October 12, 2023 at 09:57AM
A malicious package named Pathoschild.Stardew.Mod.Build.Config has been found on the NuGet package manager. It delivers a remote access trojan called SeroXen RAT. The package is a typosquat of a legitimate package and has artificially inflated its download count to over 100,000. The profile behind the package has published six other packages that deploy SeroXen RAT. Additionally, there have been seven malicious packages found on the Python Package Index that impersonate legitimate offerings from cloud service providers to steal credentials. These attacks highlight the exploitation of open-source ecosystems.
In the meeting notes, it was discussed that a malicious package called Pathoschild.Stardew.Mod.Build.Config, published on the NuGet package manager for the .NET Framework, was found to deliver a remote access trojan called SeroXen RAT. The package is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig. The malicious variant of the package artificially inflated its download count to surpass 100,000 downloads. The profile behind the package has also published six other packages that masquerade as libraries for crypto services, but are designed to deploy SeroXen RAT.
The attack chain starts during installation of the package with a PowerShell script that ultimately deploys the SeroXen RAT. SeroXen RAT is a fileless RAT that combines the functions of Quasar RAT, the r77 rootkit, and NirCmd. It is offered for sale for $60, making it accessible to cyber criminals.
Furthermore, it was mentioned that seven malicious packages were detected on the Python Package Index (PyPI) repository. These packages impersonate legitimate offerings from cloud service providers like Aliyun, AWS, and Tencent Cloud to steal credentials. The attackers aim to exfiltrate sensitive cloud credentials by inserting a single bit of malicious code into an existing codebase.
It was also noted that the malicious campaign targets Telegram through a deceptive package named telethon2 that mimics the legitimate Python library, telethon.
Finally, another campaign aimed at PyPI was exposed. This campaign involved seeding the software supply chain with 271 malicious Python packages to steal sensitive data and cryptocurrency from Windows hosts. The packages were downloaded approximately 75,000 times before being taken down.
It is important to be vigilant when downloading packages from open-source ecosystems and to verify the legitimacy of the packages to ensure the security of systems and sensitive data.