Dubious NuGet Package May Portend Chinese Industrial Espionage

Researchers have identified a popular open source package that may be hiding industrial espionage malware.

"SqzrFramework480" is a .NET dynamic link library (DLL) that seems to pertain to Bozhon Precision Industry Technology Co., a Chinese manufacturer of consumer electronics and various industrial technologies. The file's stated functions include managing and creating graphical user interfaces (GUIs), initializing and configuring machine vision libraries, adjusting robotic movement settings, and more. It was uploaded to the NuGet open source repository on Jan. 24 and already has 3,000 downloads, as of this writing.

It may, in the end, be no more than what it says it is. But researchers from ReversingLabs flagged SqzrFramework480 as suspicious in a new report, thanks to a method buried inside that appears to do rather malicious things: capturing screenshots, opening a socket, and exfiltrating data to a concealed IP address.

Is SqzrFramework480 an OT Backdoor?

Software developed by Chinese companies has been used in malicious supply chain attacks before, and cyber threats to industrial systems are not new there.

Is SqzrFramework480 a continuation of these trends? The answer lies in its method, "Init."

Init's job begins by pinging a remote IP address. This IP address is stored as a byte array, where each byte is an ASCII-encoded character.

If the ping isn't successful, the program goes to sleep and tries again 30 seconds later. If it does succeed, it opens up a socket and connects to that IP address. Then it takes a screenshot of the monitor it's installed on, packages it into a byte array, and sends it through the socket.

On one hand, the researchers posited, this could simply be a mechanism for streaming images from a Bozhon camera to a workstation. But certain contextual evidence muddies that theory.

For one thing, the names and classes within SqzrFramework480 tend to have rather nondescript labels; nowhere, for example, could one infer that it captures screenshots. And why is the IP address it pings concealed as a byte? "That's a kind of suspicious, or uncommon, practice," notes Petar Kirhmajer, the report's author. "Why wouldn't you just include the IP [in plaintext]?"

Besides the lengths gone to obscure Init, there's also the fact that the package was listed by a nondescript NuGet account whose only prior listing was "SqzrFramework480.Faker," an obscured version of SqzrFramework480.

In lieu of any smoking gun, SqzrFramework480 remains live and available for download.

"My suggestion would be to not trust every package blindly," Kirhmajer says. "If you can, you should audit them yourself [manually]. And if you don't have the resources to do it yourself, you should use tools to automatically scan those packages."