Malicious NuGet packages with millions of downloads are targeting users everywhere
Cybersecurity researchers at Phylum recently discovered a malware campaign on the NuGet package manager for the .NET Framework, attempting to trick people into infecting their endpoints with a remote access trojan (RAT) called SeroXen.
The unnamed threat actors updated a malicious package called Pathoschild.Stardew.Mod.Build.Config, a typosquat of a legitimate package with a similar name: Pathoschild.Stardew.ModBuildConfig. When the package runs, it triggers a PowerShell script, which downloads a file called x.bin (which is actually a Windows Batch script). This file builds and runs another PowerShell script that ultimately provides the SeroXen RAT.
For typosquatting attacks to work, victims must be distracted, burned out, or downright reckless. In this case, the attackers went one step further in an attempt to build legitimacy: they artificially increased the number of downloads. So while the correct package has around 80,000 downloads, the malicious package has more than 100,000 downloads. That way, even developers with a little more due diligence can still be tricked into downloading the wrong package.
Off the shelf
SeroXen is described as off-the-shelf malware and costs $60 for a lifetime bundle. The fileless RAT combines the features of Quasar RAT, the r77 rootkit, and the Windows command-line utility NirCmd, reports The Hacker News. According to Trend Micro’s analysis, SeroXen offers an “extensive list” of features, with some notable features including a Windows Defender guaranteed bypass for both scan time and runtime; FUD scan time and runtime evasion against most antivirus programs; hidden Virtual Network Computing (hVNC) and full modern Windows support.
βThe discovery of SeroXen RAT in NuGet packages only underscores how attackers continue to exploit open-source ecosystems and the developers who use them,β said Phylum.
While the researchers did not elaborate on who the targets might be, they did say that the same account that uploaded SeroXen uploaded six other packages, four of which mimicked libraries for different crypto services.
Through The hacker news