Threat Advisory

Analysis of Malicious NuGet Packages

By

By

Access Point Consulting

Executive Summary 

There is a prolonged and organized cyber campaign aimed at compromising the NuGet package manager. This campaign, which began in August 2023, is characterized by the deployment of a large number of malicious NuGet packages. The threat actors involved have displayed a high level of sophistication, adapting their tactics over time. Initially, they relied on basic downloaders in install scripts, but they have since transitioned to exploiting NuGet’s MSBuild integrations. This shift in strategy indicates a significant level of technical proficiency and persistence on the part of the attackers.

Attack Vector

The attack vector employed by the threat actors centers around a technique known as “typosquatting.” This method involves creating packages with names that closely resemble popular and trusted ones. This can easily deceive developers who might not notice the subtle differences. Furthermore, the attackers have opted for an unconventional approach by placing their malicious code inside the <packageID>.targets file, located in the “build” directory. Typically, such code is found in initialization and post-installation PowerShell scripts. This deviation from the norm adds an extra layer of obscurity, making it harder for traditional security measures to detect the threat.

Attack Details

Within this campaign, the attackers have implemented a specific sequence of operations. The malicious code embedded within the .targets file is responsible for the download and execution of an executable from a remote location. This action is facilitated by the presence of MSBuild integrations, a feature introduced in NuGet version 2.5. These integrations permit the execution of executable code contained in inline tasks. By leveraging this capability, the attackers can run their malicious code in a manner that doesn’t immediately trigger conventional security alarms.

Tactics, Techniques, and Procedures (TTPs)

T1189 - Drive-by compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

T1035 - Service Execution

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.

T1105 – Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

T1027 - Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

T1564.001 - Hide Artifacts: Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).

Associated Bulletins

Malicious NuGet packages abuse MSBuild to install malware (bleepingcomputer.com)

IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations (reversinglabs.com)

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more