Rewterz Threat Update – SeroXen RAT Malware Distributed via Malicious NuGet Packages

Severity

Medium

Analysis Summary

Experts have discovered a new set of malicious packages uploaded to the NuGet package manager, stealthily using a lesser-known method for deploying malware. This campaign appears to be coordinated and has been ongoing since 1^st August, 2023. It has been observed to deliver a remote access trojan dubbed as SeroXen RAT.

The researchers stated in a report, “Research shows how malicious actors are continuously improving their techniques and responding to the disruption of their campaigns. Specifically, threat actors have moved from simple downloaders executing inside install scripts to a more refined approach that exploits NuGet’s MSBuild integrations feature.”

The packages used in the campaign pretend to be popular, legitimate packages and exploit NuGet’s MSBuild integrations feature to inject malicious code into the victim devices using a feature called inline tasks which can be used to achieve code execution. This is the first known example of a published malware on NuGet repository that exploits the inline tasks feature to execute it. Some of these packages are:

• KucoinExchange.Net
• Pathoschild.Stardew.Mod.Build.Config
• Kraken.Exchange
• SolanaWallet
• DiscordsRpc
• Monero
• MinecraftPocket.Server
• Modern.Winform.UI
• IAmRoot
• Betalgo.Open.AI
• ZendeskApi.Client.V2
• Forge.Open.AI
• CData.NetSuite.Net.Framework
• Pathoschild.Stardew.Mod.BuildConfig
• CData.Snowflake.API
• CData.Salesforce.Net.Framework

These packages have been removed now, and they shared similar characteristics with each other. For example, the threat actors behind the campaign tried to hide the malicious code by using spaces and tabs for moving it out of view of the default screen width.

They also have their download counts artificially inflated so they appear legitimate and trick unsuspecting users into downloading them. The goal of these malicious packages is to act as a decoy in order to retrieve the second-stage .NET payload that is placed on a throwaway GitHub repository.

Impact

• Code Execution
• Malware Installation

Remediation

• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.