NuGet listing for Sicoob.Sdk captured during the investigation | Image: Socket
A new supply chain threat has targeted financial software developers. Security researchers at Socket uncovered a Sicoob SDK banking malware operation in which threat actors uploaded a fraudulent package called Sicoob.Sdk to the NuGet package registry. The rogue library mimics official C# developer tooling in order to deceive financial organizations, and developers who pull it into their environment expose their infrastructure to serious risk. Engineering teams that integrate with Sicoob should review their external package dependencies immediately.
Understanding the Infiltration Map
Sicoob is one of the largest cooperative financial systems operating in Brazil, so automated tools and enterprise APIs constantly handle sensitive transaction material for millions of users. The threat actors took advantage of this busy financial ecosystem by creating a realistic decoy package. To maximize its reach, the fake library explicitly claimed to manage mutual TLS certificates natively in modern .NET 8 environments.
Security scanners flagged versions 2.0.0 through 2.0.4 as malicious. Analysts confirmed that the package carries out a NuGet supply chain attack against the networks of anyone who installs it. The credential-harvesting logic sits in a constructor-time execution path: it runs the moment the SDK's client object is created during normal use, so no attacker-initiated call is needed and the data is already gone before any safety check in the calling application can intervene.
The Exfiltration of Private Keys
The payload targets critical data during the initial configuration phase. Specifically, “When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the package reads the PFX file from disk, base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party Sentry endpoint”. A PFX (PKCS#12) archive typically holds the client certificate together with its private key, so exfiltrating the file and its password hands the attacker the complete credential. The malware also silently records raw invoice records and transaction responses. Sentry is a legitimate error-monitoring service, which lets the traffic pass as ordinary application telemetry, but shipping certificate material, passwords and transaction data is unauthorized harvesting, not diagnostics.
A Clever GitHub Source Façade
The malicious actors also built an infrastructure layer to mask their behavior. They established a public GitHub organization named Sicoob-Cooperativa whose source repositories presented normal, benign SDK behavior to anyone who looked.
However, the repository and the published binary differed substantially. The team noted, “The visible source does not contain the Sentry initialization, Sentry message capture, hardcoded Sentry endpoint, PFX file-read telemetry path, or base64 certificate exfiltration logic found in the distributed NuGet DLL”. The attackers used the clean public repository as a façade, and because a review of the linked source would show nothing wrong, this trick masked the active Sicoob SDK banking malware from standard code reviews. The lesson for defenders is that the artifact actually installed from the registry, not the repository it claims to come from, is what needs to be inspected.
Severe Potential Financial Damage
The consequences of a successful compromise can be severe for an enterprise, since an adversary holding the stolen client ID, certificate and password can authenticate to the bank's APIs as the victim without touching the victim's perimeter. “Depending on the permissions tied to the client ID and certificate, the threat actor could generate tokens and access financial API data, Pix instant-payment operations, boleto operations, account balances and statements, payments, transfers, investment data, savings account data, or Open Finance consent and payment-initiation functions”. Continuous integration and delivery pipelines are exposed as well: build jobs frequently hold these PFX files and passwords as high-privilege secrets, so a build or test step that instantiates the client leaks production credentials just as a developer workstation would.
Search Systems Amplifying Risks
The campaign also benefited from search engines, which widened its pool of potential victims: automated search summaries surfaced the malicious artifact as an ordinary recommendation. “The impersonation also extended into developer discovery paths: during the investigation, Google’s AI search experience surfaced Sicoob.Sdk as the NuGet package for .NET-based Sicoob API integration, increasing the likelihood that developers could land on the malicious package through routine search.” Engineers who trusted the summary had no reason to question the package it pointed to. This amplification highlights the growing complexity of modern package discovery channels, where a search result or AI summary is not evidence that a package is the official one.
Immediate Remediation Requirements
NuGet administrators blocked the rogue account after receiving reports, but engineers must still inspect their own environments to confirm they are clean. “Organizations should remove Sicoob.Sdk immediately and determine whether any application, developer workstation, build job, or production service instantiated SicoobClient with real credentials”.
Any PFX material that was reachable by the package should be treated as fully compromised: revoke the affected certificates and credentials and rotate the associated passwords immediately. Security operations teams should also review access logs on the Sicoob API side for token issuance and requests from unexpected source IP addresses. Auditing what a dependency actually does, rather than what its listing or linked repository claims, remains the most reliable defense for modern software supply chains.
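The remediation step above, and the constructor-time behavior described earlier, both come down to two questions: does a codebase reference an affected Sicoob.Sdk version, and where does it call the SicoobClient constructor? The following scanner answers both for a .NET source tree. It is an added example written for this article, not Socket's tooling; the package id, affected version list and constructor name come from the report, while the sample project file and C# line are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE_ID = "sicoob.sdk"                                  # NuGet ids are case-insensitive
AFFECTED = {"2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4"}   # versions flagged in the report
CTOR_RE = re.compile(r"\bnew\s+SicoobClient\s*\(")         # constructor that triggers exfiltration

def _local(tag: str) -> str:  # strip an XML namespace prefix: {ns}Tag -> Tag
    return tag.rsplit("}", 1)[-1]

def package_refs(xml_text: str):
    """Yield (package_id, version) pairs from a .csproj or packages.config document."""
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "PackageReference":              # SDK-style project file
            ver = el.get("Version")
            for child in el:                       # <Version> may be a child element instead
                if _local(child.tag) == "Version":
                    ver = (child.text or "").strip()
            yield el.get("Include"), ver
        elif tag == "package":                     # legacy packages.config
            yield el.get("id"), el.get("version")

def affected_refs(xml_text: str) -> list:
    """Return the referenced Sicoob.Sdk versions that fall in the malicious range."""
    return [v for pid, v in package_refs(xml_text)
            if (pid or "").lower() == PACKAGE_ID and v in AFFECTED]

def ctor_call_sites(cs_text: str) -> list:
    """Return 1-based line numbers where SicoobClient is instantiated."""
    return [n for n, line in enumerate(cs_text.splitlines(), 1) if CTOR_RE.search(line)]

def scan_tree(root: Path) -> dict:
    """Walk a checkout and map each file to its finding; an empty dict means nothing found."""
    findings = {}
    for p in root.rglob("*"):
        if p.suffix == ".csproj" or p.name == "packages.config":
            hits = affected_refs(p.read_text(encoding="utf-8-sig", errors="replace"))
            if hits:
                findings[str(p)] = "references Sicoob.Sdk " + ", ".join(hits)
        elif p.suffix == ".cs":
            lines = ctor_call_sites(p.read_text(encoding="utf-8-sig", errors="replace"))
            if lines:
                findings[str(p)] = f"instantiates SicoobClient at lines {lines}"
    return findings

# Constructed sample inputs so the functions can be exercised without a real checkout.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sicoob.Sdk" Version="2.0.3" /></ItemGroup></Project>"""
SAMPLE_CS = 'var api = new SicoobClient(clientId, "client.pfx", pfxPassword);\n'
```

Run `scan_tree(Path("path/to/checkout"))` against each repository and build image; every file it reports on should go on the list of places whose PFX material and passwords must be revoked and rotated, not merely uninstalled.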