Saturday, December 14, 2024
HomeCVE/vulnerabilityMalicious NuGet Campaign Tricking Developers To Inject Malicious Code

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Published on

SIEM as a Service

Hackers often target NuGet as it’s a popular package manager for .NET, which developers widely use to share and consume reusable code. 

Threat actors can distribute malicious code to many projects by compromising the NuGet packages.

In August 2023, ReversingLabs detected a malicious campaign against NuGet and noticed the change in techniques used by the threat actors.

- Advertisement - SIEM as a Service

Malicious NuGet Campaign

Earlier, they had been utilizing simple initialization scripts in more than 700 malignant packages and then switched to using *.targets files to exploit NuGet’s MSBuild integrations.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

The most recent variant uses obfuscated downloaders incorporated into genuine PE binaries using IL weaving.

To appear trustworthy, there were attempts like impersonation, typosquatting, and artificially inflating download counts.

IL weaving (Source – ReversingLabs)

This attack is an example of how these attackers can adjust their tactics as well as grow their skills to compromise the .NET ecosystem further.

This threat actor has been persistently targeting NuGet for over six months with advanced skills that have evolved to use IL weaving techniques.

This method enhances the detection complexity, as it injects malicious module initializers into legitimate .NET binaries.

Lately, attacks include patching DLL files from popular packages such as Guna.UI2.WinForms and using typosquatting to bypass NuGet’s prefix reservation system. Obfuscated SeroXen RAT is downloaded using the injected code.

Package with a reserved prefix (Source – ReversingLabs)

After all, while analyzing compiled binaries might be more complicated than plaintext scripts, ReversingLabs Spectra Assure, among others, can identify suspicious functionalities in these altered packages, consequently illustrating a cat-and-mouse game between threat actors and security measures within the NET ecosystem.

Using homoglyphs to evade prefix reservations, researchers said the NuGet campaign produces packages that look real but aren’t.

Attackers used IL weaving to alter legal DLLs and injected obfuscated module initializers, making malware detection difficult.

About 60 packages and 290 versions were identified by ReversingLabs in this campaign, all of which had already been deleted on NuGet.

This attack’s emerging tactics in supply chain threats involve software such as binary patches and advanced typosquatting.

This is important as it shows that development organizations should be more cautious and use advanced detection techniques against these stealthy attacks aimed at open-source package managers.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...