November 1, 2023 at 08:49AM
Threat actors are continuously publishing malicious NuGet packages as part of an ongoing campaign, exploiting code execution capabilities. The campaign, which began in August, has seen hundreds of malicious packages placed in the NuGet repository. The threat actors adapt their tactics, utilizing typosquatting and placing malicious functionality in .targets files to execute code. ReversingLabs has identified these packages and their strong links to previous attacks delivering malware. The threat actors behind the campaign persistently publish new malicious packages on a daily basis, making detection challenging.
Key takeaways from the meeting notes:
1. Ongoing campaign: There is an ongoing campaign where threat actors are continuously publishing malicious NuGet packages with hidden code execution capabilities. The campaign has been active since at least August and has resulted in several hundred malicious packages being published to the NuGet repository.
2. Evolving tactics: The threat actor behind the campaign has been observed updating tactics in response to disruptions. They are using more sophisticated approaches to code execution, including exploiting NuGet’s MSBuild integrations feature.
3. Typosquatting: Similar to previous attacks targeting other ecosystems like NPM, PyPI, and RubyGEMS, the threat actors are using typosquatting to trick developers into downloading the malicious packages.
4. Malicious functionality placement: Unlike previous malicious NuGet packages, the recently identified ones place the malicious functionality inside the .targets file in the ‘build’ directory. This technique is borrowed from the IAmRoot package and allows automatic execution of the code when built along with other packages.
5. First known example of malware: According to ReversingLabs, this is the first known example of malware published to the NuGet repository exploiting the inline tasks feature to execute malware.
6. Continuous publishing of new packages: The threat actors behind the campaign are persistent in their efforts to plant malware into the NuGet repository. ReversingLabs detects newly published packages on a daily basis, even after previous packages are removed.
7. Related attacks: The campaign appears to have strong links to two previously reported attacks, one delivering the SeroXen RAT and another leading to Impala Stealer infections. These attacks used the same delivery mechanism as the hundreds of malicious packages identified in August.
Overall, it is crucial to stay cautious while downloading packages from the NuGet repository to avoid potential malware infections. Continual monitoring and detection of malicious packages are necessary to mitigate the risks.