An apparently harmless piece of software has been found to be concealing a destructive slice of malware, and it’s been waiting years to be unleashed.
Security researchers have discovered that a set of software packages designed for developers, namely for the Sharp7 library and other .NET extensions, contained malware which has been patiently waiting for two years to activate. These software packages had been uploaded to a trusted software repository and downloaded close to 10,000 times. The developers, of course, thought they were installing legitimate tools. But the truth is that these were ticking time bombs which could affect countless organizations.
What Are .NET Extensions?
Before we dive into the mechanics of this attack, it’s important that you understand what .NET extensions are.
.NET extensions are small packages of code which expand what software built with Microsoft’s .NET framework can do. And what’s the .NET framework? Well, it’s Microsoft’s software platform which was created to allow developers to build and run Windows applications using shared tools and libraries. Essentially, .NET extensions are similar to plugins, enhancing the functionality of existing software by way of additional snippets of code.
How the Attack Played Out
Researchers at security firm Socket found nine malicious packages which had been uploaded between 2023 and 2024 by a user called shanhai666 on NuGet, an online package manager for the .NET framework. Each package appeared legitimate, with around 99% of the code being harmless – a scenario which made exposing the malware very difficult during reviews and automated malware scans.
Many of the packages focused their attention on database tools such as SQL Server, PostgreSQL, and SQLite. However, rather than aiming to detonate their payload at the first available opportunity, these malicious packages were pre-programmed to trigger several years later in 2027 or 2028. This allowed the attacker to ensure their malware had spread widely before they unleashed digital chaos.
The most dangerous example, Sharp7Extend, was activated earlier than many of the other packages. And it caused significant disruption. Targeting Siemens S7 industrial controllers, Sharp7Extend launched its attack shortly after installation and set about crashing processes and corrupting data. For organizations running Siemens S7 controllers, this meant an increased risk of disruption to factory machinery, disabled safety systems and, in a worst case scenario, production lines grinding to a halt.
The attacker was clever in the way they orchestrated their campaign. By publishing virtually identical copies of trusted packages, they were able to stealthily slip a small amount of malicious code in among all the genuine code. Without a deep and forensic inspection, this meant detecting the malware was nearly impossible. Socket has warned developers and organizations that any systems using these tools may already be compromised and are certainly at future risk. Early signs to look for are unusual slowdowns, communication issues, and random software crashes.
Three Smart Tips to Keep You Safe
The worst threats are always the most well-hidden threats, and the attack by shanhai666 is particularly stealthy. Therefore, it’s crucial that you protect your systems. So, how do you do this? Luckily, Ophtek is on hand to help you with three smart tips:
- Audit Your Installs: It’s important that you know exactly what’s installed on your systems and where they have come from. As part of your IT vulnerability assessment, you should keep logs which contain details of your .NET extensions such as: date of install, version history, and details of the publisher along with verification of that publisher’s legitimacy.
- Always Install Updates: Make sure that you regularly update both your PC and any software you use. This not only keeps your software functional, but it minimizes the risk of vulnerabilities being exploited by malware.
- Only Install Trusted Tools: To minimize exposure to malicious tools, developers and PC users should stick to installing tools from trusted publishers. Open repositories are fantastic in theory, but they also enable threat actors to abuse these public platforms to spread malicious code.
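The first and third tips above come down to one routine job: knowing exactly which NuGet packages each project pulls in and comparing that list against what the team has actually vetted. The script below is an added example written for this article, not code from Socket, NuGet or Ophtek. It reads PackageReference items from a .csproj and the resolved entries from a packages.lock.json, then marks each package as on a watchlist (here only Sharp7Extend, the one package the article names; the placeholder stands in for the others listed in Socket's advisory), approved (on a constructed allowlist of vetted name and version pairs), or unapproved. The sample project file, lock file, watchlist and allowlist are all constructed for the example.

```python
"""Inventory NuGet package references and flag watchlisted or unvetted ones.

Added example for this article (not Socket's, NuGet's or Ophtek's code).
Assumptions: projects use PackageReference items in .csproj files and may
have a packages.lock.json; WATCHLIST and ALLOWLIST are constructed samples
that a team would maintain itself from advisories and its own reviews.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample .csproj: two vetted references plus the malicious
# Sharp7Extend package named in the article.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.84" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
    <PackageReference Include="Npgsql" Version="8.0.3" />
  </ItemGroup>
</Project>"""

# Constructed sample packages.lock.json in NuGet's lock file layout.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Sharp7": {"type": "Direct", "requested": "[1.1.84, )", "resolved": "1.1.84"},
            "Sharp7Extend": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
            "Npgsql": {"type": "Direct", "requested": "[8.0.3, )", "resolved": "8.0.3"},
            "Microsoft.Extensions.Logging.Abstractions": {"type": "Transitive", "resolved": "8.0.0"},
        }
    }
})

# Watchlist: Sharp7Extend is the package the article names; the placeholder
# stands in for the other packages from the Socket advisory.
WATCHLIST = {"sharp7extend", "placeholder-known-bad-package"}

# Allowlist of vetted (name -> versions) pairs; constructed sample.
ALLOWLIST = {"sharp7": {"1.1.84"}, "npgsql": {"8.0.3"}}


def _local_name(tag):
    """Strip an XML namespace so old-style msbuild projects also parse."""
    return tag.rsplit("}", 1)[-1]


def parse_csproj(text):
    """Return [(name, version)] for every PackageReference in a .csproj."""
    root = ET.fromstring(text)
    refs = []
    for elem in root.iter():
        if _local_name(elem.tag) != "PackageReference":
            continue
        name = elem.get("Include")
        # Version may be an attribute or a child element.
        version = elem.get("Version") or elem.findtext("Version")
        if name:
            refs.append((name, version))
    return refs


def parse_lock_file(text):
    """Return [(name, resolved_version, type)] across all target frameworks."""
    data = json.loads(text)
    out = []
    for _tfm, deps in data.get("dependencies", {}).items():
        for name, info in deps.items():
            out.append((name, info.get("resolved"), info.get("type")))
    return out


def audit(packages):
    """Classify each (name, version, ...) tuple as watchlist, ok or unapproved."""
    findings = []
    for name, version, *_rest in packages:
        key = name.lower()
        if key in WATCHLIST:
            status = "watchlist"
        elif version in ALLOWLIST.get(key, set()):
            status = "ok"
        else:
            status = "unapproved"
        findings.append((name, version, status))
    return findings


if __name__ == "__main__":
    print("From .csproj:")
    for name, version, status in audit(parse_csproj(SAMPLE_CSPROJ)):
        print(f"  {status:<10} {name} {version}")
    print("From packages.lock.json (includes transitive packages):")
    for name, version, status in audit(parse_lock_file(SAMPLE_LOCK)):
        print(f"  {status:<10} {name} {version}")
```

Reading the lock file as well as the project file matters because transitive packages never appear in the .csproj; a cloned library pulled in by a legitimate dependency would otherwise be invisible to the audit. Anything reported as unapproved is not necessarily malicious, only unreviewed, which is the point of keeping the install log the first tip describes.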
For more ways to secure and optimize your business technology, contact your local IT professionals.