Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, and adding a new layer of stealth to avoid detection.
The new packages, about 60 of the 290 versions, show an improved approach compared to the previous set, which came to light in October 2023, software supply chain security company ReversingLabs said.
Attackers have moved from using MSBuild’s NuGet integration to “a strategy that uses simple, obfuscated loaders that are inserted into legitimate PE binaries using Intermediary Language (IL) Weaving, a .NET programming method to modify application code after compilation,” security researcher Carlo Zanca said.
The ultimate goal of fake packages, both old and new, is to deliver a standard remote access trojan called SeroXen RAT. All identified packages have since been removed.
The latest collection of packages is characterized by the use of a new technique called IL weaving which makes it possible to inject malicious functionality into a legitimate Portable Executable (PE) .NET binary extracted from a legitimate NuGet package.
This includes using popular open source packages such as Guna.UI2.WinForms and fix it using the above method to create a self-calling package called “Gсоa.UI3.Wінfօrms” that uses amoglyphs to replace the letters “u”, “n”, “i” and “o” with their “ս” equivalents. ” (\u057D), “о” (\u0578), “and” (\u0456). and “օ” (\u0585).
“Threat actors are constantly evolving the methods and tactics they use to compromise and infect their victims with malicious code used to extract sensitive data or give attackers control over IT assets,” said Zankey.
“This latest campaign highlights new ways in which attackers plan to trick developers as well as security services into downloading and using malicious or fake packages from popular open source package managers like NuGet.”
