The Cyber Security News


60 New Malicious Packages Uncovered in NuGet Supply Chain Attack

July 11, 2024

Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection.

The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the previous set that came to light in October 2023, software supply chain security firm ReversingLabs said.

The attackers pivoted from using NuGet’s MSBuild integrations to “a strategy that uses simple, obfuscated downloaders that are inserted into legitimate PE binary files using Intermediary Language (IL) Weaving, a .NET programming technique for modifying an application’s code after compilation,” security researcher Karlo Zanki said.

The end goal of the counterfeit packages, both old and new, is to deliver an off-the-shelf remote access trojan called SeroXen RAT. All the identified packages have since been taken down.

The latest collection of packages is characterized by the use of a novel technique called IL weaving that makes it possible to inject malicious functionality into a legitimate Portable Executable (PE) .NET binary taken from a legitimate NuGet package.

This includes taking popular open-source packages like Guna.UI2.WinForms and patching them with the aforementioned method to create an imposter package named “Gսոa.UI3.Wіnfօrms,” which uses homoglyphs to substitute the letters “u,” “n,” “i,” and “o” with their equivalents “ս” (\u057D), “ո” (\u0578), “і” (\u0456), and “օ” (\u0585).
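A defender-side check for the homoglyph naming described above, as an added example that is not code from ReversingLabs or the original article: it flags dependency IDs that mix scripts and compares their Latin-folded form against an allow-list. The `CONFUSABLES` map covers only the four characters named above; the `TRUSTED` list, the function names and the 0.9 similarity threshold are assumptions.

```python
import difflib
import unicodedata

# The four homoglyphs named in the article, mapped to the Latin letters they
# imitate. Assumption: a production check would load the full Unicode
# confusables table (UTS #39) instead of this short map.
CONFUSABLES = {"\u057d": "u", "\u0578": "n", "\u0456": "i", "\u0585": "o"}

# Constructed allow-list of package IDs a team actually depends on.
TRUSTED = ["Guna.UI2.WinForms", "Newtonsoft.Json"]

# The imposter ID from the article, written with escapes so the non-Latin
# characters are visible in review.
IMPOSTER = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"


def scripts(package_id):
    """Approximate the scripts in use from the first word of each letter's
    Unicode name (LATIN, ARMENIAN, CYRILLIC, ...); the stdlib exposes no
    script property."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in package_id if ch.isalpha()}


def skeleton(package_id):
    """Fold known homoglyphs to Latin and casefold for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in package_id).casefold()


def audit(package_id, trusted_ids=TRUSTED, threshold=0.9):
    """Return findings for one dependency ID; an empty list means clean."""
    findings = []
    used = scripts(package_id)
    if len(used) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(used)))
    non_ascii = [f"U+{ord(c):04X}" for c in package_id if ord(c) > 127]
    if non_ascii:
        findings.append("non-ASCII code points: " + " ".join(non_ascii))
    folded = skeleton(package_id)
    if folded != package_id.casefold():  # at least one homoglyph was folded
        for trusted in trusted_ids:
            ratio = difflib.SequenceMatcher(None, folded, trusted.casefold()).ratio()
            if ratio >= threshold:
                findings.append(f"homoglyph lookalike of {trusted} ({ratio:.2f})")
    return findings


if __name__ == "__main__":
    for name in [IMPOSTER] + TRUSTED:
        print(ascii(name), audit(name) or "ok")
```

Run it over the package IDs in a lock file or `packages.config` before restore; any ID that is not pure ASCII deserves a manual look even when no trusted name matches.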

“Threat actors are constantly evolving the methods and tactics they use to compromise and infect their victims with malicious code that is used to extract sensitive data or provide attackers with control over IT assets,” Zanki said.

“This latest campaign highlights new ways in which malicious actors are scheming to fool developers as well as security teams into downloading and using malicious or tampered with packages from popular open source package managers like NuGet.”

Some parts of this article are sourced from:
thehackernews.com
