Targeted by Malicious NuGet Package: .NET Developers Exposed to SeroXen RAT

    A malicious package named Pathoschild.Stardew.Mod.Build.Config, carrying the SeroXen remote access trojan (RAT), has been found on NuGet, the package manager for .NET. (NuGet itself was not breached; the package was published to the public feed like any other.) Published by a user named Disti, it imitates the legitimate package Pathoschild.Stardew.ModBuildConfig: the two IDs differ only in where the dots fall. The malicious package's download count has been artificially inflated to more than 100,000, higher than the roughly 79,000 downloads of the legitimate package it copies, so the count itself cannot be used to tell the two apart.

    Disti has also published six other packages with a combined 2.1 million downloads, a figure that should be read with the same scepticism. Four of them pose as client libraries for the Kraken, KuCoin, Solana and Monero crypto services, and they too deploy the SeroXen RAT.

    The attack begins at install time. The package ships a script at tools/init.ps1, which NuGet runs in the Visual Studio Package Manager Console when the package is first installed, and it executes arbitrary commands without raising any warning. (The dotnet CLI does not execute PowerShell hooks, so `dotnet add package` or `dotnet restore` would not trigger this stage, but the package would still be on disk.) JFrog documented the same init.ps1 abuse in March 2023. Here the script downloads a file named x.bin, which is not a binary at all but a heavily obfuscated Windows batch script; that batch script in turn assembles and runs another PowerShell script that deploys the SeroXen RAT.
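    The two warning signs in the paragraphs above, an install-time PowerShell hook inside the package and a package ID that collapses to the same string as a trusted one, can both be checked offline before a package is installed. The scanner below is an added example, not code from the article or from Phylum or JFrog; it opens a .nupkg (which is a zip file) and reports the package ID, any tools/*.ps1 hooks, and whether the ID is a punctuation-only lookalike of an ID on a constructed allow-list. The allow-list, the sample packages and the placeholder init.ps1 body are constructed for the example.

```python
# Added example (not from the article, Phylum or JFrog): inspect a .nupkg for
# install-time PowerShell hooks and for package IDs that differ from a trusted ID
# only by punctuation or case, as Pathoschild.Stardew.Mod.Build.Config does.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# PowerShell hooks NuGet has executed from the Visual Studio Package Manager Console.
SUSPICIOUS_HOOKS = {"tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1"}

# Constructed allow-list: package IDs the team actually depends on (assumption).
TRUSTED_IDS = ["Pathoschild.Stardew.ModBuildConfig", "Newtonsoft.Json"]


def normalize_id(package_id):
    """Collapse case and punctuation so Mod.Build.Config == ModBuildConfig."""
    return re.sub(r"[^a-z0-9]", "", package_id.lower())


def package_id_from_nuspec(nuspec_xml):
    """Read <id> from a .nuspec; the namespace is versioned, so match the local name."""
    root = ET.fromstring(nuspec_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "id":
            return (elem.text or "").strip()
    raise ValueError("no <id> in nuspec")


def lookalike_of(package_id, trusted_ids=TRUSTED_IDS):
    """Return the trusted ID this one imitates, or None if exact or unrelated."""
    norm = normalize_id(package_id)
    for trusted in trusted_ids:
        if package_id == trusted:
            return None  # exact match: the package we meant to install
        if normalize_id(trusted) == norm:
            return trusted
    return None


def inspect_nupkg(data):
    """Scan the bytes of a .nupkg and return the findings as a dict."""
    findings = {"id": None, "hooks": [], "lookalike_of": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The .nuspec sits at the archive root, named after the package ID.
        nuspec = next(n for n in names if n.endswith(".nuspec") and "/" not in n)
        findings["id"] = package_id_from_nuspec(z.read(nuspec))
        findings["hooks"] = sorted(n for n in names if n.lower() in SUSPICIOUS_HOOKS)
    findings["lookalike_of"] = lookalike_of(findings["id"])
    return findings


def build_sample_nupkg(package_id, with_init_ps1):
    """Constructed test package with the same layout as a real .nupkg."""
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>{package_id}</id><version>1.0.0</version></metadata></package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{package_id}.nuspec", nuspec)
        if with_init_ps1:
            # Placeholder body; the real sample's init.ps1 fetched a second stage.
            z.writestr("tools/init.ps1",
                       "param($installPath, $toolsPath, $package, $project)\n"
                       "# stage-2 download would go here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for pid, hook in [("Pathoschild.Stardew.Mod.Build.Config", True),
                      ("Pathoschild.Stardew.ModBuildConfig", False)]:
        print(inspect_nupkg(build_sample_nupkg(pid, hook)))
```

    Pointing inspect_nupkg at the bytes of a downloaded .nupkg gives the same three fields; a non-empty hooks list or a non-None lookalike_of is reason to stop and look at the package by hand before installing it.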

    The SeroXen RAT is a fileless RAT that combines the functions of the Quasar RAT, the r77 rootkit, and the NirCmd command-line tool. It is available for purchase for $60, making it easily accessible for cybercriminals.

    The discovery of the SeroXen RAT in NuGet packages highlights the ongoing exploitation of open-source ecosystems and the developers who use them, according to Phylum.

    NuGet is not the only target. The Python Package Index (PyPI) has also received malicious packages that impersonate legitimate offerings from cloud service providers and send harvested credentials to a concealed remote URL. To draw developers in, the attackers combined typosquatting (IDs one edit away from a popular package) with StarJacking, in which a package's metadata points at a well-known GitHub repository so that it appears to inherit that project's star count and reputation.

    Developers should verify a package before installing it, and should not treat download or star counts as evidence of legitimacy, since both can be manufactured. Practical checks are to match the package ID character for character against the one the upstream project publishes, confirm the owner account, and look at the package contents (in particular any PowerShell under tools/) before it reaches a machine where Visual Studio will run it. Software supply chain security is a critical part of ensuring the integrity and security of the applications built on these packages.
