Suspicious NuGet Package Harvesting Information From Industrial Systems

A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon.

A suspicious NuGet package designed to harvest data from industrial systems appears to be targeting developers who use technology from Chinese company Bozhon, ReversingLabs reports.

Named SqzrFramework480 and published on the NuGet repository in January 2024, the package is a .NET library responsible for calibrating robotic movement settings, managing and creating GUIs, initializing and configuring machine vision libraries, and more.

However, it can also harvest various types of information from industrial systems such as cameras and robotic arms, take screenshots, send ping packets, and open sockets for data transfer.

“None of those behaviors are resolutely malicious. However, when taken together, they raise alarms. For example, we can assume that the screenshots that are being taken are sent to the remote server via the open socket. The ping serves as a heartbeat check to see if the exfiltration server is alive,” ReversingLabs notes.

The function that takes screenshots, which is not explicitly declared in the code, operates in a continuous loop if successful, capturing the primary screen every minute and sending the information to a remote IP address, via the opened socket.

According to the security firm, however, it is unclear how the function that initializes the entire operation is executed, with one explanation being that “SqzrFramework480.dll has been written as a help library” and the function needs to be explicitly called by the developer using it.

The package appears linked to Bozhon Precision Industry Technology Co., Ltd., an industrial and digital equipment manufacturer based in China. ReversingLabs’ attempts to communicate with the company regarding the package have remained unsuccessful.

While it does believe that the package could be malicious, ReversingLabs does not have a clear explanation as to why it was published to NuGet or what its actual purpose is.


On the one hand, it appears to target developers using Bozhon tools in order to exfiltrate data such as credentials, configuration settings, and proprietary information from the infected system by means of screenshots, possibly as part of a supply chain campaign tailored for industrial espionage.

On the other hand, the package might have been published to NuGet by a developer or an independent contractor working for Bozhon, with the data harvesting function being designed for administrative or technical purposes.

Despite its concerns, ReversingLabs says it has not reported SqzrFramework480 to NuGet. The package has been downloaded over 2,400 times since January and remains available for download, but no other packages that could be linked to the campaign have been discovered.
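Because the package is still listed, the practical first step for a .NET shop is to check whether it is referenced anywhere in its own source trees. The script below is an added example, not code from ReversingLabs or SecurityWeek: it walks a directory, parses each .csproj (PackageReference) and packages.config (package id) file, and reports where a watched package id appears; the sample project written by demo() is constructed for the demonstration.

```python
# Added example (not ReversingLabs' or SecurityWeek's code): inventory a .NET
# source tree for a watched NuGet package id. It parses each .csproj
# (PackageReference) and packages.config (<package id=...>) it finds and
# reports where the id appears. The project written by demo() is constructed.
import os
import tempfile
import xml.etree.ElementTree as ET

WATCHLIST = {"sqzrframework480"}  # NuGet package ids are case-insensitive


def package_ids_from_file(path):
    """Return the lower-cased NuGet package ids referenced by one project file."""
    ids = set()
    for el in ET.parse(path).getroot().iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if tag == "PackageReference" and el.get("Include"):  # SDK-style .csproj
            ids.add(el.get("Include").lower())
        elif tag == "package" and el.get("id"):  # classic packages.config
            ids.add(el.get("id").lower())
    return ids


def find_watched_packages(tree_root, watchlist=WATCHLIST):
    """Walk tree_root; return {relative path: sorted matching ids} for each hit."""
    hits = {}
    for dirpath, _, files in os.walk(tree_root):
        for fn in files:
            if fn.lower() != "packages.config" and not fn.lower().endswith(".csproj"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                matches = sorted(package_ids_from_file(path) & set(watchlist))
            except ET.ParseError:
                continue  # malformed project file: skip it rather than abort the scan
            if matches:
                hits[os.path.relpath(path, tree_root)] = matches
    return hits


def demo():
    """Write a constructed sample project and scan the tree containing it."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "Vision"))
    with open(os.path.join(tmp, "Vision", "Vision.csproj"), "w") as fh:
        fh.write('<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                 '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />'
                 '<PackageReference Include="SqzrFramework480" Version="1.0.0" />'
                 '</ItemGroup></Project>')
    return find_watched_packages(tmp)
```

Point find_watched_packages() at a checkout root to scan real projects; a hit only tells you the id is referenced, so follow up by checking the locked version and the build machine's NuGet cache.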

Related: Malicious NuGet Packages Abuse MSBuild Integrations for Code Execution

Related: Malicious NuGet Packages Used to Target .NET Developers

Related: ‘BlazeStealer’ Malware Delivered to Python Developers Looking for Obfuscation Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
