Malicious NuGet packages abuse MSBuild to install malware


A new NuGet typosquatting campaign pushes malicious packages that abuse Visual Studio's MSBuild integration to execute code and install malware stealthily.

NuGet is an open-source package manager and software distribution system that lets developers download and incorporate ready-to-run .NET libraries into their projects.

Threat actors who target software distribution systems such as npm and PyPI have recently shown interest in NuGet, which predominantly serves Windows users and has become very popular among software developers.

Hiding code with MSBuild

The latest NuGet campaign was spotted by ReversingLabs on October 15, 2023, using several typosquatting packages to install malware.

Some of the packages seen in this campaign include:

  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • Chronos.Platforms
  • DiscordsRpc
  • Kraken.Exchange
  • KucoinExchange.Net
  • MinecraftPocket.Server
  • Monero
  • Pathoschild.Stardew.Mod.Build.Config
  • SolanaWallet
  • ZendeskApi.Client.V2

The new element in this campaign is that, instead of using the standard approach of placing downloaders in the install scripts, these packages leverage NuGet's MSBuild integration for code execution.

NuGet's MSBuild integration is a feature introduced in NuGet v2.5 with the goals of supporting native projects, automating the build and testing process, and giving developers the ability to define custom actions and resolve dependencies.

When NuGet installs a package containing a '\build' folder, it automatically adds an MSBuild <Import> element to the project, referencing the .targets and .props files in that folder. The build process uses these files to set configurations, properties, and custom tasks.

Although added to enhance the build and packaging process for software projects, this NuGet integration has raised security concerns, as it adds a new way to automatically run scripts when a package is installed.

In the case spotted by ReversingLabs, the malicious code is hidden inside the <packageID>.targets file in the "build" directory as a <Code> block that implements the functionality of the PowerShell scripts used in previous versions of the packages.

Malicious code inside the 'targets' file (ReversingLabs)
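A defender's check for the mechanism described above, added here as an example and not code from the article or from ReversingLabs: it opens a .nupkg (a plain zip), looks at the .targets/.props files NuGet would auto-import, and flags MSBuild elements that execute code (inline <Code> tasks, <Exec>, UsingTask factories) rather than merely setting properties. The two package contents below are constructed samples; the package names and the inert <Code> body are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# MSBuild elements that execute code during restore/build instead of merely setting values;
# only files under build/, buildTransitive/ or buildMultiTargeting/ are auto-imported by NuGet.
RISKY_TAGS = {"Code", "Exec", "UsingTask"}
BUILD_FILE = re.compile(r"^build(Transitive|MultiTargeting)?/.*\.(targets|props)$", re.I)

def local(tag: str) -> str:
    """Drop the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def scan_nupkg(data: bytes) -> list:
    """Return (path, tag, snippet) for every risky element found in auto-imported build files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not BUILD_FILE.match(name):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "ParseError", ""))  # an unparsable build file is itself suspicious
                continue
            for el in root.iter():
                tag = local(el.tag)
                if tag in RISKY_TAGS:
                    snippet = (el.get("Command") or el.get("TaskFactory") or el.text or "").strip()
                    findings.append((name, tag, snippet[:60]))
    return findings

def make_nupkg(files: dict) -> bytes:
    """Build an in-memory .nupkg (a plain zip) from {path: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed sample: a .targets file declaring an inline task with a <Code> body (the pattern in the
# article); the body is an inert placeholder, not a payload.
SUSPICIOUS = make_nupkg({"build/Example.Pkg.targets": """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Demo" TaskFactory="RoslynCodeTaskFactory">
    <Task><Code Type="Fragment" Language="cs">/* placeholder body */</Code></Task>
  </UsingTask>
  <Target Name="Run" BeforeTargets="Build"><Demo /></Target>
</Project>"""})
# Constructed sample: a benign .props file that only sets a property.
BENIGN = make_nupkg({"build/Example.Pkg.props": "<Project><PropertyGroup><Foo>1</Foo></PropertyGroup></Project>"})
```

Run `scan_nupkg(open("some.nupkg", "rb").read())` against a downloaded package before restoring it; any finding in an auto-imported build file deserves a manual look, since legitimate packages rarely need to compile or execute code at build time.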

Upon execution, the code fetches an executable from an external address and runs it in a new process.

Code execution and malware loading process (ReversingLabs)

This technique was first demonstrated by a security researcher in 2019 to illustrate how the MSBuild process can be abused to run code when NuGet packages are installed.

"First, the string artifact in the first line of the file, 'IAmRootDemo', led us to the root of this execution technique," explains ReversingLabs' Karlo Zanki in a report shared with BleepingComputer.

"Several years ago, in 2019, the IAmRoot package was published by C. Augusto Proiete. The purpose of the package: 'To demonstrate that any NuGet package can run arbitrary code on your machine.'"

However, this is the first documented case of threat actors leveraging this feature in malicious NuGet packages.

Evolution of existing campaigns

ReversingLabs reports that the NuGet packages they spotted, which have since been removed, were part of an ongoing campaign that started in August 2023.

However, it didn't abuse MSBuild integration until mid-October.

Earlier versions used PowerShell scripts ('init.ps1') to fetch the malware payload from a GitHub repository.

This indicates that the attackers continually refine their techniques to make the attacks stealthier.

The analysts also report observing strong ties to a campaign reported by Phylum at the start of the month, where the attackers used typosquatting to mimic crypto projects and deliver SeroXen RAT.

ReversingLabs reports that the threat actors immediately attempted to upload new packages after previous ones were removed, showing intent to continue the campaign.