
SeroXen RAT distributed via malicious NuGet package

Threat actors have targeted .NET developers with a malicious NuGet package that typosquats Pathoschild.Stardew.ModBuildConfig and deploys the SeroXen RAT, The Hacker News reports. Attacks begin with a PowerShell script that downloads a Windows Batch script, which in turn executes code that eventually results in the distribution of SeroXen RAT, a fileless trojan featuring Quasar RAT, r77 rootkit, and NirCmd command-line tool capabilities, according to a Phylum report. "The discovery of SeroXen RAT in NuGet packages only underscores how attackers continue to exploit open-source ecosystems and the developers that use them," said Phylum.

Another Phylum report showed that Amazon Web Services, Tencent Cloud, Aliyun, and other cloud services have been impersonated by seven malicious PyPI packages. Such a campaign was also reported by Checkmarx, which discovered that the U.S., China, Singapore, Hong Kong, and Russia accounted for most of the malicious package downloads. "Rather than performing automatic execution, the malicious code within these packages was strategically hidden within functions, designed to trigger only when these functions were called. The attackers leveraged Typosquatting and StarJacking techniques to lure developers to their malicious packages," Checkmarx added.
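For teams that want to catch this kind of lookalike dependency before a restore runs, the following added example (not code from Phylum, Checkmarx, or SC Media) scans a project file's `PackageReference` entries and flags IDs that nearly match, but do not equal, a trusted package ID. The trusted list, the sample project, and the lookalike ID in it are constructed for illustration; the article does not name the malicious package.

```python
import xml.etree.ElementTree as ET

# Assumption: the team maintains a list of package IDs it intends to depend on.
TRUSTED_IDS = ["Pathoschild.Stardew.ModBuildConfig", "Newtonsoft.Json"]

# Constructed project file. The second ID is a made-up lookalike,
# not the name of the package described in the article.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Pathoschild.Stardew.Mod.BuildConfig" Version="4.1.1" />
    <PackageReference Include="Serilog" Version="3.0.1" />
  </ItemGroup>
</Project>"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(pkg_id):
    # NuGet IDs are case-insensitive; dots and dashes are easy to add or drop
    # without changing how a name reads, so compare letters and digits only.
    return "".join(ch for ch in pkg_id.lower() if ch.isalnum())

def find_lookalikes(csproj_text, trusted=TRUSTED_IDS, max_distance=2):
    """Return (referenced_id, trusted_id, distance) for near-miss package IDs."""
    trusted_lower = {t.lower() for t in trusted}
    findings = []
    for el in ET.fromstring(csproj_text).iter():
        # Strip any XML namespace so older, non-SDK project files also match.
        if el.tag.split("}")[-1] != "PackageReference":
            continue
        pkg = el.get("Include")
        if not pkg or pkg.lower() in trusted_lower:
            continue  # exact match with a trusted ID is not a lookalike
        for t in trusted:
            d = edit_distance(normalize(pkg), normalize(t))
            if d <= max_distance:
                findings.append((pkg, t, d))
    return findings

if __name__ == "__main__":
    for pkg, trusted_id, dist in find_lookalikes(SAMPLE_CSPROJ):
        print(f"REVIEW: '{pkg}' resembles trusted '{trusted_id}' (distance {dist})")
```

A name-similarity check only addresses typosquatting; it does not detect StarJacking or malicious code that stays dormant until a function is called.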
