Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection.
The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the previous set that came to light in October 2023, software supply chain security firm ReversingLabs said.
The attackers pivoted from using NuGet’s MSBuild integrations to “a strategy that uses simple, obfuscated downloaders that are inserted into legitimate PE binary files using Intermediary Language (IL) Weaving, a .NET programming technique for modifying an application’s code after compilation,” security researcher Karlo Zanki said.
The end goal of the counterfeit packages, both old and new, is to deliver an off-the-shelf remote access trojan called SeroXen RAT. All the identified packages have since been taken down.
The latest collection of packages is characterized by the use of a novel technique called IL weaving that makes it possible to inject malicious functionality to a legitimate Portable Executable (PE) .NET binary taken from a legitimate NuGet package.
This includes taking popular open-source packages like Guna.UI2.WinForms and patching it with the aforementioned method to create an imposter package that’s named “Gսոa.UI3.Wіnfօrms,” which uses homoglyphs to substitute the letters “u,” “n,” “i,” and “o” with their equivalents “ս” (u057D), “ո” (u0578), “і” (u0456). and “օ” (u0585).
“Threat actors are constantly evolving the methods and tactics they use to compromise and infect their victims with malicious code that is used to extract sensitive data or provide attackers with control over IT assets,” Zanki said.
“This latest campaign highlights new ways in which malicious actors are scheming to fool developers as well as security teams into downloading and using malicious or tampered with packages from popular open source package managers like NuGet.”
