Infected NuGet Packages Unearthed Distributing the SeroXen Remote Administration Tool

Within the realm of information security, diligent researchers have unveiled a fresh wave of malicious packages distributed via the NuGet package manager. These packages employ a less recognized malware distribution strategy.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

ReversingLabs, a leading software supply chain security company, has been tracking this coordinated and persistent effort since August 1, 2023. They have also established a connection between this campaign and a significant number of malicious NuGet packages responsible for disseminating the SeroXen Remote Administration Tool (RAT).

“The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository and to continuously publish new malicious packages,” Karlo Zanki, a reverse engineer at ReversingLabs, said in a study that was shared with The Hacker News. “The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository,”

Here’s a list of some of these packages and their names:

• Configuration File for the Pathoschild Stardew Mod Build
• The KucoinExchange.Net website
• Exchange of the Kraken
• The Discords RPC
• SolanaWallet.com
• Monero’s Modern.Winform.UI (User Interface)
• Server for Minecraft Pocket Edition
• Root I Am
• Client Version 2 of the Zendesk API
• Forge.Open.AI.Betalgo.Open.AI.Open Source
• Build configuration file for the Pathoschild Stardew Mod.

Additionally, you’ll find frameworks such as CData.NetSuite.Net.Framework, CData.Salesforce.Net.Framework, and CData.Snowflake.API among the available options.

These packages, spanning multiple versions, cleverly mimic well-known packages and leverage NuGet’s MSBuild integrations feature to introduce malicious software to unsuspecting users. This is achieved by making use of a functionality called inline tasks, enabling the execution of code.

“This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware,” according to Zanki.

What sets these now-removed packages apart is their common tactic of concealing malicious code. The threat actors behind this operation used spaces and tabs to move the code out of the default screen width, effectively hiding it from plain view. This distinctive trait separates these packages from the others.

As was previously exposed by Phylum, the downloaded count of the packages has been manipulated in order to give the impression that they are more authentic than they actually are. The end purpose of the decoy packages is to act as a conduit for retrieving a second-stage.NET payload that is housed on a throwaway GitHub repository. This is the final goal of the decoy packages.

“The threat actor behind this campaign is being careful and paying attention to details and is determined to keep this malicious campaign alive and active,” according to Zanki.