Security researchers at Cambridge University, Nicholas Boucher and Ross Anderson, have identified a new class of vulnerability that enables threat actors to insert visually deceptive malicious code into source code in a way that remains semantically valid to the compiler.
At the same time, the technique changes the logic that the source code defines, exposing the code to a wide variety of cyber threats, including attacks on software supply chains.
Text-encoding Standards Abused
The attack, named Trojan Source, has been demonstrated end to end, and it can compromise both first-party software and software supply chains.
One of the researchers noted that the trick lets threat actors use Unicode control characters to reorder tokens in source code at the encoding level.
In addition, several manipulations of how source code files are encoded allow threat actors to make human reviewers and compilers see different logic in the same file.
Homoglyph & Duplex Attack
The duplex attack method is tracked as CVE-2021-42574. In this method, attackers use the Unicode controls for bidirectional text, which prescribe the direction in which content is displayed.
The bidirectional (Bidi) control characters, such as LRI and RLI, are invisible when rendered, and these two are not the only ones.
The second method is the homoglyph attack, tracked as CVE-2021-42694. In this method, the threat relies on two different characters that have a similar visual representation.
Techniques That Enable Exploiting the Source Code
The researchers described several techniques that allow the source code to be exploited; they are listed below:
- Early Returns – Hides a ‘return’ statement inside what renders as a comment, so that the function returns earlier than it appears to.
- Commenting Out – Defeats human review by placing important code, such as a conditional, inside what renders as a comment, so that it is ignored by the compiler or the interpreter.
- Stretched Strings – Reorders the code so that text which appears to be executable code outside a string literal is actually inside the string.
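The checks a reviewer or CI pipeline can run for the two CVEs above, as an added example in Python that is not part of the original article. The sample source strings are constructed here to mimic the stretched-string (Bidi) and homoglyph patterns; the function names are the example's own.

```python
import unicodedata

# Unicode bidirectional embedding, override and isolate controls (plus their
# terminators) that CVE-2021-42574 abuses. They render invisibly in editors.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def scan_source(text):
    """Return (line_no, col, kind, detail) findings for a source file.

    kind is "bidi" for a Bidi control character, or "non-ascii" for any
    other non-ASCII character, which a reviewer should triage as a possible
    homoglyph (CVE-2021-42694) when it appears in an identifier.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, "bidi", BIDI_CONTROLS[ch]))
            elif ord(ch) > 0x7F:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((line_no, col, "non-ascii", name))
    return findings

def has_bidi(text):
    """True if the file contains any Bidi control character at all."""
    return any(f[2] == "bidi" for f in scan_source(text))

def make_visible(text):
    """Replace each Bidi control with a visible <NAME> marker for review."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in text)

# Constructed samples. The first looks like a harmless comment after a string
# when rendered, but the RLO/LRI/PDI controls put the text inside the literal.
SAMPLE_BIDI = ('if access_level != "user\u202e \u2066# Check if admin\u2069 '
               '\u2066":\n    print("ok")\n')
# The second defines a function whose name uses Greek capital Eta for "H".
SAMPLE_HOMOGLYPH = "def sayHello():\n    pass\ndef say\u0397ello():\n    pass\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BIDI, SAMPLE_HOMOGLYPH):
        for finding in scan_source(sample):
            print(finding)
        print(make_visible(sample))
```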
On July 25, the researchers notified several maintainers of products observed to be affected by the Trojan Source attack method and set a 99-day embargoed disclosure period.
At the end of the process, they also received an average of $2,246 in bug bounties from five of the recipients, although 11 of them had a bug bounty program.