Malicious NuGet Campaign Exploits Homoglyphs and Code Injection to Fool Developers
ReversingLabs, a leading software supply chain security firm, has uncovered a sophisticated malicious campaign targeting the NuGet package manager, a widely-used platform for distributing .NET software components. This campaign, active since August 2023, demonstrates the evolving tactics of threat actors seeking to compromise developer environments and deliver malware.
Initially, attackers employed simple PowerShell scripts within malicious NuGet packages to download and install malware. However, as these methods became easier to detect, the attackers adapted their tactics. They began exploiting NuGet’s MSBuild integrations feature and ultimately resorted to patching legitimate .NET binaries with malicious code using a technique called IL (Intermediate Language) weaving.
Package with a reserved prefix | Image: ReversingLabs
In October 2023, the ReversingLabs (RL) research team identified over 700 malicious packages within the NuGet repository. These packages featured simple PowerShell scripts for initialization and post-installation, embedding malicious downloaders that connected to a command-and-control (C2) server. These packages were easily identifiable by unusual install script links and their lack of legitimate functionality.
As the campaign progressed, the attackers adopted a lesser-known technique exploiting NuGet’s MSBuild integrations. They embedded malicious code into build tasks within *.targets files, ensuring execution every time a project was built. The attackers meticulously crafted their packages to appear trustworthy, using typosquatting, impersonation, and inflated download counts.
By the end of October, the attackers began using IL weaving to inject malicious functionality into legitimate .NET binaries. This technique involves decompiling a legitimate binary, adding the desired malicious functionality, and recompiling it. Libraries like Mono.Cecil and tools like Fody facilitate this process, allowing for sophisticated malware insertion.
A notable tactic in this campaign involved homoglyphs—characters that look similar but have different digital identifiers. For instance, the attackers created a malicious package named Gսոa.UI3.Wіnfօrms, mimicking the legitimate Guna.UI2.WinForms package. This deceit leveraged homoglyph characters like Armenian “ս” and Latin “u,” visually identical but digitally distinct.
The malicious packages used IL weaving to inject a module initializer, ensuring their code executed first when the .NET module loaded. These initializers facilitated the download of a second stage malware, the obfuscated SeroXen RAT. The attackers’ use of DLL files, which require specific execution conditions, further complicated detection.
Developers must exercise heightened caution when incorporating third-party components, even from trusted sources like NuGet. Utilizing advanced security tools like ReversingLabs Spectra Assure, which can analyze binaries for hidden threats, becomes increasingly essential in identifying and mitigating such risks.
