13.8 C
Tuesday, October 31, 2023

Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Oct 31, 2023NewsroomSoftware program Safety / Malware

Malicious NuGet Packages

Cybersecurity researchers have uncovered a brand new set of malicious packages printed to the NuGet bundle supervisor utilizing a lesser-known technique for malware deployment.

Software program provide chain safety agency ReversingLabs described the marketing campaign as coordinated and ongoing since August 1, 2023, whereas linking it to a host of rogue NuGet packages that had been noticed delivering a distant entry trojan referred to as SeroXen RAT.

“The menace actors behind it are tenacious of their need to plant malware into the NuGet repository, and to repeatedly publish new malicious packages,” Karlo Zanki, reverse engineer at ReversingLabs, stated in a report shared with The Hacker Information.


The names of among the packages are under –

  • Pathoschild.Stardew.Mod.Construct.Config
  • KucoinExchange.Internet
  • Kraken.Trade
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Fashionable.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Shopper.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Internet.Framework
  • CData.Salesforce.Internet.Framework
  • CData.Snowflake.API

These packages, which span a number of variations, imitate common packages and exploit NuGet’s MSBuild integrations function to be able to implant malicious code on their victims, a function referred to as inline duties to realize code execution.

Malicious NuGet Packages

“That is the primary recognized instance of malware printed to the NuGet repository exploiting this inline duties function to execute malware,” Zanki stated.

The now-removed packages exhibit comparable traits in that the menace actors behind the operation tried to hide the malicious code by making use of areas and tabs to maneuver it out of view of the default display screen width.

As beforehand disclosed by Phylum, the packages even have artificially inflated downloaded counts to make them seem extra reliable. The final word aim of the decoy packages is to behave as a conduit for retrieving a second-stage .NET payload hosted on a throwaway GitHub repository.

“The menace actor behind this marketing campaign is being cautious and listening to particulars, and is set to maintain this malicious marketing campaign alive and energetic,” Zanki stated.

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we submit.

Latest news
Related news


Please enter your comment!
Please enter your name here