A supply chain attack targeting ASP.NET developers has surfaced on NuGet: malicious packages built to steal login credentials and establish backdoors inside the web applications that consume them.
Four packages, named NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, were uploaded between August 12 and 21, 2024. All four were published under the alias ‘hamzazaheer’ and have collectively amassed over 4,500 downloads.
Deceptive Tactics in Action
The attack relies on careful deception. The NCryptYo package poses as a legitimate cryptography library by imitating the popular NCrypto package. Its assembly is named NCrypt.dll, the same file name as the genuine Windows CNG key storage library, and it mirrors Microsoft’s cryptography API namespaces so that a casual look at the types gives no cause for alarm.
Its malicious code runs from a static constructor. The .NET runtime executes a static constructor the first time it touches the type, so as soon as the assembly is loaded the package silently starts a local proxy on localhost port 7152 that forwards traffic to an attacker-controlled server. No developer ever has to call a method of the package for this to happen.
Shared Infrastructure and Evasion Techniques
Researchers at Socket.dev established the full scope of the campaign by correlating shared infrastructure across the packages. DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ all carry the same hardcoded authentication token, although each package compresses and encodes it differently, which points to a single operator behind all of them.
On VirusTotal only 1 of 72 security vendors flagged NCrypt.dll, a measure of how well the obfuscation hides the malware from conventional signature-based detection.
Advanced Infection Mechanism
NCryptYo uses a technique known as JIT compiler hijacking to keep its real logic away from security scanners. The package hooks the .NET runtime’s method compilation: method bodies are stored encrypted in the assembly and are decrypted only at the moment the JIT is asked to compile them, so a static analyzer that reads the IL from disk never sees the malicious code.
The package is additionally protected with .NET Reactor obfuscation, including a 14-day expiry timer and anti-debugging checks. It embeds encrypted resources, among them a 126 KB payload that sets up the hidden proxy tunnel to the attacker’s server.
Developers should verify package names, authors, and download histories before adding third-party libraries, and should be suspicious of near-duplicates of well-known package names. Monitoring for unexpected listeners or traffic on localhost ports is also recommended. Security teams should consider automated CI/CD pipeline scans that flag obfuscation markers and static constructors doing work a library has no reason to do at load time, so that no such package reaches production.
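The following is an added example of the kind of CI gate suggested above; it is not Socket.dev’s tooling and not code from the malicious packages. It uses the Mono.Cecil library (assumed to be referenced as a NuGet package in a small console project, a hypothetical setup) to open every assembly under a restored packages directory, enumerate static constructors, including the `<Module>` initializer that runs on assembly load, and report any whose IL calls into networking, code-generation, process or native-interop APIs. The namespace list and the directory layout are assumptions chosen for illustration.

```csharp
// Added example: flag static constructors (.cctor) in NuGet assemblies that reach
// into networking, code generation, process creation or native interop.
// Assumes: <PackageReference Include="Mono.Cecil" /> in the project (hypothetical setup).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class StaticCtorScanner
{
    // Type-name prefixes that have no business in code which runs merely because a type was loaded.
    // This list is an assumption for the example; extend it to taste.
    static readonly string[] SuspiciousPrefixes =
    {
        "System.Net.",                            // TcpListener, Socket, HttpClient, WebRequest
        "System.Reflection.Emit",                 // runtime code generation
        "System.Runtime.InteropServices.Marshal", // native memory, often used by JIT-patching stubs
        "System.Diagnostics.Process",             // spawning processes
    };

    // Returns one finding per suspicious static constructor in the given assembly.
    public static List<string> Scan(string assemblyPath)
    {
        var findings = new List<string>();
        var parameters = new ReaderParameters { ReadSymbols = false }; // packages rarely ship pdbs
        using var asm = AssemblyDefinition.ReadAssembly(assemblyPath, parameters);

        foreach (var type in asm.MainModule.GetTypes())
        {
            foreach (var cctor in type.Methods.Where(m => m.IsStatic && m.IsConstructor && m.HasBody))
            {
                var hits = new SortedSet<string>();

                // A module initializer runs as soon as the assembly is loaded, before any type is used.
                if (type.Name == "<Module>")
                    hits.Add("module initializer present");

                foreach (var ins in cctor.Body.Instructions)
                {
                    if (ins.OpCode.FlowControl != FlowControl.Call) continue;
                    if (ins.Operand is not MethodReference callee) continue;

                    var target = callee.DeclaringType.FullName;
                    if (SuspiciousPrefixes.Any(p => target.StartsWith(p, StringComparison.Ordinal)))
                        hits.Add(target + "::" + callee.Name);

                    // In-module callees come back as definitions; a P/Invoke stub called from a
                    // .cctor means native code runs at type-load time.
                    if (callee is MethodDefinition def && def.IsPInvokeImpl)
                        hits.Add("P/Invoke " + def.PInvokeInfo.Module.Name + "!" + def.PInvokeInfo.EntryPoint);
                }

                if (hits.Count > 0)
                    findings.Add($"{Path.GetFileName(assemblyPath)} {type.FullName}::.cctor -> {string.Join(", ", hits)}");
            }
        }
        return findings;
    }

    // Usage: dotnet run -- ~/.nuget/packages   (directory layout is an assumption)
    static int Main(string[] args)
    {
        var root = args.Length > 0 ? args[0] : ".";
        var all = new List<string>();
        foreach (var dll in Directory.EnumerateFiles(root, "*.dll", SearchOption.AllDirectories))
        {
            try { all.AddRange(Scan(dll)); }
            catch (BadImageFormatException) { /* native DLL or resource-only file, skip */ }
        }
        foreach (var f in all) Console.WriteLine("SUSPICIOUS " + f);
        return all.Count == 0 ? 0 : 1; // non-zero exit fails the pipeline stage
    }
}
```

This catches the plain case the article describes, a static constructor that opens a local listener. It will not see through the JIT hooking described earlier, because the real method bodies are encrypted on disk; in that case the `.cctor` typically calls only into the assembly’s own decryption stub and native helpers, so treat any `<Module>` initializer, any P/Invoke from a static constructor, or any call into `Marshal` from load-time code as grounds for manual review rather than relying on the namespace list alone.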
