
Threat hunters have discovered a suspicious package in the NuGet package manager that may be designed to target developers working with tools made by Chinese companies specializing in industrial and digital equipment manufacturing.
The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. As of this writing, the package has been downloaded 2,999 times.
The software supply chain security company said it is not aware of any other software packages exhibiting similar behavior.
It speculates, however, that the package may be intended for industrial espionage against systems equipped with cameras, machine vision and robotic arms.

SqzrFramework480 appears to be connected to a Chinese company called Bozhong Precision Industrial Technology Co., Ltd. This indication comes from the use of a version of the company's logo as the package icon. It was uploaded by a NuGet user account named "zhaoyushun1999".
The library contains a DLL file, "SqzrFramework480.dll", with functionality to take screenshots, ping a remote IP address every 30 seconds until the operation succeeds, and then transfer the screenshots.
"None of these actions are absolutely malicious. However, when combined, they raise alarms," said security researcher Petar Kirhmajer. "The ping acts as a heartbeat check to see if the exfiltration server is active."
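The point that no single behavior is malicious but the combination is suspicious translates directly into a review heuristic. The following is an added example (not ReversingLabs' tooling): it unpacks a .nupkg, which is an ordinary zip, searches each DLL for .NET namespace and member names that mark the three capabilities described above, and flags an assembly only when all three co-occur. The marker strings and the sample package are constructed for the example; the heuristic is coarse and will also match legitimate networking libraries, so its output is a list for human review, not a verdict.

```python
import io
import zipfile

# Marker strings for the three capabilities described above. In a managed
# DLL, referenced namespaces and member names are stored as UTF-8 in the
# metadata #Strings heap, so a byte search finds them without disassembly.
# Namespace and type name are stored separately, hence namespace-only markers.
CAPABILITIES = {
    "screen_capture": [b"CopyFromScreen"],               # Graphics.CopyFromScreen
    "ping": [b"System.Net.NetworkInformation"],          # Ping / PingReply live here
    "socket_transfer": [b"System.Net.Sockets"],          # Socket / TcpClient live here
}

def scan_assembly(data: bytes) -> set[str]:
    """Return the capability tags whose marker strings occur in the DLL bytes."""
    return {tag for tag, markers in CAPABILITIES.items()
            if any(m in data for m in markers)}

def audit_nupkg(nupkg_bytes: bytes) -> dict[str, set[str]]:
    """Scan every DLL inside a .nupkg (a zip) and map its path to capabilities."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".dll"):
                findings[name] = scan_assembly(zf.read(name))
    return findings

def flag(findings: dict[str, set[str]]) -> list[str]:
    """Flag only assemblies where screen capture, ping and socket transfer co-occur."""
    required = {"screen_capture", "ping", "socket_transfer"}
    return sorted(path for path, caps in findings.items() if caps >= required)

def build_sample_nupkg() -> bytes:
    """Constructed sample package (not the real SqzrFramework480): one DLL
    carrying all three markers and one that only references screen capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net48/Suspicious.dll",
                    b"MZ\x90\x00...CopyFromScreen\x00System.Net.NetworkInformation"
                    b"\x00System.Net.Sockets\x00")
        zf.writestr("lib/net48/Benign.dll", b"MZ\x90\x00...CopyFromScreen\x00")
        zf.writestr("Sample.nuspec", b"<package></package>")
    return buf.getvalue()

if __name__ == "__main__":
    for path in flag(audit_nupkg(build_sample_nupkg())):
        print("needs review:", path)
```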

Malicious use of sockets for data communication and exfiltration has previously been observed in the wild, such as in the case of the npm package nodejs_net_server.
The exact motivation behind this package is unclear, but it is well established that threat actors routinely target victims by hiding malicious code in seemingly benign software.

Another, benign explanation could be that the package was leaked by a developer or by a third party working with the company.
"That may also explain the seemingly malicious continuous screen capture behavior: it may just be a way for developers to transfer camera footage from the main monitor to a workstation," Kirhmajer said.
Beyond the ambiguity surrounding this particular package, the findings underscore the complexity of supply chain threats and the need for users to vet libraries before downloading them.
"Open source repositories like NuGet are increasingly hosting suspicious malware packages designed to attract developers and trick them into downloading malicious libraries and other modules and incorporating them into their development pipelines," Kirhmajer said.