Detection of Malicious NuGet Packages Distributing SeroXen RAT Malware

Cybersecurity experts recently uncovered new malicious packages in the NuGet package manager. The campaign kicked off on August 1, 2023, and delivers a remote access trojan named SeroXen RAT via deceptive NuGet packages. The software supply chain security firm ReversingLabs has characterised the campaign as both ongoing and meticulously coordinated.

ReversingLabs notes that the actors behind this campaign keep trying to breach the NuGet repository and keep publishing new rogue packages. Karlo Zanki, a reverse engineer at ReversingLabs, told The Hacker News that the packages abuse a loophole in NuGet's MSBuild integration: the inline tasks feature, which lets a package's build script plant and run malicious code on the targeted systems.

Some of the affected packages carry well-known names, including Pathoschild.Stardew.Mod.Build.Config, KucoinExchange.Net, and Kraken.Exchange. Notably, this is the first time malware exploiting the inline tasks feature has appeared in the NuGet repository. The malicious packages, since removed, cleverly use spaces and tabs to hide their malicious code, and their download counts were inflated to make them look more genuine. Finally, the rogue packages fetch a second-stage .NET payload from a temporary GitHub repository.

Zanki underscores the threat actor's tenacity in this campaign, pointing to their meticulous efforts to keep this malicious drive both active and concealed.
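The two traits the article attributes to these packages, an MSBuild inline task declared in a package's `.targets`/`.props` file and long runs of spaces or tabs used to hide code, can both be checked for before a package is consumed. The following scanner is an added example written for this page; it is not ReversingLabs' tooling and it does not reproduce any of the packages named above. It opens a `.nupkg` (a zip archive), reads every `.targets` and `.props` file, and flags `UsingTask` elements that use the `CodeTaskFactory` or `RoslynCodeTaskFactory` inline task factories, any inline `<Code>` element, and any line containing 200 or more consecutive spaces or tabs. The two sample packages are constructed inline, and the 200-character whitespace threshold is an assumed heuristic, not a value from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# MSBuild task factories that compile and run code embedded in the project file
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Assumed heuristic: a run this long on one line is rarely legitimate formatting
WHITESPACE_RUN = re.compile(r"[ \t]{200,}")


def scan_msbuild_xml(name: str, text: str) -> list[str]:
    """Return a list of findings for one .targets/.props file."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"{name}: unparseable XML ({exc})"]
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the MSBuild XML namespace
        if tag == "UsingTask":
            factory = el.get("TaskFactory", "")
            if factory in INLINE_TASK_FACTORIES:
                findings.append(
                    f"{name}: inline task factory {factory} "
                    f"for task {el.get('TaskName')}"
                )
        elif tag == "Code":
            body = el.text or ""
            findings.append(
                f"{name}: inline <Code> element "
                f"({len(body)} chars of {el.get('Language', 'cs')})"
            )
    if WHITESPACE_RUN.search(text):
        findings.append(
            f"{name}: run of 200+ spaces/tabs on one line "
            "(possible off-screen hiding of code)"
        )
    return findings


def scan_nupkg(data: bytes) -> list[str]:
    """Scan the MSBuild files shipped inside a .nupkg archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.filename.lower().endswith((".targets", ".props")):
                text = archive.read(info).decode("utf-8", "replace")
                findings.extend(scan_msbuild_xml(info.filename, text))
    return findings


def build_sample_nupkg(malicious: bool) -> bytes:
    """Constructed sample package: a benign .targets, or one with an inline task."""
    ns = 'xmlns="http://schemas.microsoft.com/developer/msbuild/2003"'
    benign = (
        f"<Project {ns}>\n"
        "  <PropertyGroup>\n    <ExampleSetting>true</ExampleSetting>\n"
        "  </PropertyGroup>\n</Project>\n"
    )
    # Inline task padded with 300 spaces so the <Code> element sits far to the right
    inline = (
        f"<Project {ns}>\n"
        '  <UsingTask TaskName="ExampleInline" TaskFactory="CodeTaskFactory"\n'
        '             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">\n'
        "    <Task>" + " " * 300 + '<Code Type="Fragment" Language="cs">\n'
        "      // placeholder body; only logs a message in this constructed sample\n"
        '      Log.LogMessage("example");\n'
        "    </Code></Task>\n"
        "  </UsingTask>\n"
        '  <Target Name="RunOnBuild" BeforeTargets="Build">\n'
        "    <ExampleInline />\n"
        "  </Target>\n</Project>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Example.Package.nuspec", "<package/>")
        archive.writestr("build/Example.Package.targets", inline if malicious else benign)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("benign", False), ("inline-task", True)):
        print(label, scan_nupkg(build_sample_nupkg(pkg)) or ["no findings"])
```

Running the block scans the two constructed packages; the benign one yields no findings and the inline-task one yields three (the task factory, the `<Code>` element, and the whitespace run). Inline tasks do have legitimate uses, so the output is a triage signal for a review queue rather than a verdict, and the whitespace threshold should be tuned against the packages an organisation actually consumes.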
