Malicious NuGet Packages Found Spreading SeroXen Remote Access Trojan

Malicious NuGet Packages

Cybersecurity researchers have discovered a fresh batch of malicious packages uploaded to the NuGet package manager that use a little-known malware distribution technique.

The campaign has been coordinated and ongoing since August 1, 2023, according to software supply chain security firm ReversingLabs, which linked it to a host of rogue NuGet packages that were seen spreading the SeroXen remote access trojan (RAT).

Karlo Zanki, a reverse engineer at ReversingLabs, stated in a report shared with The Hacker News that “the threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages.”

Some of the package names are listed below:

  • Pathoschild.Stardew.Mod.Build.Config
  • KucoinExchange.Net
  • Kraken.Exchange
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Modern.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Client.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • CData.Snowflake.API


“This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware,” Zanki stated.

Similar traits can be seen in the packages that have since been removed: the threat actors behind the operation tried to hide the malicious code by using tabs and spaces to push it beyond the default screen width, out of view of anyone inspecting the file.
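As an added example (not code from the article or from ReversingLabs), a small Python scanner for the two traits described above, assuming the inline tasks feature in question is MSBuild's: a .nupkg is a zip archive, so the scanner opens each build-time .targets or .props file, flags any <UsingTask> that uses CodeTaskFactory or RoslynCodeTaskFactory (C# or VB compiled and run when a consuming project builds), and flags lines where a run of tabs or spaces wider than an assumed 120-column screen precedes further content. The sample package it scans is constructed for the demonstration, not a real artifact.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A <UsingTask> with one of these factories compiles and runs C#/VB from a <Code>
# element at build time, i.e. whenever a project that pulled the package builds.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
SCREEN_WIDTH = 120  # assumed editor width; not a value from the report

def has_offscreen_content(line, width=SCREEN_WIDTH):
    """True if a whitespace run at least `width` columns wide precedes more content."""
    return re.search(r" {%d,}\S" % width, line.expandtabs(8)) is not None

def scan_msbuild_file(text):
    """Findings for one .targets/.props file: inline tasks and off-screen code lines."""
    root = ET.fromstring(text)
    findings = [("inline-task", el.get("TaskName", "?")) for el in root.iter()
                if el.tag.split("}")[-1] == "UsingTask"
                and el.get("TaskFactory") in INLINE_TASK_FACTORIES]
    findings += [("offscreen-code", n) for n, line in enumerate(text.splitlines(), 1)
                 if has_offscreen_content(line)]
    return findings

def scan_nupkg(data):
    """A .nupkg is a zip archive; scan every build-time MSBuild file inside it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith((".targets", ".props")):
                found = scan_msbuild_file(z.read(name).decode("utf-8", "replace"))
                if found:
                    report[name] = found
    return report

def build_sample_nupkg():
    """Constructed sample, not a real package: an inline task whose C# body sits behind 30 tabs."""
    hidden = "\t" * 30 + 'System.Console.WriteLine("runs at build time");'
    targets = (
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
        '  <UsingTask TaskName="Init" TaskFactory="CodeTaskFactory"\n'
        '             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">\n'
        '    <Task><Code Type="Fragment" Language="cs">' + hidden + "</Code></Task>\n"
        "  </UsingTask>\n"
        "</Project>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("build/Sample.targets", targets)
    return buf.getvalue()
```

Running `scan_nupkg(build_sample_nupkg())` reports both an inline-task declaration named Init and an off-screen code line in build/Sample.targets; a package with only ordinary property settings produces no findings.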

As revealed earlier by Phylum, the packages also carry fictitious download counts to give them a more authentic appearance. The decoy packages' ultimate objective is to serve as a conduit for fetching a second-stage .NET payload hosted on a disposable GitHub repository.

“The threat actor behind this campaign is being careful and paying attention to details, and is determined to keep this malicious campaign alive and active,” Zanki said.
