Cyber: Malicious Nuget Packages Stole Asp.net Data; Npm Package Dropped...

Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.

The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.

The NuGet packages were published to the repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.

According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is dynamically retrieved at runtime. It's worth noting that NCryptYo attempts to masquerade as the legitimate NCrypto package.

DOMOAuth2_ and IRAOAuth2.0 steal Identity data and backdoor apps, while SimpleWriter_ features unconditional file writing and hidden process execution capabilities while presenting itself as a PDF conversion utility. An analysis of package metadata has revealed identical build environments, indicating that the campaign is the work of a single threat actor.

"NCryptYo is a stage-1 execution-on-load dropper," security researcher Kush Pandya said. "When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary - a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker's external C2 server, whose address is resolved dynamically at runtime."

Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin transmitting the ASP.NET Identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that are then processed by the application to create a persistent backdoor by granting themselves admin roles, modifying access controls, or disabling security checks. SimpleWriter_, for its part, writes threat actor-controlled content to disk and executes the dropped binary with hidden windows.

It's not exactly clear how users are tricked into downloading these packages, as the attack chain kicks in only after all four of them are installed.

"The campaign's objective is not to compromise the developer's machine d

Source: The Hacker News