Skip to content
Threat Feed
high advisory

EmEditor Supply Chain Compromise Delivering Infostealer

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

A supply chain compromise involving the EmEditor text editor led to the distribution of a trojanized installer. Attackers replaced the legitimate EmEditor installer with a malicious version containing an infostealer. This compromised installer was then distributed through trusted or official channels, deceiving users into installing the malware. This incident underscores the importance of verifying software integrity, even when obtained from seemingly reputable sources, and highlights the potential for significant damage when software supply chains are targeted. The goal is to steal sensitive information from victim machines. Defenders should focus on detecting anomalous process execution and network activity following software installations.

Attack Chain

  1. The attacker compromises the EmEditor software supply chain.
  2. A malicious EmEditor installer is created, embedding an infostealer payload.
  3. The trojanized installer is distributed through trusted or official EmEditor distribution channels.
  4. Unsuspecting users download and execute the malicious installer on their Windows systems.
  5. The installer executes the infostealer payload in the background.
  6. The infostealer collects sensitive information such as credentials, browser data, and other valuable data.
  7. The stolen data is exfiltrated to a command-and-control server controlled by the attacker.
  8. The attacker uses the stolen information for further malicious activities, such as account compromise or data theft.

Impact

The EmEditor supply chain compromise resulted in the distribution of an infostealer to an unknown number of users. Victims who downloaded and installed the trojanized EmEditor installer had their sensitive information stolen, potentially leading to financial loss, identity theft, and further compromise of their systems and accounts. The software supply chain compromise can erode trust in legitimate software vendors and distribution channels.

Recommendation

  • Implement robust software integrity verification mechanisms, such as checking digital signatures and file hashes, before installing any software (reference: overview).
  • Monitor for unusual process execution and network connections after software installations to detect potential post-compromise activity (reference: attack chain).
  • Deploy the Sigma rules provided below to detect potential infostealer activity and malicious installer execution (reference: rules).

Detection coverage 2

Detect Suspicious Installer Execution

high

Detects potential malicious installers executing from temporary directories.

sigma tactics: initial_access techniques: T1566 sources: process_creation, windows

Detect Infostealer Process Creation

medium

Detects processes associated with common info-stealing malware, based on command line and process name.

sigma tactics: credential_access techniques: T1003 sources: process_creation, windows

Detection queries are kept inside the platform. Get full rules →