Dubious NuGet Package May Portend Chinese Industrial Espionage

————————————————–

Summary:

The article discusses the potential risks associated with the SqzrFramework480 .NET DLL, which is suspected of containing industrial espionage malware, highlighting the importance of cautious evaluation and auditing of open source packages.

Key Points:

๐Ÿ” SqzrFramework480 is a .NET DLL associated with Bozhon Precision Industry Technology Co., with functions related to GUI management, machine vision, and robotic movement settings.
๐Ÿ“ฅ The package was uploaded to the NuGet repository on Jan. 24 and has already garnered 3,000 downloads.
๐Ÿšจ Researchers flagged SqzrFramework480 as suspicious due to a method that captures screenshots, opens a socket, and exfiltrates data to a hidden IP address.
๐Ÿ”’ The “Init” method of SqzrFramework480 pings a remote IP address, captures a screenshot, and sends it through a socket, raising concerns about its true purpose.
๐Ÿ•ต๏ธโ€โ™‚๏ธ The package’s nondescript labels and the obscured IP address add to the suspicion surrounding its intentions.
๐Ÿ› ๏ธ The author suggests not blindly trusting packages and recommends manual auditing or using tools for automatic scanning.

————————————————–

Researchers have identified a popular open source package that may be hiding industrial espionage malware.

“SqzrFramework480” is a .NET dynamic link library (DLL) that seems to pertain to Bozhon Precision Industry Technology Co., a Chinese manufacturer of consumer electronics and various industrial technologies. The file’s stated functions include managing and creating graphical user interfaces (GUIs), initializing and configuring machine vision libraries, adjusting robotic movement settings, and more. It was uploaded to the NuGet open source repository on Jan. 24 and already has 3,000 downloads, as of this writing.

It may, in the end, be no more than what it says it is. But researchers from ReversingLabs flagged SqzrFramework480 as suspicious in a new report, thanks to a method buried inside that appears to do rather malicious things: capturing screenshots, opening a socket, and exfiltrating data to a concealed IP address.

Is SqzrFramework480 an OT Backdoor?

Software developed by Chinese companies has been used in malicious supply chain attacks before, and cyber threats to industrial systems are not new there.

Is SqzrFramework480 a continuation of these trends? The answer lies in its method, “Init.”

Init’s job begins by pinging a remote IP address. This IP address is stored as a byte array, where each byte is an ASCII-encoded character.

If the ping isn’t successful, the program goes to sleep and tries again 30 seconds later. If it does succeed, it opens up a socket and connects to that IP address. Then it takes a screenshot of the monitor it’s installed on, packages it into a byte array, and sends it through the socket.

On one hand, the researchers posited, this could simply be a mechanism for streaming images from a Bozhon camera to a workstation. But certain contextual evidence muddies that theory.

For one thing, the names and classes within SqzrFramework480 tend to have rather nondescript labels; nowhere, for example, could one infer that it captures screenshots. And why is the IP address it pings concealed as a byte? “That’s a kind of suspicious, or uncommon, practice,” notes Petar Kirhmajer, the report’s author. “Why wouldn’t you just include the IP [in plaintext]?”

Besides the lengths gone to obscure Init, there’s also the fact that the package was listed by a nondescript NuGet account whose only prior listing was “SqzrFramework480.Faker,” an obscured version of SqzrFramework480.

In lieu of any smoking gun, SqzrFramework480 remains live and available for download.

“My suggestion would be to not trust every package blindly,” Kirhmajer says. “If you can, you should audit them yourself [manually]. And if you don’t have the resources to do it yourself, you should use tools to automatically scan those packages.”

Source: https://www.darkreading.com/ics-ot-security/dubious-nuget-package-chinese-industrial-espionage


“An interesting youtube video that may be related to the article above”