A suspicious NuGet package designed to harvest data from industrial systems appears to be targeting developers who use technology from Chinese company Bozhon, ReversingLabs reports.
Named SqzrFramework480 and published on the NuGet repository in January 2024, the package is a .NET library responsible for calibrating robotic movement settings, managing and creating GUIs, initializing and configuring machine vision libraries, and more.
However, it can also harvest information from industrial systems such as cameras and robotic arms, take screenshots, send ping packets, and open sockets for data transfer.
“None of those behaviors are resolutely malicious. However, when taken together, they raise alarms. For example, we can assume that the screenshots that are being taken are sent to the remote server via the open socket. The ping serves as a heartbeat check to see if the exfiltration server is alive,” ReversingLabs notes.
The screenshot function, which is not explicitly declared in the code, runs in a continuous loop once it succeeds, capturing the primary screen every minute and sending the image to a remote IP address over the opened socket.
The security firm notes, however, that it is unclear how the function that initializes the whole operation gets executed; one explanation is that “SqzrFramework480.dll has been written as a help library” and the function must be explicitly called by the developer using it.
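The behaviors listed above are each benign on their own; what made ReversingLabs look twice was their co-occurrence in one library. The following is an added triage script, not code from the article or from the package, that reproduces that reasoning over a NuGet package: it opens the .nupkg (a zip), extracts the NUL-separated UTF-8 names and UTF-16LE literals that a .NET assembly's metadata heaps contain, and flags any DLL whose API references span screenshot capture, ICMP ping, raw sockets and a sleep loop at the same time. The indicator lists, the threshold, the package and DLL names, and the two fake assemblies are constructed for this example; the fake DLLs are byte blobs shaped like metadata name tables, not real PE files.

```python
"""Triage a .nupkg for the benign-but-suspicious API combination described above.

Added example, not the package's or ReversingLabs' code. Indicator names,
threshold and the sample package are assumptions constructed for illustration.
"""
from __future__ import annotations

import io
import re
import zipfile

# Individually benign .NET APIs whose co-occurrence in one assembly matches the
# screenshot + heartbeat + exfil-socket + loop pattern. Hypothetical list; tune it.
INDICATORS: dict[str, set[str]] = {
    "screenshot": {"CopyFromScreen", "PrimaryScreen", "System.Drawing"},
    "heartbeat": {"Ping", "System.Net.NetworkInformation"},
    "socket": {"Socket", "TcpClient", "System.Net.Sockets"},
    "loop": {"Sleep", "Timer"},
}
FLAG_THRESHOLD = 3  # categories that must co-occur before a DLL is flagged

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")             # #Strings heap: UTF-8, NUL-terminated
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # #US heap: UTF-16LE literals


def extract_strings(blob: bytes) -> set[str]:
    """Pull printable runs out of a binary in both encodings, like `strings -e l`."""
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)}
    return found


def scan_assembly(blob: bytes) -> dict[str, set[str]]:
    """Return, per indicator category, the names present in the assembly blob."""
    tokens: set[str] = set()
    for s in extract_strings(blob):
        tokens.add(s)
        tokens.update(s.split("."))  # namespace parts and bare member names
    return {cat: names & tokens for cat, names in INDICATORS.items() if names & tokens}


def triage_nupkg(nupkg: bytes) -> dict[str, dict]:
    """Scan every assembly in a .nupkg (a zip) and flag multi-category hits."""
    report: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        for info in z.infolist():
            if not info.filename.lower().endswith((".dll", ".exe")):
                continue
            hits = scan_assembly(z.read(info))
            report[info.filename] = {
                "hits": {k: sorted(v) for k, v in hits.items()},
                "flagged": len(hits) >= FLAG_THRESHOLD,
            }
    return report


def _fake_assembly(utf8_names: list[str], utf16_literals: list[str]) -> bytes:
    """Constructed stand-in for a .NET DLL: NUL-separated names plus UTF-16LE literals."""
    blob = b"MZ" + b"\x00" * 62
    blob += b"\x00".join(n.encode() for n in utf8_names) + b"\x00"
    blob += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in utf16_literals)
    return blob


def build_sample_nupkg() -> bytes:
    """Constructed sample package: one DLL with the full pattern, one with sockets only."""
    suspicious = _fake_assembly(
        ["System.Drawing", "Graphics", "CopyFromScreen", "Screen", "PrimaryScreen",
         "System.Net.NetworkInformation", "Ping", "Send",
         "System.Net.Sockets", "Socket", "Connect",
         "System.Threading", "Thread", "Sleep"],
        ["198.51.100.7"],  # documentation-range address, constructed
    )
    plain = _fake_assembly(["System.Net.Sockets", "Socket", "Connect", "Send"], ["hello"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Sample.Vision.nuspec", "<package/>")
        z.writestr("lib/net48/Sample.Vision.dll", suspicious)
        z.writestr("lib/net48/Sample.Net.dll", plain)
    return buf.getvalue()


if __name__ == "__main__":
    for path, result in triage_nupkg(build_sample_nupkg()).items():
        status = "FLAG" if result["flagged"] else "ok  "
        print(f"{status} {path}: {result['hits']}")
```

This is a string-level heuristic for deciding what to look at first, not a verdict: obfuscated names, reflection-based invocation or P/Invoke calls will not show up, and it cannot answer the question the article leaves open, namely whether the initializing function is ever called. Decompiling the flagged DLL to confirm the loop, the capture interval and the socket destination is the next step.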
The package appears linked to Bozhon Precision Industry Technology Co., Ltd., an industrial and digital equipment manufacturer based in China. ReversingLabs’ attempts to communicate with the company regarding the package have remained unsuccessful.
While it believes the package could be malicious, ReversingLabs has no clear explanation of why it was published to NuGet or what its actual purpose is.
On the one hand, it appears to target developers using Bozhon tools and to exfiltrate data such as credentials, configuration settings, and proprietary information from the infected system by means of screenshots, possibly as part of a supply chain campaign tailored for industrial espionage.
On the other hand, the package might have been published to NuGet by a developer or an independent contractor working for Bozhon, with the data harvesting function designed for administrative or technical purposes.
Despite its concerns, ReversingLabs says it has not reported SqzrFramework480 to NuGet. The package has been downloaded over 2,400 times since January and remains available for download, but no other packages that could be linked to the campaign have been discovered.
Related: Malicious NuGet Packages Abuse MSBuild Integrations for Code Execution
Related: Malicious NuGet Packages Used to Target .NET Developers
Related: ‘BlazeStealer’ Malware Delivered to Python Developers Looking for Obfuscation Tools