Contemporary Supply Chain Assaults from NuGet to Lazarus - VMRay

From NuGet to Lazarus:  
A Comprehensive Look at Supply Chain Attacks

Q4 – 2023

Uncover supply chain assaults from NuGet to Lazarus: stealthy attacks, cryptocurrency heists, and state-sponsored breaches.


In this chapter, we delve into the intricate landscape of supply chain attacks, a formidable threat vector that continues to evolve in sophistication and impact. As digital ecosystems intertwine, attackers adeptly exploit vulnerabilities in the software supply chain, jeopardizing the integrity and security of widely used applications. 

From stealthy exploits in popular package managers to deceptive trojanized installers and state-sponsored breaches, the diverse tactics employed underscore the critical importance of robust security measures in the software development lifecycle.

NuGet Typosquatting: Unmasking a Stealthy Supply Chain Threat

A new supply-chain attack campaign was discovered targeting the NuGet package manager, which is widely used in .NET projects, via typosquatting. The attackers deployed malicious packages that exploit Visual Studio’s MSBuild integration for stealthy code execution and malware installation.

These packages used typosquatting to mimic legitimate libraries, exploiting MSBuild’s features to run scripts automatically during package installation. This campaign represents a significant threat due to its stealth and the widespread use of NuGet in software development.

Cryptocurrency Wallet Impersonation: The NuGet Supply-Chain Deception

Another supply-chain attack targeting developers using the NuGet package manager was identified, involving malicious packages impersonating popular cryptocurrency wallets and exchanges.

These packages contained XML files that download and execute an obfuscated batch file, leading to the installation of the SeroXen malware. The trojan, marketed as a legitimate program, is known for its low detection rates and robust capabilities, making this attack particularly deceptive and dangerous.
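Both NuGet campaigns above depend on the same mechanism: a package ships an XML build file that MSBuild imports automatically when the package is consumed, and that file carries a task which runs a command. The script below is an added example, not VMRay's tooling, of how a reviewer can triage a downloaded .nupkg for that trait and, at the same time, check whether its id is a near-miss of a well-known package. It assumes, from documented NuGet behaviour, that .targets and .props files under build/ or buildTransitive/ are the auto-imported ones; the sample package, the popular-id list and the hypothetical setup.ps1 path are constructed for the demonstration.

```python
import difflib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
# Folders whose .targets/.props files NuGet wires into the consuming project's build
# (assumption based on documented NuGet conventions).
BUILD_DIRS = ("build/", "buildtransitive/")
# Interpreters and download tools that a library's build hook has no reason to call.
SUSPICIOUS_CMD = re.compile(
    r"\b(powershell|pwsh|cmd(\.exe)?|wscript|cscript|curl|wget|bitsadmin|certutil)\b", re.I
)
# Constructed reference set of well-known package ids for the typosquatting check.
POPULAR = ["Newtonsoft.Json", "Serilog", "Dapper", "AutoMapper"]


def _is_build_hook(name: str) -> bool:
    low = name.lower()
    return low.startswith(BUILD_DIRS) and low.endswith((".targets", ".props"))


def find_exec_tasks(xml_data: bytes) -> list[tuple[str, str]]:
    """Return (target name, command) for every <Exec> task in an MSBuild XML file."""
    root = ET.fromstring(xml_data)
    hits = []
    for elem in root.iter():
        # Accept both the classic namespaced form and SDK-style files without a namespace.
        if elem.tag not in (MSBUILD_NS + "Target", "Target"):
            continue
        for child in elem:
            if child.tag in (MSBUILD_NS + "Exec", "Exec"):
                hits.append((elem.get("Name", "?"), child.get("Command", "")))
    return hits


def scan_nupkg(data: bytes) -> list[str]:
    """Return one finding per Exec task found in an auto-imported build file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:  # a .nupkg is a zip archive
        for name in z.namelist():
            if not _is_build_hook(name):
                continue
            for target, cmd in find_exec_tasks(z.read(name)):
                severity = "HIGH" if SUSPICIOUS_CMD.search(cmd) else "MEDIUM"
                findings.append(f"{severity}: {name} target '{target}' runs Exec: {cmd}")
    return findings


def typosquat_candidates(pkg_id: str, popular=POPULAR, cutoff: float = 0.85) -> list[str]:
    """Popular ids that pkg_id closely resembles without being identical (case-insensitive)."""
    low = pkg_id.lower()
    matches = difflib.get_close_matches(low, [p.lower() for p in popular], n=3, cutoff=cutoff)
    return [m for m in matches if m != low]


def build_sample_nupkg() -> bytes:
    """Constructed package for the demonstration; it only mimics the shape of a hook."""
    targets = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
        '  <Target Name="PostInstallHook" BeforeTargets="Build">\n'
        '    <Exec Command="powershell -File $(MSBuildThisFileDirectory)setup.ps1" />\n'
        '  </Target>\n'
        '</Project>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Newtonsoft.Jsonn.nuspec", "<package />")
        z.writestr("build/Newtonsoft.Jsonn.targets", targets)
        z.writestr("lib/netstandard2.0/Newtonsoft.Jsonn.dll", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_nupkg()
    for line in scan_nupkg(pkg):
        print(line)
    print("resembles:", typosquat_candidates("Newtonsoft.Jsonn"))
```

A finding is only a prompt for review: legitimate native-interop packages do ship build hooks, so the check is meant to gate packages for a human look before restore, not to block on its own.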

Lazarus Group’s Intrusion: CyberLink Breach and Supply Chain Subversion

The Lazarus hacking group, linked to North Korea, breached the Taiwanese multimedia software company CyberLink and abused its access for a supply chain attack. They trojanized a CyberLink installer, hosted on the company’s legitimate update infrastructure, to distribute malware globally.

This incident demonstrates the group’s sophisticated methods, including the use of a legitimate code signing certificate to sign the malicious executable and targeting systems without specific security software. The malware, tracked as LambLoad, selectively executes payloads and establishes persistent access, underscoring the serious threat posed by state-sponsored actors in cyber espionage.

Ledger dApp Connect Kit: A Cryptocurrency Heist through Supply Chain Tactics

In a sophisticated supply chain attack, hackers targeted the Ledger dApp Connect Kit library, injecting malicious code that led to the theft of $600,000 in cryptocurrencies and NFTs from wallets connected to compromised decentralized applications (dApps).

This attack showcases the increasing trend of targeting cryptocurrency assets through software supply chains, highlighting the need for enhanced security measures in the development and maintenance of blockchain-related applications.
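The Connect Kit incident is a dependency changing underneath the applications that use it. The code below is an added example, not Ledger's, of the integrity pin a dApp can keep for a reviewed release of such a library. It assumes the bundle is fetched from a URL at runtime (the summary above does not say how the library was distributed) and uses the browser's Subresource Integrity format, sha384-<base64 digest>, so the same value can also be placed in a script tag's integrity attribute. The bundles, the URL and the fetch callable are constructed.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Produce an SRI-style pin ("sha384-<base64>") for a reviewed bundle."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def verify_bundle(body: bytes, pinned: str) -> bool:
    """True only if body hashes to the pinned value under a supported algorithm."""
    algo, _, expected = pinned.partition("-")
    if algo not in SRI_ALGOS or not expected:
        return False
    actual = base64.b64encode(hashlib.new(algo, body).digest()).decode()
    return hmac.compare_digest(actual, expected)


def load_pinned_bundle(fetch, url: str, pinned: str) -> bytes:
    """Fetch a bundle and fail closed if it does not match the pin.

    `fetch` is any callable returning the response body as bytes (a network
    client in real use; a lambda here). A mismatch raises instead of returning
    the body, so the caller cannot execute an unreviewed version by accident.
    """
    body = fetch(url)
    if not verify_bundle(body, pinned):
        raise RuntimeError(f"integrity check failed for {url}; refusing to load")
    return body


# Constructed bundles: the reviewed release and the same file with extra code appended.
REVIEWED = b"export function connect(p){ return p.request({method:'eth_requestAccounts'}); }\n"
TAMPERED = REVIEWED + b"/* unexpected addition */ console.log('x');\n"
PIN = sri_digest(REVIEWED)  # recorded at review time and stored with the application

if __name__ == "__main__":
    print("pin for reviewed release:", PIN)
    print("reviewed verifies:", verify_bundle(REVIEWED, PIN))
    print("tampered verifies:", verify_bundle(TAMPERED, PIN))
    try:
        load_pinned_bundle(lambda _url: TAMPERED, "https://cdn.example.invalid/connect-kit.js", PIN)
    except RuntimeError as err:
        print(err)
```

The pin has to be updated deliberately with every upgrade, which is the point: a release that nobody on the team reviewed cannot reach users silently, whatever happens upstream.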

Home: VMRay Malware & Phishing Threat Landscape – Q4/2023
