Hackers often target NuGet as it’s a popular package manager for .NET, which developers widely use to share and consume reusable code.
Threat actors can distribute malicious code to many projects by compromising the NuGet packages.
In August 2023, ReversingLabs detected a malicious campaign against NuGet and noticed the change in techniques used by the threat actors.
Malicious NuGet Campaign
Earlier, they had been utilizing simple initialization scripts in more than 700 malignant packages and then switched to using *.targets files to exploit NuGet’s MSBuild integrations.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
The most recent variant uses obfuscated downloaders incorporated into genuine PE binaries using IL weaving.
To appear trustworthy, there were attempts like impersonation, typosquatting, and artificially inflating download counts.
This attack is an example of how these attackers can adjust their tactics as well as grow their skills to compromise the .NET ecosystem further.
This threat actor has been persistently targeting NuGet for over six months with advanced skills that have evolved to use IL weaving techniques.
This method enhances the detection complexity, as it injects malicious module initializers into legitimate .NET binaries.
Lately, attacks include patching DLL files from popular packages such as Guna.UI2.WinForms and using typosquatting to bypass NuGet’s prefix reservation system. Obfuscated SeroXen RAT is downloaded using the injected code.
After all, while analyzing compiled binaries might be more complicated than plaintext scripts, ReversingLabs Spectra Assure, among others, can identify suspicious functionalities in these altered packages, consequently illustrating a cat-and-mouse game between threat actors and security measures within the NET ecosystem.
Using homoglyphs to evade prefix reservations, researchers said the NuGet campaign produces packages that look real but aren’t.
Attackers used IL weaving to alter legal DLLs and injected obfuscated module initializers, making malware detection difficult.
About 60 packages and 290 versions were identified by ReversingLabs in this campaign, all of which had already been deleted on NuGet.
This attack’s emerging tactics in supply chain threats involve software such as binary patches and advanced typosquatting.
This is important as it shows that development organizations should be more cautious and use advanced detection techniques against these stealthy attacks aimed at open-source package managers.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo