Socket’s Threat Research Team discovered a coordinated NuGet supply chain attack where four malicious packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_) deploy a multi-stage payload that establishes a localhost proxy and exfiltrates ASP.NET Identity data. The packages, published Aug 12–21, 2024 by author hamzazaheer, use typosquatting, heavy .NET obfuscation, JIT compiler hooks and embedded credentials to create persistent backdoors and remote permission injection in victim applications. #NCryptYo #hamzazaheer
Keypoints
- Four malicious NuGet packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_) were published Aug 12–21, 2024 by author hamzazaheer and have accumulated ~4,500 downloads; takedown requests have been submitted to NuGet security.
- NCryptYo is a stage-1 obfuscated dropper that hooks the .NET JIT, decrypts an embedded 126 KB stage-2 binary, writes/injects binaries, and establishes a local proxy on localhost:7152 to relay traffic to the attacker C2.
- DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity authorization data (user IDs, role IDs, role-to-user mappings, module permissions) and accept attacker-controlled permission responses that can grant admin access at runtime.
- SimpleWriter_ unconditionally writes attacker-controlled files to disk and executes local binaries with hidden windows (expects wkhtmltopdf.exe placed by the dropper), allowing file drop and stealthy execution even if C2 is unreachable.
- Strong campaign linkage: three packages share an identical 400+ character compressed auth token, identical build environments and PDB path artifacts, and repeated placeholder metadata indicating common authorship.
- The operation uses multiple obfuscation/anti-analysis layers (Eziriz .NET Reactor, IL virtualization, JIT-level decryption, RSA tamper checks, anti-debugging) plus side-loading and process injection vectors to evade detection.
- Recommended mitigations include auditing dependencies for typosquats, inspecting static constructors, enabling NuGet signature/lock features, CI/CD scanning, and monitoring for unusual localhost ports and obfuscation indicators.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Malicious NuGet packages were published to compromise software dependencies (‘NuGet supply chain attack involving four malicious packages’)
- [T1027] Obfuscated Files or Information – The campaign uses .NET Reactor, IL virtualization, encrypted resources and custom VM bytecode to hide malicious logic (‘protected with an unregistered version of Eziriz’s .NET Reactor obfuscator’)
- [T1055] Process Injection – The stage-2 payload uses VirtualAlloc, WriteProcessMemory and OpenProcess to perform process injection and remote code execution (‘VirtualAlloc + WriteProcessMemory + OpenProcess for process injection’)
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The DLL exports an entry point allowing execution via rundll32.exe and side-loading beyond NuGet installation (‘can execute standalone via rundll32.exe NCrypt.dll,#1’)
- [T1562.001] Impair Defenses – Anti-analysis and anti-debugging checks, RSA signature tamper detection, and a time-bombed obfuscator are used to thwart dynamic analysis (‘checks Debugger.IsAttached and throws “Debugger Detected”’)
- [T1140] Deobfuscate/Decode Files or Information – JIT-level decryption and runtime decoding are used to decrypt embedded method bodies and payloads only at execution time (‘decrypt embedded payloads and deploy a stage-2 binary’)
- [T1071.001] Application Layer Protocol: Web Protocols – The companion packages communicate with a local HTTP proxy on localhost:7152 which relays to the external C2 (‘target https://localhost:7152/api/auth/’)
- [T1572] Protocol Tunneling – A local proxy tunnels application-layer traffic to an external C2 whose address is resolved dynamically at runtime (‘establishes a local proxy on localhost:7152 that relays traffic between the companion packages and the attacker’s external C2 server’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Typosquatting and naming mimicry (package name, DLL filename, namespace) imitate the legitimate NCrypto package and Windows crypto APIs (‘deliberate typosquatting of the legitimate NCrypto package’ and ‘DLL filename NCrypt.dll mimics Windows’ CNG cryptography provider’)
Indicators of Compromise
- [Package Names] NuGet packages used in the supply chain attack – NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_
- [SHA256 Hashes] File hashes for malicious binaries – 7c1a9a681411c528ee2bd291450d955f9d599a03cf34a530d9c526451c63c0aa (NCryptYo/NCrypt.dll), c2ac85bcbf38c6a4e1b4ba971742f126eb0deaf486b7bd396858d98a3773de73 (SimpleWriter_.dll), and 2 more hashes
- [Hardcoded Credential] Embedded authentication token used to authenticate to the C2 – ‘9ujkh@(ik#@!mpoid-0ePpasj@onbxwWmi@lllmcoPiKe:Wc_/pz[cb&#[KW6Dk_-mf&j!fKU.W/*n6/rLLXYPm%D6u’ (400+ character token encoded with custom Base64 substitutions)
- [Localhost Endpoints] Local proxy and API endpoints used for exfiltration and control – https://localhost:7152/api/auth/ (proxy), plus endpoints such as /get-permissions and /update-role-permissions
- [File Names] DLL and binary names associated with the campaign – NCrypt.dll, OAuth2.0.dll and SimpleWriter.dll (examples of deployed artifacts)
- [Author / Publisher] Threat actor identifier on NuGet – hamzazaheer (publisher name used for the packages)
- [PDB Paths] Build artifacts revealing source locations and a shared build environment – E:\Projects\A-Mark\Authorization\OAuth2.0 and E:\Projects\ArhamSoft-Projects\ideal-broccoli\SimpleWriter
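As an added example (not Socket's tooling and not code from the packages), the following Python script shows how the mitigations listed under Keypoints can be applied against the indicators above in a CI job: it matches package IDs from .csproj and packages.lock.json files against the four malicious IDs, flags names within a small edit distance of the imitated NCrypto package as possible typosquats, compares DLL SHA-256 digests to the two hashes published on this page, and finds localhost URLs on port 7152 in configuration. The sample project file, lock file and appsettings are constructed inputs; the two hashes the report omits here are not included, and the known-good list holds only NCrypto because that is the only legitimate name the page gives.

```python
"""Dependency audit for the NuGet campaign described above.

Added example, not Socket's or NuGet's own tooling. Offline checks a CI job can run:
(1) package IDs in .csproj / packages.lock.json against the four malicious IDs,
(2) near-miss names against an allowlist (typosquat check), (3) SHA-256 of DLLs
and localhost URLs in configuration against the published indicators.
"""
import hashlib
import json
import re
from pathlib import Path

# Package IDs and hashes as listed in the report. NuGet IDs are case-insensitive.
MALICIOUS_PACKAGES = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}
MALICIOUS_SHA256 = {
    "7c1a9a681411c528ee2bd291450d955f9d599a03cf34a530d9c526451c63c0aa": "NCryptYo/NCrypt.dll",
    "c2ac85bcbf38c6a4e1b4ba971742f126eb0deaf486b7bd396858d98a3773de73": "SimpleWriter_.dll",
}
# Proxy port named in the report; extend with a baseline of ports your apps legitimately use.
SUSPICIOUS_LOCAL_PORTS = {7152}
# Only NCrypto is named on the page as the imitated package; in practice use your approved list.
KNOWN_GOOD = {"NCrypto"}

_PKG_REF = re.compile(r'<PackageReference\s+[^>]*?Include="([^"]+)"', re.IGNORECASE)
_LOCAL_URL = re.compile(r'https?://(?:localhost|127\.0\.0\.1):(\d+)[^\s"\'<>]*', re.IGNORECASE)

def packages_in_csproj(text: str) -> set[str]:
    """Package IDs referenced by <PackageReference Include="..."/> elements."""
    return set(_PKG_REF.findall(text))

def packages_in_lock(text: str) -> set[str]:
    """Package IDs from packages.lock.json: every target framework, direct and transitive."""
    found: set[str] = set()
    for deps in json.loads(text).get("dependencies", {}).values():
        found.update(deps.keys())
    return found

def find_malicious(names) -> list[str]:
    """Names that match a malicious package ID, compared case-insensitively."""
    bad = {p.lower() for p in MALICIOUS_PACKAGES}
    return sorted(n for n in names if n.lower() in bad)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, case-insensitive; a small distance to a known ID suggests a typosquat."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_typosquats(names, known_good=KNOWN_GOOD, max_distance: int = 2) -> list[tuple[str, str]]:
    """(suspect, imitated) pairs: names within max_distance of a known-good ID but not equal to it."""
    return sorted((n, g) for n in names for g in known_good
                  if n.lower() != g.lower() and edit_distance(n, g) <= max_distance)

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (DLLs can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def match_ioc_hash(digest: str):
    """Label of the matching indicator, or None."""
    return MALICIOUS_SHA256.get(digest.lower())

def suspicious_local_urls(text: str) -> list[str]:
    """localhost URLs in config or source whose port is on the suspicious list."""
    return [m.group(0) for m in _LOCAL_URL.finditer(text)
            if int(m.group(1)) in SUSPICIOUS_LOCAL_PORTS]

# Constructed sample inputs for the demo; not taken from the report.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "NCryptYo": {"type": "Direct", "requested": "[1.0.3, )", "resolved": "1.0.3"},
    "DomoAuth2_": {"type": "Transitive", "resolved": "1.0.0"},
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"}}}})
SAMPLE_APPSETTINGS = '{"Auth": {"BaseUrl": "https://localhost:7152/api/auth/"}, "Kestrel": {"Url": "https://localhost:5001"}}'

if __name__ == "__main__":
    names = packages_in_csproj(SAMPLE_CSPROJ) | packages_in_lock(SAMPLE_LOCK)
    print("malicious packages:", find_malicious(names))
    print("possible typosquats:", find_typosquats(names))
    print("suspicious localhost URLs:", suspicious_local_urls(SAMPLE_APPSETTINGS))
```

On a real repository, glob for `*.csproj`, `packages.lock.json`, `appsettings*.json` and the DLLs in `bin/` and `~/.nuget/packages`, and feed them to these functions; the lock file matters because it also covers transitive references that never appear in a .csproj. Treat edit-distance hits as review items rather than verdicts, and pair the script with NuGet's signature verification and a locked-mode restore so a changed package cannot slip in between audit and build.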