Article Details
Scrape Timestamp (UTC): 2024-07-11 15:06:48.316
Source: https://thehackernews.com/2024/07/60-new-malicious-packages-uncovered-in.html
Original Article Text
60 New Malicious Packages Uncovered in NuGet Supply Chain Attack
Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection.
The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the previous set that came to light in October 2023, software supply chain security firm ReversingLabs said.
The attackers pivoted from using NuGet's MSBuild integrations to "a strategy that uses simple, obfuscated downloaders that are inserted into legitimate PE binary files using Intermediary Language (IL) Weaving, a .NET programming technique for modifying an application's code after compilation," security researcher Karlo Zanki said.
The end goal of the counterfeit packages, both old and new, is to deliver an off-the-shelf remote access trojan called SeroXen RAT. All the identified packages have since been taken down.
The latest collection of packages is characterized by the use of a novel technique called IL weaving that makes it possible to inject malicious functionality into a legitimate Portable Executable (PE) .NET binary taken from a legitimate NuGet package.
This includes taking popular open-source packages like Guna.UI2.WinForms and patching them with the aforementioned method to create an imposter package that's named "Gսոa.UI3.Wіnfօrms," which uses homoglyphs to substitute the letters "u," "n," "i," and "o" with their equivalents "ս" (\u057D), "ո" (\u0578), "і" (\u0456), and "օ" (\u0585).
"Threat actors are constantly evolving the methods and tactics they use to compromise and infect their victims with malicious code that is used to extract sensitive data or provide attackers with control over IT assets," Zanki said.
"This latest campaign highlights new ways in which malicious actors are scheming to fool developers as well as security teams into downloading and using malicious or tampered with packages from popular open source package managers like NuGet."
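A defender-side check for the homoglyph naming trick described above, as an added example that is not part of the original article or of ReversingLabs' tooling. It flags package IDs that contain non-Latin letters and IDs that closely resemble a trusted ID once the four look-alikes named in the article are folded back to Latin; the trusted list, the 0.9 similarity threshold and the function names are assumptions.

```python
import difflib
import unicodedata

# Homoglyph substitutions listed in the article (look-alike -> Latin letter).
CONFUSABLES = {"\u057d": "u", "\u0578": "n", "\u0456": "i", "\u0585": "o"}

# Constructed sample data: one trusted ID and the imposter ID rebuilt from
# the code points the article gives.
TRUSTED = ["Guna.UI2.WinForms"]
IMPOSTER = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"


def scripts(package_id):
    """Return the Unicode scripts of the letters in a package ID."""
    # The first word of a letter's Unicode name is its script, e.g. ARMENIAN.
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in package_id if ch.isalpha()}


def skeleton(package_id):
    """Fold the listed look-alikes to Latin; lowercase (IDs are case-insensitive)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in package_id).lower()


def audit(package_id, trusted_ids, threshold=0.9):
    """Return findings for one package ID; an empty list means nothing flagged."""
    findings = []
    used = scripts(package_id)
    if used - {"LATIN"}:
        findings.append("non-Latin letters: " + ",".join(sorted(used)))
    if package_id.lower() in (t.lower() for t in trusted_ids):
        return findings  # exact match with a trusted ID
    folded = skeleton(package_id)
    for trusted in trusted_ids:
        ratio = difflib.SequenceMatcher(None, folded, trusted.lower()).ratio()
        if ratio >= threshold:
            findings.append(f"resembles {trusted} ({ratio:.2f})")
    return findings


if __name__ == "__main__":
    for pid in [IMPOSTER, "Guna.UI2.WinForms", "Newtonsoft.Json"]:
        print(repr(pid), audit(pid, TRUSTED) or "ok")
```

Run it over the package IDs referenced by a project's dependency files, with the trusted list set to the IDs the team has actually approved.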
Daily Brief Summary
Attackers published a new wave of approximately 60 malicious packages to the NuGet package manager, part of a continuing campaign that started in August 2023.
These malicious packages, spanning around 290 versions, use a more refined method than the previous set detected in October 2023.
Attackers utilize a technique known as IL Weaving to insert obfuscated downloaders into legitimate PE binaries, modifying .NET applications post-compilation.
The primary intent of these counterfeit packages is to distribute SeroXen RAT, a remote access trojan designed for espionage and data theft.
Notably, the technique includes exploiting homoglyphs in popular package names, like altering "Guna.UI2.WinForms" to a nearly indistinguishable but malicious "Gսոa.UI3.Wіnfօrms."
ReversingLabs, a software security firm, identified and reported these packages, which have since been removed from availability.
This incident highlights a growing trend of cybercriminals targeting software supply chains, necessitating heightened vigilance from developers and security teams.