Exorcist: automated differential analysis to detect compromises in closed-source software supply chains

Conference item

The insertion of trojanised binaries into supply chains are a particularly subtle form of cyber-attack that require a multi-staged and complex deployment methodology to implement and execute. In the years preceding this research there has been a spike in closed-source software supply chain attacks used to attack downstream clients or users of a company. To detect this attack type, we present an approach to detecting the insertion of malicious functionality in supply chains via differential analysis of binaries. This approach determines whether malicious functionality has been inserted in a particular build by looking for indicators of maliciousness. We accomplish this via automated comparison of a known benign build to successive potentially malicious versions. To substantiate this approach we present a system, Exorcist, that we have designed, developed and evaluated as capable of detecting trojanised binaries in Windows software supply chains. In evaluating this system we analyse 12 samples from high-profile APT attacks conducted via the software supply chain.

Authors: Barr-Smith, F; Baker, R; Blazytko, T; Martinovic, I

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Association for Computing Machinery
• Host title: SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
• Pages: 51-61
• Publication date: 2022-11-08
• Acceptance date: 2022-09-02
• Event title: ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '22)
• Event location: Los Angeles
• Event website: https://scored.dev/
• Event start date: 2022-11-11
• Event end date: 2022-11-11
• DOI: 10.1145/3560835.3564550
• ISBN: 9781450398855
• Language: English
• Keywords: FFR; differential analysis; malware; obfuscation; advanced persistent threat; code signing; binary analysis; supply chain security