Full Report
Cybersecurity researchers have discovered four malicious NuGet packages designed to target ASP.NET web application developers and steal sensitive data. The campaign, discovered by Socket, exfiltrates ASP.NET Identity data (user accounts, role assignments, and permission mappings) and manipulates authorization rules to create persistent backdoors in victim applications.
Analysis Summary
# Tool/Technique: Malicious NuGet Packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_)
## Overview
A set of four malicious NuGet packages discovered targeting ASP.NET web application developers. The primary goal is supply chain compromise, specifically compromising the developer environment to inject backdoors and steal sensitive identity data from the resulting deployed applications.
## Technical Details
- Type: Malware Families / Droppers / Backdoors (Deployed via malicious dependencies)
- Platform: .NET/ASP.NET applications (Targeting the build/development environment)
- Capabilities: JIT hooking, local proxy establishment, data exfiltration (ASP.NET Identity data), modification of application authorization rules, persistent backdoor creation, hidden process execution, and file writing.
- First Seen: Packages published between August 12 and 21, 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (Via supply chain compromise)
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain: malicious NuGet packages exfiltrating ASP.NET Identity data (user accounts, role assignments, permission mappings) and manipulating authorization rules to create persistent application backdoors.
- T1566 - Phishing/Malware Distribution (indirectly, as users download packages they trust)
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- TA0005 - Defense Evasion / TA0003 - Persistence
- T1542 - Use Alternate Authentication Material (Implied via backdoor rule modification)
- T1070.004 - File Deletion (NCryptYo relays traffic, potentially cleaning up indicators)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Data relayed through local proxy to external C2)
## Functionality
### Core Capabilities
1. **Initial Payload Delivery (NCryptYo):** Acts as a first-stage dropper loaded upon assembly execution.
2. **JIT Hooking:** Uses Just-In-Time (JIT) compiler hooks to decrypt embedded stage-2 payloads in memory.
3. **Local Proxy Setup:** Deploys a stage-2 binary that establishes a local proxy (e.g., on `localhost:7152`) to relay traffic covertly to the attacker's C2 infrastructure (C2 address resolved dynamically).
4. **Identity Data Theft (DOMOAuth2_, IRAOAuth2.0):** Steals sensitive ASP.NET Identity information: user accounts, role assignments, and permission mappings.
### Advanced Features
1. **Authorization Rule Manipulation:** The C2 server sends back modified authorization rules which the compromised application processes, effectively granting the attacker administrative roles, modifying existing access controls, or disabling security checks in the deployed application codebase/configuration.
2. **Persistence via Application Logic:** Backdoors are established directly within the application's authorization layer, so they persist even after the developer environment is cleaned, for as long as the compromised application build remains deployed.
3. **Covert File Execution (SimpleWriter_):** Features unconditional file writing capabilities and executes dropped binaries with hidden windows, suggesting secondary payload deployment capability.
4. **Masquerading:** `NCryptYo` attempts to impersonate the legitimate `NCrypto` package.
## Indicators of Compromise
- File Hashes: N/A (Specifics not provided in the text)
- File Names: NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_ (Package names)
- Registry Keys: N/A
- Network Indicators: C2 traffic relayed through `localhost:7152` pointing to dynamically resolved attacker-controlled infrastructure (Defanged example: `example-c2[.]com`).
- Behavioral Indicators: Installation and execution upon loading NuGet package assemblies; dynamic decryption/payload staging; creation/manipulation of application authorization configuration upon receiving instructions from the C2.
## Associated Threat Actors
- Single, coordinated threat actor operating under the NuGet profile "hamzazaheer." (No established threat group name provided).
## Detection Methods
- Signature-based detection: Detecting known package assembly hashes or the specific package names/versions in dependency lists.
- Behavioral detection: Monitoring for processes attempting to use JIT hooking techniques or attempting to install and configure local listeners/proxies on standard or custom ports (`localhost:7152`). Monitoring applications attempting to dynamically modify their authorization configuration during runtime initialization.
- YARA rules if available: N/A (Specific rules not detailed).
## Mitigation Strategies
- Prevention measures: Stricter validation and vetting of all third-party dependencies, even from trusted repositories like NuGet. Limiting infrastructure access granted to build and development processes.
- Hardening recommendations: Implementing stricter Content Security Policies (CSP) and security configurations within ASP.NET applications to restrict access control modifications at runtime. Performing dependency scanning during CI/CD pipelines against known malicious packages. Ensuring that application configuration changes are only applied via secure, trusted deployment channels, not from runtime payloads.
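One way to implement the dependency-list check that the detection section (package names/versions in dependency lists) and the mitigation section (dependency scanning in CI/CD) describe, as an added Python example that is not code from Socket or from the report: it parses a `.csproj` and a `packages.lock.json`, flags the four package IDs named above (NuGet IDs are case-insensitive), and also flags any ID within two edits of a legitimate package name, which covers the NCryptYo-for-NCrypto impersonation the report mentions. The sample manifests, the look-alike ID `NCrypt0`, and the `Microsoft.AspNetCore.Identity` entry in the known-good list are constructed/assumed for the demo.

```python
"""Scan .NET dependency manifests for the malicious NuGet IDs named in the report
and for near-miss (typosquat-style) variants of known-good package IDs.

Added example; not part of the Socket report. All manifests below are constructed.
"""
import json
import xml.etree.ElementTree as ET

# Malicious package IDs from the report. NuGet IDs are case-insensitive,
# so every comparison is done on lowercased IDs.
MALICIOUS_IDS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Known-good IDs used for the near-miss check. NCrypto is the package the report
# says NCryptYo impersonates; the second entry is an assumed example of a package
# an ASP.NET Identity project would genuinely reference.
LEGITIMATE_IDS = ("NCrypto", "Microsoft.AspNetCore.Identity")

# Constructed sample manifests (not real project files).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.2.0" />
    <PackageReference Include="NCryptYo" Version="1.0.3" />
  </ItemGroup>
</Project>"""

# "NCrypt0" is a constructed look-alike name for the demo, not a package from the report.
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "SimpleWriter_": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
      "NCrypt0": {"type": "Transitive", "resolved": "2.1.0"}
    }
  }
}"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character deviations from a known-good ID."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def packages_from_csproj(text: str) -> list:
    """Return (id, version) pairs for every <PackageReference> in a .csproj.

    Handles SDK-style projects (no XML namespace) and legacy ones (MSBuild namespace),
    with the version given either as an attribute or as a child element.
    """
    found = []
    for el in ET.fromstring(text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pid = el.get("Include") or el.get("Update")
        if not pid:
            continue
        version = el.get("Version")
        if version is None:
            child = next((c for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = (child.text or "").strip() if child is not None else ""
        found.append((pid, version))
    return found


def packages_from_lock(text: str) -> list:
    """Return (id, resolved version) pairs from packages.lock.json across all target frameworks."""
    data = json.loads(text)
    return [
        (pid, info.get("resolved", ""))
        for deps in data.get("dependencies", {}).values()
        for pid, info in deps.items()
    ]


def classify(packages) -> list:
    """Flag exact matches of known-malicious IDs and near-misses of known-good IDs.

    Returns (id, version, reason) triples; packages with no finding are omitted.
    """
    findings = []
    for pid, version in packages:
        low = pid.lower()
        if low in MALICIOUS_IDS:
            findings.append((pid, version, "known-malicious"))
            continue
        for good in LEGITIMATE_IDS:
            good_low = good.lower()
            if low != good_low and levenshtein(low, good_low) <= 2:
                findings.append((pid, version, f"near-miss of {good}"))
                break
    return findings


if __name__ == "__main__":
    for name, pkgs in (("csproj", packages_from_csproj(SAMPLE_CSPROJ)),
                       ("packages.lock.json", packages_from_lock(SAMPLE_LOCK))):
        for pid, version, reason in classify(pkgs):
            print(f"{name}: {pid} {version} -> {reason}")
```

Run it as a CI step against every project file and lock file in the repository and fail the build on any finding. The exact-match list is the signature-based check; the edit-distance check is the behavioral complement for look-alike names, and its threshold of two edits needs tuning per allow-list, since very short legitimate IDs can sit within two edits of each other.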
## Related Tools/Techniques
- Malicious npm package `ambar-src` (mentioned as part of a wider trend, utilizing preinstall scripts for cross-platform malware delivery: Windows shellcode, Linux reverse shell).
- Supply chain attacks targeting open-source repositories (e.g., typosquatting, dependency confusion).