Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Cybersecurity experts have discovered a fresh batch of malicious packages distributed through the NuGet package manager, employing a less conventional technique for deploying malware.

The software supply chain security firm ReversingLabs characterized this campaign as a well-coordinated and persistent effort that has been active since August 1, 2023. They established a connection between the campaign and a collection of illicit NuGet packages, which were found to be distributing a remote access trojan known as SeroXen RAT.

Karlo Zanki, a reverse engineer at ReversingLabs, commented in a report shared with The Hacker News that the threat actors responsible for this activity exhibit unwavering determination to inject malware into the NuGet repository and consistently release fresh malicious packages.

The names of some of the packages are below –

  • Pathoschild.Stardew.Mod.Build.Config
  • KucoinExchange.Net
  • Kraken.Exchange
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Modern.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Client.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • CData.Snowflake.API

These packages, spanning across multiple versions, mimic widely-used packages and leverage NuGet’s MSBuild integration feature to insert malicious code onto targeted systems. This technique, known as inline tasks, is employed to achieve code execution.

“This marks the initial instance of malware being distributed through the NuGet repository by exploiting the inline tasks feature for executing malicious code,” stated Zanki.

The recently removed packages share common traits, with the threat actors endeavoring to hide the malicious code by utilizing spaces and tabs to keep it out of the default screen width’s view.

As previously reported by Phylum, these packages also feature artificially boosted download counts to give the impression of legitimacy. The primary objective of these deceptive packages is to serve as a bridge for obtaining a second-stage .NET payload hosted on a temporary GitHub repository.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!