After Phylum’s report the attackers pivoted once more and shifted to a different NuGet code execution method that had been recognized for some time however hadn’t been seen within the wild: MSBuild inline duties. This system was demonstrated in 2019 by a developer named C. Augusto Proiete who created a proof-of-concept NuGet package deal known as IAmRoot.
In actual fact, Proiete created his package deal after Microsoft determined to drop assist for the set up.ps1 and uninstall.ps1 PowerShell scripts in NuGet model 3 with out offering an alternate. NuGet 2.5 added higher integration with MSBuild to assist configuration choices that don’t exist natively in NuGet.
“To handle NuGet’s configuration limitations, we’re relying closely on MSBuild properties and targets for native packages,” the NuGet builders mentioned on the time. “These MSBuild properties and targets do the heavy lifting of offering references at construct time, based mostly in your venture’s configuration. To make MSBuild integration higher, NuGet has created a brand new conference for routinely importing MSBuild properties and targets from a NuGet package deal. Alongside the present content material, lib, and instruments folders, NuGet now acknowledges a brand new top-level folder: construct. Inside the construct folder, you’ll be able to present a ‘.props’ file and/or a ‘.targets’ file that will probably be routinely imported into the venture.”
The problem is that MSBuild helps a characteristic known as inline duties that enables the construct configuration recordsdata to create duties that may execute code outlined by means of code parts or positioned someplace contained in the venture, resulting in arbitrary code execution.
The IAmRoot reboot
Researchers from ReversingLabs discovered three packages that abused the construct .targets file and have been uploaded to NuGet Gallery on October 15. The packages have been known as ZendeskApi.Consumer.V2, Betalgo.Open.AI, and Forge.Open.AI, and all have been clearly tied to the continuing marketing campaign that started in August.
“The code encapsulated contained in the <Code> property of this XML file is nearly an identical to the performance current within the PowerShell scripts from the sooner two variations of the package deal,” the researchers mentioned. “When run, it downloads an executable from a distant location and executes it in a brand new course of.”
