.webp)
Executive Summary
There is a prolonged and organized cyber campaign aimed at compromising the NuGet package manager. This campaign, which began in August 2023, is characterized by the deployment of a large number of malicious NuGet packages. The threat actors involved have displayed a high level of sophistication, adapting their tactics over time. Initially, they relied on basic downloaders in install scripts, but they have since transitioned to exploiting NuGet’s MSBuild integrations. This shift in strategy indicates a significant level of technical proficiency and persistence on the part of the attackers.
Attack Vector
The attack vector employed by the threat actors centers around a technique known as “typosquatting.” This method involves creating packages with names that closely resemble popular and trusted ones. This can easily deceive developers who might not notice the subtle differences. Furthermore, the attackers have opted for an unconventional approach by placing their malicious code inside the <packageID>.targets file, located in the “build” directory. Typically, such code is found in initialization and post-installation PowerShell scripts. This deviation from the norm adds an extra layer of obscurity, making it harder for traditional security measures to detect the threat.
Attack Details
Within this campaign, the attackers have implemented a specific sequence of operations. The malicious code embedded within the .targets file is responsible for the download and execution of an executable from a remote location. This action is facilitated by the presence of MSBuild integrations, a feature introduced in NuGet version 2.5. These integrations permit the execution of executable code contained in inline tasks. By leveraging this capability, the attackers can run their malicious code in a manner that doesn’t immediately trigger conventional security alarms.
Tactics, Techniques, and Procedures (TTPs)
T1189 - Drive-by compromise
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.
T1035 - Service Execution
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
T1105 – Ingress Tool Transfer
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
T1027 - Obfuscated Files or Information
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
T1564.001 - Hide Artifacts: Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
Associated Bulletins
Malicious NuGet packages abuse MSBuild to install malware (bleepingcomputer.com)
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations (reversinglabs.com)
.jpg)
