Dubious NuGet Package May Portend Chinese Industrial Espionage

Published: 23/11/2024   Category: security

A .NET package available for download right now is either a stealthy industrial systems backdoor or nothing at all.



Researchers have identified a popular open source package that may be hiding industrial espionage malware.

SqzrFramework480 is a .NET dynamic link library (DLL) that seems to pertain to Bozhon Precision Industry Technology Co., a Chinese manufacturer of consumer electronics and various industrial technologies. The file's stated functions include managing and creating graphical user interfaces (GUIs), initializing and configuring machine vision libraries, adjusting robotic movement settings, and more. It was uploaded to the NuGet open source repository on Jan. 24 and already has 3,000 downloads, as of this writing.
It may, in the end, be no more than what it says it is. But researchers from ReversingLabs flagged SqzrFramework480 as suspicious in a new report, thanks to a method buried inside that appears to do rather malicious things: capturing screenshots, opening a socket, and exfiltrating data to a concealed IP address.

Software developed by Chinese companies has been used in malicious supply chain attacks before, and cyber threats to industrial systems are not new there.

Is SqzrFramework480 a continuation of these trends? The answer lies in its method, Init.
Init's job begins by pinging a remote IP address. This IP address is stored as a byte array, where each byte is an ASCII-encoded character.

If the ping isn't successful, the program goes to sleep and tries again 30 seconds later. If it does succeed, it opens up a socket and connects to that IP address. Then it takes a screenshot of the monitor it's installed on, packages it into a byte array, and sends it through the socket.

On one hand, the researchers posited, this could simply be a mechanism for streaming images from a Bozhon camera to a workstation. But certain contextual evidence muddies that theory.

For one thing, the names and classes within SqzrFramework480 tend to have rather nondescript labels; nowhere, for example, could one infer that it captures screenshots. And why is the IP address it pings concealed as a byte array? "That's a kind of suspicious, or uncommon, practice," notes Petar Kirhmajer, the report's author. "Why wouldn't you just include the IP [in plaintext]?"

Besides the lengths taken to obscure Init, there's also the fact that the package was listed by a nondescript NuGet account whose only prior listing was SqzrFramework480.Faker, an obscured version of SqzrFramework480.

In lieu of any smoking gun, SqzrFramework480 remains live and available for download.

"My suggestion would be to not trust every package blindly," Kirhmajer says. "If you can, you should audit them yourself [manually]. And if you don't have the resources to do it yourself, you should use tools to automatically scan those packages."
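The two tells the article describes, an endpoint stored as an ASCII byte array and the ping/socket/screen-capture chain, are exactly what an automated package audit of the kind Kirhmajer recommends can look for. The script below is an added example written for this page; it is not ReversingLabs' tooling nor code from the package. It assumes the .NET assembly under review has already been turned into C# text (for instance with a decompiler such as ILSpy) and that the address is hidden one ASCII character per byte, as described above. The C# fragment it scans is constructed for the example, and its address is an RFC 5737 documentation placeholder, not a real indicator.

```python
"""Audit helper: find network endpoints hidden as byte arrays in decompiled C#.

Added example for this article, not the package's or the researchers' code.
Assumes decompiled C# text as input and the byte-per-ASCII-character encoding
the article describes.
"""
import ipaddress
import re

# Matches C# byte-array initialisers such as
#   new byte[] { 0x31, 0x39, 0x32 }   or   new byte[9] { 49, 57, 50 }
BYTE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\d*\s*\]\s*\{([^}]*)\}")
LITERAL_RE = re.compile(r"0[xX][0-9a-fA-F]+|\d+")
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

# Real .NET members that make up the chain the article describes (ping, raw
# socket, screen capture). The grouping into labels is this example's own.
API_INDICATORS = {
    "ping": re.compile(r"\bnew\s+Ping\s*\(|\bPing\s*\.\s*Send"),
    "socket": re.compile(r"\bnew\s+Socket\s*\(|\bTcpClient\b"),
    "screen_capture": re.compile(r"\bCopyFromScreen\b"),
}

# Constructed sample input. 192.0.2.1 is an RFC 5737 documentation address.
SAMPLE_CS = """\
using System.Drawing;
using System.Net.NetworkInformation;
using System.Net.Sockets;

public static class Init
{
    // 192.0.2.1 is an RFC 5737 documentation address, constructed for this sample
    private static readonly byte[] Target = new byte[] { 0x31, 0x39, 0x32, 0x2E, 0x30, 0x2E, 0x32, 0x2E, 0x31 };
    private static readonly byte[] PngMagic = new byte[] { 0x89, 0x50, 0x4E, 0x47 };   // not printable text
    private static readonly byte[] Greeting = new byte[] { 72, 105 };                  // "Hi", not an endpoint

    public static void Run()
    {
        var reply = new Ping().Send(Encoding.ASCII.GetString(Target));
        var sock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        graphics.CopyFromScreen(0, 0, 0, 0, bounds.Size);
    }
}
"""


def _to_int(tok):
    """Parse a C# integer literal (hex with 0x prefix, or decimal)."""
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def extract_byte_arrays(source):
    """Return (line_number, bytes) for every byte[] initialiser in source."""
    found = []
    for m in BYTE_ARRAY_RE.finditer(source):
        values = [_to_int(tok) for tok in LITERAL_RE.findall(m.group(1))]
        if values and all(0 <= v <= 255 for v in values):
            line = source.count("\n", 0, m.start()) + 1
            found.append((line, bytes(values)))
    return found


def decode_printable(data):
    """Decode bytes as ASCII if every byte is printable; otherwise None."""
    if all(0x20 <= b <= 0x7E for b in data):
        return data.decode("ascii")
    return None


def looks_like_endpoint(text):
    """True if text is an IP address, a host:port pair, or a DNS-style hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        pass
    host, _, port = text.rpartition(":")
    if host and port.isdigit():
        return looks_like_endpoint(host)
    return bool(HOSTNAME_RE.match(text))


def find_hidden_endpoints(source):
    """Byte arrays whose ASCII decoding is a network endpoint, as (line, decoded)."""
    hits = []
    for line, data in extract_byte_arrays(source):
        decoded = decode_printable(data)
        if decoded and looks_like_endpoint(decoded):
            hits.append((line, decoded))
    return hits


def find_api_indicators(source):
    """Which indicator API families (ping, socket, screen_capture) appear in source."""
    return sorted(name for name, rx in API_INDICATORS.items() if rx.search(source))


def audit(source):
    """Combine both checks. 'matches_pattern' is true only when a concealed
    endpoint and all three API families are present, the combination the
    article describes; each finding alone is only a lead for manual review."""
    endpoints = find_hidden_endpoints(source)
    apis = find_api_indicators(source)
    return {
        "hidden_endpoints": endpoints,
        "api_indicators": apis,
        "matches_pattern": bool(endpoints) and set(apis) == set(API_INDICATORS),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CS).items():
        print(f"{key}: {value}")
```

Run against decompiled output of a package you are evaluating, one source file at a time. A hit in `hidden_endpoints` is the cheap, high-signal check: a legitimate library has little reason to spell an address out as bytes, so every such finding deserves a look even when the API chain is incomplete.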
