Malicious NuGet Package Linked to Industrial Espionage Targets Developers

March 26, 2024 at 01:33PM

Threat hunters have flagged the suspicious “SqzrFramework480” package in NuGet, possibly linked to Chinese firm Bozhon Precision. The package contains a DLL file with features for taking screenshots, pinging a remote IP, and transmitting screenshots over a socket. While motives remain unclear, it highlights the risk of concealed malicious code in software supply chains, emphasizing the need for scrutiny before downloading.

Key Takeaways:

1. Threat hunters identified a suspicious package, SqzrFramework480, in the NuGet package manager designed to target developers working with tools made by a Chinese firm specializing in industrial and digital equipment manufacturing.
2. The package includes a DLL file with features to take screenshots, ping a remote IP address every 30 seconds, and transmit the screenshots over a socket to the connected IP address.
3. The package’s association with the Chinese firm Bozhon Precision Industry Technology Co., Ltd. is evidenced by the use of the company’s logo for the package’s icon and the uploader’s NuGet user account name, “zhaoyushun1999.”
4. The package’s exact motive remains unclear; it may be a tool for industrial espionage, or it may have been leaked from the company.
5. The findings highlight the complex nature of supply chain threats and emphasize the importance of scrutinizing libraries prior to download from open-source repositories like NuGet.
6. Security researcher Petar Kirhmajer emphasized the increasing presence of suspicious and malicious packages in open-source repositories, urging users to exercise caution.
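
As an added illustration of the scrutiny the article recommends (this is editor-written example code, not the package or the researchers' tooling), the script below opens a .nupkg offline, reads its manifest, and flags any bundled assembly whose metadata strings pair screen capture with ping or socket use, the capability mix reported above. The package it inspects is constructed inline; the .NET identifiers are real, while the grouping into capabilities is an assumption.

```python
# Added example (not the article's or the package's code): offline triage of a
# NuGet .nupkg, flagging assemblies that combine screen capture with a network channel.
import io
import zipfile
import xml.etree.ElementTree as ET

# Real .NET BCL identifiers that appear verbatim in a managed assembly's
# metadata string heap; the grouping into capabilities is our assumption.
INDICATORS = {
    "screenshot": ("CopyFromScreen", "System.Drawing"),
    "ping": ("System.Net.NetworkInformation",),
    "socket": ("System.Net.Sockets",),
}

def read_nuspec(z):
    """Pull id/authors/icon from the manifest; None when the package has none."""
    name = next((n for n in z.namelist() if n.endswith(".nuspec")), None)
    if name is None:
        return None
    fields = {}
    for elem in ET.fromstring(z.read(name)).iter():   # tolerate any XML namespace
        fields[elem.tag.split("}")[-1]] = (elem.text or "").strip()
    return {"id": fields.get("id", ""), "authors": fields.get("authors", ""),
            "has_icon": bool(fields.get("icon"))}

def assembly_capabilities(blob):
    """True per capability when any of its indicator strings occur in the bytes."""
    text = blob.decode("latin-1")
    return {cap: any(s in text for s in names) for cap, names in INDICATORS.items()}

def triage(nupkg_bytes):
    """Report manifest fields, per-assembly capabilities, and assemblies that
    pair screen capture with ping or socket use (the pattern in the article)."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        manifest = read_nuspec(z)
        dlls = {n: assembly_capabilities(z.read(n))
                for n in z.namelist() if n.lower().endswith(".dll")}
    flagged = [n for n, c in dlls.items() if c["screenshot"] and (c["socket"] or c["ping"])]
    return {"manifest": manifest, "assemblies": dlls, "flagged": flagged}

def build_sample():
    """Constructed sample package; the DLL body is a stand-in, not a real assembly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.nuspec", "<package><metadata><id>Example</id>"
                   "<authors>someone</authors><icon>icon.png</icon></metadata></package>")
        z.writestr("lib/net48/Example.dll", b"MZ\x90\x00CopyFromScreen\x00"
                   b"System.Net.NetworkInformation\x00System.Net.Sockets\x00")
    return buf.getvalue()
```

Running `triage(build_sample())` returns the report; a string match is only a triage signal, and a flagged assembly still needs manual review.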
