parameters included a new download link pointing to the attacker's server," Microsoft said.
Users who downloaded and launched the PDF editor application unknowingly installed font packages, including the malicious one, from the attackers' server. Because the PDF editor's installer ran with SYSTEM-level privileges, the hidden miner code gained full access to the user's system. The malware created its own process, named xbox-service.exe, which mined cryptocurrency on the victim's computer.
Microsoft said that Windows Defender ATP detected behavior characteristic of miners. The researchers then traced the process back to the PDF editor installer and one of its MSI font packages.
They said it was easy to determine which MSI font package was malicious: every other MSI file carried a valid signature from the original software company, while the one file whose signature no longer verified was the one into which the attackers had injected the miner code.
The miner also drew the researchers' attention because it tried to modify the Windows hosts file in a crude attempt to block the update operations of various security applications. Modifications to the hosts file are flagged by most antivirus programs as suspicious or malicious.
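A triage script a defender could run to check for the three indicators the article describes (an MSI whose signature no longer verifies among otherwise signed packages, hosts-file entries aimed at security-product updates, and the reported miner process name). This is an added example, not code from the article or from Microsoft's report; the MSI folder path and the hosts-file keyword list are assumptions.

```powershell
# Added example (not from the article): triage for the indicators it describes.
param(
    [string]$MsiDir = 'C:\Temp\font-packages'   # assumed folder holding the downloaded font MSIs
)

# 1. Every font MSI should carry a valid Authenticode signature from the vendor.
#    A file that was modified after signing no longer verifies, which is how the
#    malicious package stood out; report anything whose status is not 'Valid'.
$badMsi = Get-ChildItem -Path $MsiDir -Filter *.msi -File |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object @{n='File'; e={ $_.Path }},
                  Status,
                  @{n='Signer'; e={ $_.SignerCertificate.Subject }}

# 2. The miner edited the hosts file to block security-product updates.
#    Flag active (non-comment) entries whose hostname matches the assumed keywords.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$keywords  = 'update', 'antivirus', 'defender', 'security'      # assumed, adjust per environment
$hostsHits = Get-Content -Path $hostsPath |
    Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -match ($keywords -join '|') }

# 3. The article reports the miner ran as a process named xbox-service.exe.
$minerProc = Get-Process -Name 'xbox-service' -ErrorAction SilentlyContinue

[pscustomobject]@{
    UnsignedOrTamperedMsi = $badMsi
    SuspiciousHostsLines  = $hostsHits
    MinerProcessRunning   = [bool]$minerProc
}
```

Any hit in the first two fields deserves a look at the installer's download source, since a signed package pulled from an unexpected host was the root of the incident described above.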
Microsoft did not disclose the names of the two software companies involved in this incident, saying only that the affected companies are not major players in the PDF software market. Microsoft says the malware was only active between January and March 2018, and that the problem affected a small number of users.
According to BleepingComputer.com