Hello and welcome to the Friday, October 13th, 2020,

edition of the Sancent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I've already mentioned that on Saturday I'll be speaking here at B-Sides in Jacksonville,

and of course the talk will be about attacks against developers.

So thanks Philem for coming up with a new blog post today with yet another attack that I probably can include in my talk now.

The attack in this case targets.net developers by adding malicious packets to the Nuget Gallery.

Nuget is the packet manager of 4.net and the packages here appear to impersonate some

crypto coin related packages like for example Solana wallet or Krakhan Exchange.

Sadly, these packages all from the same developer called Disti had about 2 million downloads.

Now, in case someone fell for these packages, you will end up with the Cerro Sen rat.

This particular remote access tool is actually sold more or less somewhat commercially for $60,

or you can also get a subscription for $15 a month.

Why would anybody install these packages?

Well, they try to impersonate some legitimate packages,

so essentially it's just typosquoting they're doing here.

The actual matter is then being installed by an install script that will

download the malicious remote access tool via a number of sort of obfuscated PowerShell scripts.

Now it took a while, but earlier on Thursday, Microsoft did remove the malicious packages from Nuget.

Also, the malware installed by these packages has a pretty good antivirus coverage, according to a virus total.

And sometimes it's almost sad to see how old, old Malware is still around and still learning new tricks.

Latest example here comes courtesy of ASEC, who observed a new variant of Shellbot.

...