October 31, 2023 at 08:18AM
Malicious packages have been discovered on the NuGet package manager, deployed using a lesser-known method. The campaign, ongoing since August 2023, involves rogue packages delivering the SeroXen remote access trojan (RAT). The threat actors behind the campaign are persistent, continuously publishing new malicious packages. The packages imitate popular ones and exploit NuGet’s MSBuild integrations feature to implant malicious code. This is the first known instance of malware published to the NuGet repository using this technique. The packages have artificially inflated download counts and act as a conduit for retrieving a second-stage .NET payload. The threat actor is determined to keep the campaign active.
Key points:
– Cybersecurity researchers have discovered a new method for deploying malware through the NuGet package manager.
– The campaign, which has been ongoing since August 1, 2023, is described as coordinated and linked to rogue NuGet packages delivering the SeroXen remote access trojan (RAT).
– The threat actors behind the campaign are persistent in their efforts to plant malware into the NuGet repository and continuously publish new malicious packages.
– Some of the names of the packages used in the campaign were listed, including imitations of popular packages as well as packages exploiting NuGet’s inline tasks feature.
– The malicious code was hidden by using spaces and tabs to move it out of view, and the packages had artificially inflated download counts to appear more legitimate.
– The decoy packages serve as a conduit for retrieving a second-stage .NET payload from a throwaway GitHub repository.
– The threat actor behind the campaign is meticulous, attentive to detail, and determined to sustain the malicious campaign.
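A defender-side check for the technique summarized above, as an added example that is not from the original report: it scans a `.nupkg` (a ZIP archive) for MSBuild `.props`/`.targets` files in the auto-imported build folders and flags inline tasks and lines whose content is pushed far to the right by whitespace. The 120-column threshold, the sample package and its file names are constructed assumptions.

```python
import io
import re
import zipfile

BUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")
INLINE_TASK = re.compile(r"<UsingTask\b[^>]*\bTaskFactory\s*=|<Code\b", re.I)
PAD_COLUMNS = 120  # assumed threshold for "pushed out of view"; tune to taste


def scan_nupkg(data: bytes) -> list:
    """Return one finding per auto-imported MSBuild file that needs manual review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            low = name.lower()
            if not (low.startswith(BUILD_DIRS) and low.endswith((".props", ".targets"))):
                continue
            text = pkg.read(name).decode("utf-8", errors="replace")
            padded = []
            for lineno, line in enumerate(text.splitlines(), 1):
                wide = line.expandtabs(4)
                body = wide.strip()
                # Content can be pushed off-screen by leading indentation or by
                # a long whitespace gap after visible text on the same line.
                lead = len(wide) - len(wide.lstrip())
                gap = max((len(g) for g in re.findall(r" {2,}", body)), default=0)
                if body and max(lead, gap) >= PAD_COLUMNS:
                    padded.append(lineno)
            inline = bool(INLINE_TASK.search(text))
            if inline or padded:
                findings.append({"file": name, "inline_task": inline, "padded_lines": padded})
    return findings


def build_sample() -> bytes:
    """Constructed package (hypothetical names): a plain props file and a padded inline task."""
    pad = " " * 300
    hidden = (
        "<Project>\n"
        f'{pad}<UsingTask TaskName="Demo" TaskFactory="RoslynCodeTaskFactory">\n'
        f'{pad}<Task><Code Type="Fragment" Language="cs">/* placeholder */</Code></Task>\n'
        f"{pad}</UsingTask>\n"
        "</Project>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("build/Demo.Pkg.props", "<Project><PropertyGroup /></Project>\n")
        pkg.writestr("build/Demo.Pkg.targets", hidden)
    return buf.getvalue()
```

A finding is a prompt for manual review, not a verdict: legitimate packages also ship inline tasks, so the whitespace-padding signal is the stronger of the two.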