After Phylum's report the attackers pivoted once more and shifted to a different NuGet code execution method that had been known for some time but hadn't been seen in the wild: MSBuild inline tasks. This technique was demonstrated in 2019 by a developer named C. Augusto Proiete, who created a proof-of-concept NuGet package called IAmRoot.
In fact, Proiete created his package after Microsoft decided to drop support for the install.ps1 and uninstall.ps1 PowerShell scripts in NuGet version 3 without providing an alternative. NuGet 2.5 added better integration with MSBuild to support configuration options that don't exist natively in NuGet.
"To address NuGet's configuration limitations, we're relying heavily on MSBuild properties and targets for native packages," the NuGet developers said at the time. "These MSBuild properties and targets do the heavy lifting of providing references at build time, based on your project's configuration. To make MSBuild integration better, NuGet has created a new convention for automatically importing MSBuild properties and targets from a NuGet package. Alongside the existing content, lib, and tools folders, NuGet now recognizes a new top-level folder: build. Within the build folder, you can provide a '.props' file and/or a '.targets' file that will be automatically imported into the project."
The problem is that MSBuild supports a feature called inline tasks, which lets these build configuration files declare tasks whose code is either embedded in a code element or loaded from a source file somewhere inside the project, so a .props or .targets file shipped in a package's build folder can lead to arbitrary code execution on the machine that builds the project.
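The detection side of the mechanism just described, as an added example that is not code from the article or from ReversingLabs: the scanner below opens a .nupkg (a zip archive), looks only at .props/.targets files under build/ or buildTransitive/, and reports every UsingTask backed by an inline-code task factory, noting whether the code is embedded or referenced via Source. The sample package, its Example.targets file and the HelloTask name are constructed for the demonstration.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# MSBuild task factories that compile and run code embedded in the project file.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}")[-1]

def find_inline_tasks(nupkg_bytes: bytes) -> list[dict]:
    """Return one finding per inline-code <UsingTask> in the package's build files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not (lower.startswith(("build/", "buildtransitive/"))
                    and lower.endswith((".props", ".targets"))):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A build file MSBuild cannot parse is still worth a look by a human.
                findings.append({"file": name, "task": None, "error": "xml parse error"})
                continue
            for task in root.iter():
                factory = task.get("TaskFactory", "")
                if _local(task.tag) != "UsingTask" or factory.lower() not in INLINE_FACTORIES:
                    continue
                code = next((c for c in task.iter() if _local(c.tag) == "Code"), None)
                findings.append({
                    "file": name,
                    "task": task.get("TaskName"),
                    "factory": factory,
                    "code_type": code.get("Type", "Fragment") if code is not None else None,
                    "code_source": code.get("Source") if code is not None else None,  # external file
                })
    return findings

# Constructed sample: a harmless inline task wired to run before every Build.
SAMPLE_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("inline task ran");</Code></Task>
  </UsingTask>
  <Target Name="RunHello" BeforeTargets="Build"><HelloTask /></Target>
</Project>"""

def build_sample_nupkg(include_targets: bool = True) -> bytes:
    """Build an in-memory .nupkg; the lib entry is an empty placeholder, not a real assembly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net6.0/Example.dll", b"")
        if include_targets:
            zf.writestr("build/Example.targets", SAMPLE_TARGETS)
    return buf.getvalue()
```

Run the scanner over packages in a restore cache or feed mirror before they are built; a non-empty result is a review trigger, since legitimate packages rarely need inline tasks.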
The IAmRoot reboot
Researchers from ReversingLabs found three packages that abused the build .targets file and were uploaded to NuGet Gallery on October 15. The packages were called ZendeskApi.Client.V2, Betalgo.Open.AI, and Forge.Open.AI, and all were clearly tied to the ongoing campaign that began in August.
"The code encapsulated inside the <Code> property of this XML file is almost identical to the functionality present in the PowerShell scripts from the earlier two versions of the package," the researchers said. "When run, it downloads an executable from a remote location and executes it in a new process."