Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers
27.3.24 BigBrothers The Hacker News
Threat hunters have identified a suspicious package in the NuGet package manager that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial and digital equipment manufacturing.
The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been downloaded 2,999 times as of writing.
The software supply chain security firm said it did not find any other package that exhibited similar behavior.
However, it theorized that the campaign could likely be used to orchestrate industrial espionage on systems equipped with cameras, machine vision, and robotic arms.
The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company's logo for the package's icon. The package was uploaded by a NuGet user account called "zhaoyushun1999."
Present within the library is a DLL file, "SqzrFramework480.dll", that comes with features to take screenshots, ping a remote IP address every 30 seconds until the operation is successful, and transmit the screenshots over a socket created and connected to said IP address.
"None of those behaviors are resolutely malicious. However, when taken together, they raise alarms," security researcher Petar Kirhmajer said. "The ping serves as a heartbeat check to see if the exfiltration server is alive."
The malicious use of sockets for data communication and exfiltration has been observed in the wild previously, as in the case of the npm package nodejs_net_server.
The exact motive behind the package is unclear as yet, although it's a known fact that adversaries are steadily resorting to concealing nefarious code in seemingly benign software to compromise victims.
An alternate, innocuous explanation could be that the package was leaked by a developer or a third party that works with the company.
"They may also explain seemingly malicious continuous screen capture behavior: it could simply be a way for a developer to stream images from the camera on the main monitor to a worker station," Kirhmajer said.
The ambiguity surrounding the package aside, the findings underscore the complicated nature of supply chain threats, making it imperative that users scrutinize libraries prior to downloading them.
"Open-source repositories like NuGet are increasingly hosting suspicious and malicious packages designed to attract developers and trick them into downloading and incorporating malicious libraries and other modules into their development pipelines," Kirhmajer said.
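As an added illustration (not code from ReversingLabs or from the package), the following Python sketch shows one way to triage a .nupkg before installing it: it flags any DLL in which screenshot, ping, and socket API names all appear together, the combination described above. The marker strings are assumed .NET API names, since the article does not say which APIs the DLL uses, and the sample package is constructed in memory.

```python
import io
import zipfile

# Assumed markers: .NET API names a C# library would typically reference for
# each behaviour. The article does not say which APIs the DLL actually uses.
MARKERS = {
    "screenshot": [b"CopyFromScreen"],
    "ping": [b"System.Net.NetworkInformation"],
    "socket": [b"System.Net.Sockets"],
}

def capabilities(blob):
    """Return the set of behaviours whose marker names appear in a DLL's bytes."""
    return {name for name, needles in MARKERS.items()
            if any(n in blob for n in needles)}

def triage_nupkg(data):
    """Map each DLL in a .nupkg (a zip archive) to its matched behaviours."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for entry in pkg.namelist():
            if entry.lower().endswith(".dll"):
                report[entry] = capabilities(pkg.read(entry))
    return report

def flagged(report):
    """DLLs where all three behaviours co-occur; each alone is unremarkable."""
    return sorted(e for e, caps in report.items() if caps == set(MARKERS))

def build_sample():
    """Constructed sample package: fake DLL bodies holding only name strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/net48/Combined.dll",
                   b"MZ\x00CopyFromScreen\x00System.Net.NetworkInformation"
                   b"\x00System.Net.Sockets\x00")
        z.writestr("lib/net48/NetOnly.dll", b"MZ\x00System.Net.Sockets\x00")
        z.writestr("Sample.nuspec", b"<package/>")
    return buf.getvalue()

if __name__ == "__main__":
    rep = triage_nupkg(build_sample())
    for dll, caps in rep.items():
        print(dll, sorted(caps))
    print("review first:", flagged(rep))
```

A match is only a prompt for manual review; obfuscated or native-interop code will not expose these names.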