Around 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack
Threat actors have been observed publishing a fresh wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, this time adding a new layer of obfuscation to evade detection.
The new packages, about 60 in total across 290 versions, show a refinement of the approach used by the earlier set exposed in October 2023, software supply chain security company ReversingLabs disclosed.
The attackers pivoted from abusing NuGet's MSBuild integrations to "a strategy that uses simple, obfuscated downloaders that are inserted into legitimate PE binary files using Intermediate Language (IL) Weaving, a .NET programming technique for modifying an application's code after compilation," security researcher Karlo Zanki said.
The end goal of the rogue packages, both old and new, is to deliver an off-the-shelf remote access trojan known as SeroXen RAT. All of the identified packages have since been taken down.
What sets the latest batch apart is the use of IL weaving, which allows malicious functionality to be injected into a legitimate Portable Executable (PE) .NET binary taken from a genuine NuGet package, so the tampered assembly still carries the real library's code and behaves as expected apart from the added downloader.
This includes modifying popular open-source packages such as Guna.UI2.WinForms and combining that technique with a look-alike name: an impostor package called "Gսոa.UI3.Wіnfօrms" uses homoglyphs to replace the letters "u," "n," "i," and "o" with their visually similar counterparts "ս" (U+057D), "ո" (U+0578), "і" (U+0456), and "օ" (U+0585).
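One check a registry-monitoring or CI team can run against newly published NuGet package IDs, added here as an illustration and not code from ReversingLabs or from the page: it flags IDs that contain non-Latin letters, folds known look-alike characters to their ASCII counterparts to produce a "skeleton", and compares that skeleton against an allowlist of packages the organisation actually depends on. The confusables map is a hand-picked subset (the four characters the article names plus a few Cyrillic ones, an assumption; the full Unicode confusables table is far larger), the allowlist and the impostor string are constructed here from the article, and the 0.8 similarity cutoff is an arbitrary choice.

```python
import difflib
import unicodedata

# Hand-picked confusables subset (an assumption for illustration only; the real
# Unicode confusables table has thousands of entries). The first four entries are
# the characters the article reports in the impostor package name.
CONFUSABLES = {
    "\u057d": "u",  # ARMENIAN SMALL LETTER SEH
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

# Constructed allowlist: packages this hypothetical organisation depends on.
KNOWN_GOOD = ["Guna.UI2.WinForms", "Newtonsoft.Json", "Serilog"]

# The impostor ID from the article, built from explicit code points so the
# homoglyphs survive copy/paste: G ս ո a . U I 3 . W і n f օ r m s
IMPOSTOR = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"


def skeleton(package_id):
    """Fold every known look-alike character to its ASCII counterpart."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in package_id)


def foreign_script_chars(package_id):
    """Return (char, code point, Unicode name) for each letter that is not Latin."""
    found = []
    for ch in package_id:
        if ch.isalpha() and "LATIN" not in unicodedata.name(ch, ""):
            found.append((ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return found


def assess(package_id, known_good):
    """Classify a package ID relative to an allowlist of trusted package IDs.

    Verdicts:
      clean              - ASCII-only and exactly matches an allowlisted ID
      homoglyph-impostor - contains non-Latin letters and its skeleton matches or
                           closely resembles an allowlisted ID
      mixed-script       - contains non-Latin letters but resembles nothing we trust
      near-miss          - ASCII-only but only close to an allowlisted ID (typosquat
                           candidate; also fires for legitimately similar names)
    """
    foreign = foreign_script_chars(package_id)
    folded = skeleton(package_id)
    lowered = {name.lower(): name for name in known_good}
    exact = lowered.get(folded.lower())
    # 0.8 is an arbitrary cutoff chosen for this example.
    near = difflib.get_close_matches(folded.lower(), list(lowered), n=1, cutoff=0.8)
    impersonates = exact or (lowered[near[0]] if near else None)

    if foreign and impersonates:
        verdict = "homoglyph-impostor"
    elif foreign:
        verdict = "mixed-script"
    elif exact:
        verdict = "clean"
    elif near:
        verdict = "near-miss"
    else:
        verdict = "unknown"

    return {
        "package_id": package_id,
        "skeleton": folded,
        "foreign_chars": foreign,
        "impersonates": impersonates,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pid in (KNOWN_GOOD[0], IMPOSTOR, "Newtonsoft.Jsonn"):
        result = assess(pid, KNOWN_GOOD)
        print(result["verdict"], repr(pid), "->", result["skeleton"],
              "impersonates:", result["impersonates"])
        for ch, cp, name in result["foreign_chars"]:
            print("   ", ch, cp, name)
```

Two caveats: the Unicode-name test catches any non-Latin letter, so a package ID legitimately written in, say, Cyrillic will be reported as mixed-script and needs a human look, and the near-miss verdict will also fire for two genuinely distinct packages with similar names. Neither is a reason to drop the check; both are reasons to route its output to a review queue rather than block automatically.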

"Threat actors are constantly improving the strategies and tactics they use to compromise and infect their targets with malicious code that is used to exfiltrate sensitive data or give attackers control over IT resources," Zanki said.
"This latest campaign highlights new ways in which threat actors are conspiring to trick developers as well as security teams into downloading and deploying malicious or tampered packages from popular open-source package managers like NuGet."