Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.
The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.
The names of the packages are listed below –
- NCryptYo
- DOMOAuth2_
- IRAOAuth2.0
- SimpleWriter_
The NuGet packages were published to the repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.
According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is dynamically retrieved at runtime. It’s worth noting that NCryptYo attempts to masquerade as the legitimate NCrypto package.
DOMOAuth2_ and IRAOAuth2.0 steal Identity data and backdoor apps, while SimpleWriter_ features unconditional file writing and hidden process execution capabilities while presenting itself as a PDF conversion utility. An analysis of package metadata has revealed identical build environments, indicating that the campaign is the work of a single threat actor.
“NCryptYo is a stage-1 execution-on-load dropper,” security researcher Kush Pandya said. “When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary – a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker’s external C2 server, whose address is resolved dynamically at runtime.”
Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin transmitting the ASP.NET Identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that are then processed by the application to create a persistent backdoor by granting themselves admin roles, modifying access controls, or disabling security checks. SimpleWriter_, for its part, writes threat actor-controlled content to disk and executes the dropped binary with hidden windows.
It’s not exactly clear how users are tricked into downloading these packages, as the attack chain kicks in only after all four of them are installed.
“The campaign’s objective is not to compromise the developer’s machine directly, but to compromise the applications they build,” Pandya explained. “By controlling the authorization layer during development, the threat actor gains access to deployed production applications.”
“When the victim deploys their ASP.NET application with the malicious dependencies, the C2 infrastructure remains active in production,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
