From NuGet — to the heart of your system: libraries with a surprise appeared on the shelves of the repository

Carding 4 Carders

A multi-purpose Trojan is hiding behind indentation and special characters. How can it be detected?

Cybersecurity experts have discovered another campaign targeting users of the NuGet repository. According to researchers from ReversingLabs, it has been running since August 1, 2023.

Attackers publish fake packages in NuGet, disguising them as popular libraries. Among the detected ones:
  • Pathoschild.Stardew.Mod.Build.Config
  • KucoinExchange.Net
  • Kraken.Exchange
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Modern.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Client.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • CData.Snowflake.API

To mislead users, the attackers resort to several tricks: they artificially inflate the packages' download counts and obscure the malicious code with special characters and excessive indentation.

Once the infected library is installed, it downloads the main malicious program, which is written in .NET. This program is hosted in temporary GitHub repositories, probably to make it harder to detect and take down.

In this way the SeroXen RAT Trojan lands on the victim's computer, giving the attackers full access to the system.

Experts note that this is the first known case of using the built-in MSBuild tasks in NuGet for such campaigns.

MSBuild is the .NET build engine; a NuGet package can include MSBuild files that are imported into the consuming project, which lets the package run code automatically when the library is installed and the project is built.
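The following is an added defensive example, not code from the post or from ReversingLabs: a small Python scanner that opens a .nupkg (a zip archive), looks at the MSBuild files NuGet imports automatically (anything under build/, buildTransitive/ or buildMultiTargeting/) and flags the constructs that give a package code execution at build time (inline code tasks, Exec and DownloadFile tasks, zero-width characters, and lines padded with hundreds of spaces to push the payload off-screen). The two sample packages are constructed in memory; the "malicious" one only prints a placeholder string.

```python
import io
import re
import zipfile
from typing import List

# NuGet imports MSBuild files from these package folders into every consuming
# project, so whatever they contain runs without the developer calling it.
AUTO_IMPORT_FOLDERS = ("build/", "buildtransitive/", "buildmultitargeting/")
MSBUILD_EXTENSIONS = (".targets", ".props")

# Constructs that let a package execute arbitrary code during the build.
SUSPICIOUS_PATTERNS = {
    # Inline C#/VB task compiled and executed by MSBuild itself.
    "inline_task": re.compile(
        r'<UsingTask\b[^>]*TaskFactory\s*=\s*"(?:Code|RoslynCode)TaskFactory"', re.I),
    "code_block": re.compile(r"<Code\b", re.I),
    "exec_task": re.compile(r"<Exec\b", re.I),
    "download_task": re.compile(r"<DownloadFile\b", re.I),
    # Zero-width and BOM characters used to hide content from a casual review.
    "invisible_chars": re.compile("[\u200b\u200c\u200d\u2060\ufeff]"),
}
# Indentation deeper than this is padding, not formatting.
MAX_SANE_INDENT = 120


def scan_nupkg(data: bytes) -> List[dict]:
    """Return one finding per MSBuild file in the package that shows a suspicious construct."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not lower.endswith(MSBUILD_EXTENSIONS):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            reasons = [key for key, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            deepest = max((len(line) - len(line.lstrip()) for line in text.splitlines()), default=0)
            if deepest > MAX_SANE_INDENT:
                reasons.append("padded_lines")
            if reasons:
                findings.append({
                    "file": name,
                    "auto_import": lower.startswith(AUTO_IMPORT_FOLDERS),
                    "reasons": sorted(reasons),
                })
    return findings


def build_sample_nupkg(msbuild_xml: str, path: str = "build/Sample.targets") -> bytes:
    """Constructed minimal .nupkg carrying one MSBuild file; not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Sample.nuspec", "<package><metadata><id>Sample</id></metadata></package>")
        zf.writestr("lib/net6.0/Sample.dll", b"MZ placeholder, not a real assembly")
        zf.writestr(path, msbuild_xml)
    return buf.getvalue()


# Constructed benign targets file: only sets a property.
BENIGN_TARGETS = """<Project>
  <PropertyGroup>
    <SampleFeatureEnabled>true</SampleFeatureEnabled>
  </PropertyGroup>
</Project>
"""

# Constructed look-alike of the inline-task abuse: the C# fragment is pushed
# off-screen with 300 spaces of indentation. The "payload" is a harmless print.
INLINE_TASK_TARGETS = (
    '<Project>\n'
    '  <UsingTask TaskName="SampleInit" TaskFactory="RoslynCodeTaskFactory"\n'
    '             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">\n'
    '    <Task><Code Type="Fragment" Language="cs">\n'
    + " " * 300 + 'System.Console.WriteLine("constructed placeholder");\n'
    '    </Code></Task>\n'
    '  </UsingTask>\n'
    '  <Target Name="SampleInit" BeforeTargets="Build"><SampleInit /></Target>\n'
    '</Project>\n'
)

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_TARGETS), ("inline-task", INLINE_TASK_TARGETS)):
        print(label, scan_nupkg(build_sample_nupkg(xml)))
```

A finding with `auto_import` set is the one to treat as a build-time execution path; the same file under tools/ still deserves a look, but it only runs if a project imports it by hand.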

Developers are advised to be extra vigilant when installing packages from third-party sources. It is also necessary to tighten the verification of files published in the official NuGet repository.

The fight against cybercrime requires all market participants to be more vigilant and improve their protection methods. Only a comprehensive approach and attention to detail will help minimize risks.
 
As part of an ongoing malware campaign that began in August 2023, attackers are publishing new malicious packages in the NuGet package manager, adding a new layer of stealth to bypass detection.

About 60 malicious packages, spanning 290 versions, show a more sophisticated approach than the packages discovered in October 2023, according to software supply chain security company ReversingLabs.

According to the researchers, the attackers switched from using MSBuild integrations in NuGet to a strategy based on simple but obfuscated loaders that are inserted into legitimate PE binaries using Intermediate Language (IL) weaving, a .NET programming technique that allows application code to be modified after compilation.

The ultimate goal of fake packages, both old and new, is to deliver a ready-made remote access Trojan called SeroXen RAT. All the packages identified by the researchers have already been removed from the NuGet platform.

ReversingLabs emphasized that attackers are constantly developing methods and tactics used to compromise and infect their victims with malicious code designed to extract confidential data or give attackers control over IT assets.

The malware campaign under review highlights new ways that attackers are trying to trick developers and security teams into downloading and using malicious or fake packages from popular open source package managers such as NuGet.

To protect against such threats, developers are advised to carefully check every package they use and its source, and to watch for abnormal names and suspicious changes in the code. It is also important to keep security tools up to date and to apply static and dynamic analysis to identify possible threats.
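As an added example of the "abnormal names" check (not code from the post or from ReversingLabs), the Python below compares a candidate package id against a constructed allow-list of names the project already trusts. It reduces each name to a skeleton (Unicode NFKC normalisation, case folding, a small table of Cyrillic-to-Latin confusables, separators dropped) and reports a candidate whose skeleton equals or sits within a couple of edits of a trusted name; the page's `Pathoschild.Stardew.Mod.Build.Config` differs from the real `Pathoschild.Stardew.ModBuildConfig` only in separators and is caught that way. The confusables table and thresholds are assumptions chosen for the example.

```python
import unicodedata
from typing import List, Optional

# Cyrillic letters that render identically to Latin ones (subset; assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}
SEPARATORS = "._-"
MAX_EDITS = 2       # edit distance treated as a typosquat (assumption)
MIN_LENGTH = 6      # skip very short trusted names to avoid noise (assumption)


def skeleton(name: str) -> str:
    """Canonical form used for comparison: NFKC, casefold, confusables mapped, separators removed."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return "".join(ch for ch in s if ch not in SEPARATORS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(candidate: str, trusted: List[str]) -> Optional[dict]:
    """Return a finding if candidate looks like (but is not) one of the trusted ids."""
    if candidate in trusted:
        return None
    sk = skeleton(candidate)
    # Pick the closest trusted name.
    best_name, best_dist = min(((t, levenshtein(sk, skeleton(t))) for t in trusted),
                               key=lambda pair: pair[1])
    if best_dist == 0:
        return {"candidate": candidate, "lookalike_of": best_name,
                "reason": "differs only in case, separators or confusable characters"}
    if best_dist <= MAX_EDITS and len(skeleton(best_name)) >= MIN_LENGTH:
        return {"candidate": candidate, "lookalike_of": best_name,
                "reason": f"edit distance {best_dist}"}
    return None


# Constructed allow-list for the example; a real one comes from the lock file.
TRUSTED = ["Newtonsoft.Json", "Pathoschild.Stardew.ModBuildConfig", "Serilog"]

if __name__ == "__main__":
    for cand in ("Newtonsoft.Json", "Pathoschild.Stardew.Mod.Build.Config",
                 "Newtons\u043eft.Json", "Newtonsof.Json", "Serilog.Sinks.Console"):
        print(repr(cand), "->", check_name(cand, TRUSTED))
```

Run it over the ids in a project's restore output before the first build; a name that is flagged is worth resolving to its exact publisher and download history rather than installing on the strength of a familiar-looking string.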

In addition, organizations should invest in training employees in secure programming and monitoring of software supply chains.

• Source: https://www.reversinglabs.com/blog/...n-uses-homoglyphs-and-il-weaving-to-fool-devs
 