Malicious NuGet Package Linked to Industrial Espionage Targets Developers

Avatar
Threat hunters have identified a suspicious package in the NuGet package manager that’s likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing. The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been downloaded 

Threat hunters have identified a suspicious package in the NuGet package manager that’s likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing.

The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been downloaded 2,999 times as of writing.

The software supply chain security firm said it did not find any other package that exhibited similar behavior.

It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms.

The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company’s logo for the package’s icon. It was uploaded by a Nuget user account called “zhaoyushun1999.”

Present within the library is a DLL file “SqzrFramework480.dll” that comes with features to take screenshots, ping a remote IP address after every 30 seconds until the operation is successful, and transmit the screenshots over a socket created and connected to said IP address.

“None of those behaviors are resolutely malicious. However, when taken together, they raise alarms,” security researcher Petar Kirhmajer said. “The ping serves as a heartbeat check to see if the exfiltration server is alive.”

The malicious use of sockets for data communication and exfiltration has been observed in the wild previously, as in the case of the npm package nodejs_net_server.

The exact motive behind the package is unclear as yet, although it’s a known fact that adversaries are steadily resorting to concealing nefarious code in seemingly benign software to compromise victims.

An alternate, innocuous explanation could be that the package was leaked by a developer or a third party that works with the company.

“They may also explain seemingly malicious continuous screen capture behavior: it could simply be a way for a developer to stream images from the camera on the main monitor to a worker station,” Kirhmajer said.

The ambiguity surrounding the package aside, the findings underscore the complicated nature of supply chain threats, making it imperative that users scrutinize libraries prior to downloading them.

“Open-source repositories like NuGet are increasingly hosting suspicious and malicious packages designed to attract developers and trick them into downloading and incorporating malicious libraries and other modules into their development pipelines,” Kirhmajer said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Next Post

CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

Related Posts

Combating IP Leaks into AI Applications with Free Discovery and Risk Reduction Automation

Wing Security announced today that it now offers free discovery and a paid tier for automated control over thousands of AI and AI-powered SaaS applications. This will allow companies to better protect their intellectual property (IP) and data against the growing and evolving risks of AI usage. SaaS applications seem to be multiplying by the day, and so does their integration of AI
Avatar
Read More

Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts. In October 2023, Slovak cybersecurity firm ESET&nbsp
Avatar
Read More