Malicious NuGet packages abuse MSBuild to install malware

October 31, 2023 at 10:29AM

A new NuGet typosquatting campaign has been discovered that uses malicious packages to exploit Visual Studio’s MSBuild integration and install malware. This campaign targets Windows users and is the first documented case of threat actors leveraging this feature in malicious NuGet packages. The attackers continually refine their techniques, with earlier versions using PowerShell scripts to fetch the malware payload. There are also ties to a previous typosquatting campaign that delivered SeroXen RAT.

Key takeaways from the article are as follows:

1. There is a new NuGet typosquatting campaign that involves pushing malicious packages to abuse Visual Studio’s MSBuild integration. The packages are designed to execute code and install malware without detection.
2. NuGet is an open-source package manager that allows developers to download and use .NET libraries for their projects.
3. Threat actors who previously targeted software distribution systems like npm and PyPI are now showing interest in NuGet due to its popularity among Windows users and software developers.
4. In this specific campaign, different typosquatting packages were utilized to install malware. Some examples of these packages include CData.NetSuite.Net.Framework, CData.Salesforce.Net.Framework, DiscordsRpc, Kraken.Exchange, and MinecraftPocket.Server.
5. The unique aspect of this campaign is that instead of using downloaders in the install scripts, the malicious packages exploit NuGet’s MSBuild integration for code execution.
6. NuGet’s MSBuild integration allows for custom actions, dependency resolution, and automation of the build and testing process in software projects. However, this feature has raised security concerns as it enables scripts to run automatically when a package is installed.
7. The malicious code in these packages is hidden within the ‘\build’ folder and is implemented using the property in the .targets file.
8. Upon execution, the code fetches an executable from an external source and runs it in a new process.
9. This technique of abusing the MSBuild process was first demonstrated by a security researcher in 2019, but this is the first documented case of threat actors using it in malicious NuGet packages.
10. The campaign has been ongoing since August 2023, but the attackers only started leveraging MSBuild integrations in mid-October. Earlier versions of the campaign used PowerShell scripts to fetch malware payloads from a GitHub repository.
11. There are indications of a connection between this campaign and another campaign reported earlier in the month, where typosquatting was used to distribute SeroXen RAT, a remote access Trojan.
12. The threat actors behind the campaign are persistent, attempting to upload new packages immediately after previous ones are removed, indicating their intent to continue the campaign.
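
The build-folder behavior in points 6 to 8 can be checked before a package is installed. The following added example is not from the original article: it opens a .nupkg (a ZIP archive) and reports every .props/.targets file under the build folders, with any elements that can run code at build time. The element list (UsingTask, Code, Exec) is an assumed heuristic, and the package name Example.Pkg and the sample contents are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# NuGet imports .props/.targets files from these package folders into the consuming project.
BUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")
# Assumed heuristic (not exhaustive): elements that let an MSBuild file run code during a build.
RISKY = {"usingtask", "code", "exec"}
MAX_BYTES = 1_000_000  # do not parse unexpectedly large XML

def audit_nupkg(data):
    """Return {path: [flags]} for every MSBuild file in the build folders of a .nupkg (bytes)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            path = info.filename.replace("\\", "/").lower()
            if not (path.startswith(BUILD_DIRS) and path.endswith((".targets", ".props"))):
                continue
            if info.file_size > MAX_BYTES:
                findings[info.filename] = ["oversized"]
                continue
            try:
                root = ET.fromstring(pkg.read(info))
            except ET.ParseError:
                findings[info.filename] = ["unparseable"]
                continue
            # Strip XML namespaces so '{ns}Code' and 'Code' both match.
            names = {el.tag.rsplit("}", 1)[-1].lower() for el in root.iter()}
            findings[info.filename] = sorted(names & RISKY)
    return findings

def make_sample_nupkg():
    """Constructed sample: hypothetical package Example.Pkg with an inline-task .targets file."""
    targets = b"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Init" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[/* placeholder: no code */]]></Code></Task>
  </UsingTask>
  <Target Name="RunInit" BeforeTargets="Build"><Init /></Target>
</Project>"""
    props = b"<Project><PropertyGroup><Flag>1</Flag></PropertyGroup></Project>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("build/Example.Pkg.targets", targets)
        z.writestr("build/Example.Pkg.props", props)
        z.writestr("lib/net6.0/Example.Pkg.dll", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for path, flags in audit_nupkg(make_sample_nupkg()).items():
        print(path, "->", flags or "no code-execution elements")
```

Files listed with an empty flag set still deserve a manual read, since any build-folder file is imported into the project automatically.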