
"NCryptYo is a stage-1 execution-on-load dropper. When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary - a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker's external C2 server, whose address is resolved dynamically at runtime."
"The campaign exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, and manipulates authorization rules to create persistent backdoors in victim applications."
Cybersecurity researchers discovered a coordinated campaign involving four malicious NuGet packages published between August 12 and 21, 2024, by the user hamzazaheer. NCryptYo acts as a first-stage dropper that establishes a localhost proxy on port 7152 and relays traffic to an attacker-controlled C2 server. DOMOAuth2_ and IRAOAuth2.0 steal ASP.NET Identity data (user accounts, roles, and permissions) and backdoor the applications that load them. SimpleWriter_, which poses as a PDF converter, provides file-writing and hidden process-execution capabilities. The packages accumulated over 4,500 downloads before removal. Identical build environments indicate that a single threat actor orchestrated the campaign.
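As an added defensive check (not code from the article or from the packages it describes), the script below audits .NET project files for references to the four package ids named in the report; the sample project file and its version numbers are constructed for the demonstration.

```python
# Added example: audit .csproj/.fsproj/.vbproj and packages.config files for the
# four NuGet package ids named in the report. Constructed sample data, not real IoCs.
import xml.etree.ElementTree as ET
from pathlib import Path

# Package ids from the report; NuGet ids are case-insensitive, so compare lowercased.
MALICIOUS_PACKAGES = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Constructed SDK-style project file; versions are made up for the demo.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="ncryptyo" Version="0.0.1" />
    <PackageReference Include="SimpleWriter_"><Version>0.0.2</Version></PackageReference>
  </ItemGroup>
</Project>"""

def _local(tag):
    """Strip an XML namespace prefix ('{ns}Tag' -> 'Tag'); legacy csproj files use one."""
    return tag.rsplit("}", 1)[-1]

def references_from_csproj(xml_text):
    """Return (id, version) pairs from PackageReference items, attribute or child form."""
    refs = []
    for item in ET.fromstring(xml_text).iter():
        if _local(item.tag) != "PackageReference":
            continue
        pkg = item.get("Include") or item.get("Update")
        if pkg:
            child = next((c.text or "" for c in item if _local(c.tag) == "Version"), "")
            refs.append((pkg, item.get("Version") or child))
    return refs

def references_from_packages_config(xml_text):
    """Return (id, version) pairs from a legacy packages.config."""
    root = ET.fromstring(xml_text)
    return [(p.get("id"), p.get("version", "")) for p in root.iter("package") if p.get("id")]

def find_malicious(refs):
    """Keep only references whose id matches one of the reported packages."""
    return [(pkg, ver) for pkg, ver in refs if pkg.lower() in MALICIOUS_PACKAGES]

def scan_tree(root_dir):
    """Map each project file under root_dir to the flagged references it contains."""
    hits = {}
    for path in Path(root_dir).rglob("*"):
        if path.suffix.lower() in (".csproj", ".fsproj", ".vbproj"):
            refs = references_from_csproj(path.read_text(encoding="utf-8"))
        elif path.name.lower() == "packages.config":
            refs = references_from_packages_config(path.read_text(encoding="utf-8"))
        else:
            continue
        if bad := find_malicious(refs):
            hits[str(path)] = bad
    return hits
```

Run `scan_tree(".")` from a source checkout; because the dropper runs from the assembly's static constructor, a hit means the build host and any machine that loaded the package should also be checked for a listener on localhost port 7152.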
Read at The Hacker News