A recent malicious NuGet typosquatting campaign has raised concerns in the cybersecurity community as it exploits Visual Studio’s MSBuild integration to discreetly execute code and deliver malware.
Furthermore, NuGet, an open-source package manager, is widely used by developers to download and integrate .NET libraries into their projects. Threat actors, who have been increasingly targeting software distribution systems like npm and PyPI, are now showing a keen interest in NuGet, particularly because of its popularity among Windows users.
Additionally, the campaign, identified by ReversingLabs on October 15, 2023, employs typosquatting techniques to distribute malware. Instead of the conventional approach of including downloaders in install scripts, these malicious packages leverage NuGet’s MSBuild integration. This integration, introduced in NuGet v2.5, aims to support native projects and streamline the build and testing processes, but it also provides a means for executing code upon package installation. Malicious code is concealed within the <packageID>.targets file in the “build” directory, executing PowerShell scripts to fetch and run an external executable.
This marks the first known case of threat actors exploiting the MSBuild feature in malicious NuGet packages, underscoring the evolving sophistication of their tactics. The campaign, which began in August 2023, has continually refined its methods, notably shifting to MSBuild abuse in mid-October. Earlier iterations utilized PowerShell scripts to fetch malware payloads from GitHub repositories. The presence of strong links to a campaign reported by Phylum earlier in the month, which used typosquatting to mimic cryptocurrency projects and deliver SeroXen RAT, highlights the threat actors’ persistence and intent to continue their malicious activities.
