A sophisticated malware campaign targeting the NuGet package manager has been uncovered by researchers. The ongoing attack, which began in August 2023, has evolved to employ advanced techniques like homoglyphs and IL weaving to evade detection and fool developers.
NuGet is a Microsoft-supported mechanism for sharing to allow developers to create, share, and consume .NET (including .NET Core code.
The threat actors have refined their methods over time, moving from simple initialization scripts to more complex approaches to impersonate protected NuGet prefixes to inject malicious code into legitimate .NET binaries.
Homoglyph Attacks Bypass Security Measures
Researchers from ReversingLabs observed, that in a a clever twist, attackers had exploited NuGet’s support for homoglyphs to circumvent the platform’s prefix reservation system. By using visually identical but technically distinct characters, they created package names that appeared legitimate but weren’t subject to the usual restrictions.
One of the most notable techniques used in this campaign is the use of homoglyphs, unique characters that look identical but have different digital identifiers. The attackers used homoglyphs to create a package that convincingly mimics those that use the reserved “Guna” prefix, a security feature of NuGet.
For example, the malicious package “Gսոa.UI3.Wіnfօrms” used Armenian and Cyrillic characters to mimic the “Guna” prefix, allowed the attackers to publish packages that looked official but contained malicious code.
The campaign’s latest phase employs IL weaving, a technique that modifies compiled .NET binaries. Attackers patch legitimate DLL files to include malicious module initializers, which execute when the module is first loaded.
This approach makes detection more challenging, as the malicious code is embedded within otherwise legitimate binaries. The injected code typically functions as a downloader, retrieving additional malware from attacker-controlled servers.
Researchers identified approximately 60 packages and 290 versions involved in this campaign. While the affected packages have been removed from NuGet, the evolving nature of the attack underscores the need for heightened vigilance in the software supply chain.
Evolved Tactics
The threat actors behind this campaign have continually refined their tactics, evolving from exploiting NuGet’s MSBuild integrations to using simple, obfuscated downloaders inserted into legitimate PE binary files via IL weaving. This technique allows them to add malicious functionality to compiled .NET binaries, making it harder to detect.
The detection of these malicious packages is challenging due to the use of homoglyphs and IL weaving. Traditional detection methods, such as YARA, may not be effective in identifying these threats. However, behavioral analysis can help identify suspicious packages and indicators of compromise.
This latest campaign highlights the importance of staying ahead of malicious actors and their evolving tactics. The use of homoglyphs and IL weaving demonstrates the creativity and determination of attackers to deceive developers and security teams. It is crucial for development organizations to prioritize software supply chain security and stay informed about emerging threats.
Researchers have shared potential Indicators of Compromise (IOCs) for this campaign to NuGet administrators, with identified packages removed from the platform. It is essential for developers to remain vigilant and report any suspicious packages to ensure the security of the software supply chain.