Malicious NuGet Packages Target ASP.NET Developers to Steal Credentials
A sophisticated supply chain attack has emerged, specifically targeting ASP.NET developers through the NuGet package ecosystem. This campaign involves four malicious packages—NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_—designed to steal login credentials and implant persistent backdoors within web applications.
Deceptive Tactics and Package Details
The threat actor, operating under the username hamzazaheer, published these packages between August 12 and 21, 2024. Collectively, they have been downloaded over 4,500 times, indicating a significant reach within the developer community.
– NCryptYo: This package masquerades as a cryptography library by typosquatting the legitimate NCrypto package. Its DLL, named NCrypt.dll, mimics Windows’ native CNG cryptography provider, and its namespace mirrors Microsoft’s cryptography APIs. Upon assembly load, it triggers a static constructor that silently deploys a hidden proxy on localhost port 7152, relaying traffic to an attacker-controlled server.
– DOMOAuth2_ and IRAOAuth2.0: These packages collect ASP.NET Identity data, including user account IDs, role assignments, and permission mappings. The harvested information is transmitted to the attacker’s server via the local proxy established by NCryptYo.
– SimpleWriter_: Posing as a PDF conversion tool, this package writes attacker-controlled files to disk and executes hidden processes without visible windows. Its primary objective is to compromise production applications deployed to end-users.
Technical Analysis and Obfuscation Techniques
Security researchers from Socket.dev identified the full scope of this campaign by tracing shared infrastructure across all four packages. Notably, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ contain identical hardcoded authentication tokens encoded using GZip compression and custom Base64 substitutions, confirming a common origin.
NCryptYo employs Just-In-Time (JIT) compiler hijacking to conceal its malicious behavior. By replacing the standard JIT compilation process with its own hook, the package ensures that malicious code decrypts only at execution time, evading static analysis. The DLL is further protected by .NET Reactor obfuscation, featuring a 14-day expiry timer and anti-debugging mechanisms. Embedded within are five encrypted resources, the largest being a 126 KB payload responsible for establishing the hidden proxy tunnel to the attacker’s server.
Detection Challenges and Recommendations
The obfuscation techniques employed render these malicious packages difficult to detect. For instance, VirusTotal analysis revealed that only 1 out of 72 security vendors flagged NCrypt.dll, highlighting the effectiveness of the evasion strategies.
To mitigate such threats, developers are advised to:
– Verify Package Authenticity: Scrutinize package names, author identities, and download histories before installation.
– Monitor Network Traffic: Be vigilant for unusual localhost port activity, such as traffic on port 7152.
– Implement Automated Scanning: Integrate automated CI/CD pipeline scanning to detect obfuscation markers, static constructor abuse, and embedded encrypted payloads before incorporating any package into production builds.
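The checks above can be partly automated. The script below is an added example written for this article, not tooling from Socket.dev or from the article's author: it reads PackageReference IDs from an ASP.NET project file, flags the four package IDs named above, applies a simple typosquat heuristic (edit distance to an allow-list, and odd suffixes such as a trailing underscore), and scans netstat-style output for a listener on localhost port 7152. The allow-list, the sample .csproj and the sample netstat output are constructed for illustration; the only facts taken from the article are the four malicious package IDs, the legitimate NCrypto name and the port number.

```python
"""
Added example (not part of the article or the Socket.dev report): a small
defensive audit for an ASP.NET project.  The known-good list and sample
inputs are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Package IDs the article names as malicious.
MALICIOUS_IDS = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}

# Assumed allow-list of package IDs the project expects.  "NCrypto" is the
# legitimate package the article says NCryptYo typosquats.
KNOWN_GOOD_IDS = {"NCrypto", "Microsoft.AspNetCore.Identity.EntityFrameworkCore"}

# Localhost port the article associates with the hidden proxy.
PROXY_PORT = 7152


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used here as a cheap typosquat heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_refs(csproj_xml: str) -> list:
    """Return the Include IDs of every PackageReference in a .csproj document."""
    root = ET.fromstring(csproj_xml)
    return [el.attrib["Include"] for el in root.iter("PackageReference") if "Include" in el.attrib]


def audit_packages(ids) -> dict:
    """Classify each ID as 'blocklisted', 'ok', 'suspicious' or 'unknown'."""
    findings = {}
    for pkg in ids:
        if pkg in MALICIOUS_IDS:
            findings[pkg] = "blocklisted"
        elif pkg in KNOWN_GOOD_IDS:
            findings[pkg] = "ok"
        else:
            # Within two edits of an allow-listed name, or an odd suffix such as
            # a trailing underscore / "2.0"-style ending, is worth a closer look.
            near = any(levenshtein(pkg.lower(), good.lower()) <= 2 for good in KNOWN_GOOD_IDS)
            odd = bool(re.search(r"[_\-]$|\d\.\d$", pkg))
            findings[pkg] = "suspicious" if (near or odd) else "unknown"
    return findings


# Matches `netstat -ano` style lines: "TCP  127.0.0.1:7152  0.0.0.0:0  LISTENING  4321"
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.I)


def find_listeners(netstat_output: str, port: int = PROXY_PORT) -> list:
    """Return (local_address, pid) for every TCP listener on `port`."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits


# Constructed sample inputs (not real project files or captures).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="NCrypto" Version="1.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="SimpleWriter_" Version="1.0.1" />
    <PackageReference Include="NCryptoo" Version="2.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:7152         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:7152         127.0.0.1:51000        ESTABLISHED     4321
"""

if __name__ == "__main__":
    for pkg, verdict in audit_packages(package_refs(SAMPLE_CSPROJ)).items():
        print(f"{verdict:12} {pkg}")
    for addr, pid in find_listeners(SAMPLE_NETSTAT):
        print(f"listener on port {PROXY_PORT}: {addr} (pid {pid})")
```

In a CI job you would feed `package_refs` every .csproj (or the packages.lock.json) in the repository and fail the build on any "blocklisted" verdict, treating "suspicious" as a review gate rather than a hard block, since the edit-distance heuristic will also catch legitimately similar names. The netstat check is a host-side complement for developer machines and build agents; a listener on 7152 is only an indicator, so confirm the owning process before acting on it.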
By adopting these practices, developers can enhance their security posture and protect their applications from sophisticated supply chain attacks.