hamzazaheer
hamzazaheer is the account identified by Socket's Threat Research Team as publishing a NuGet supply-chain campaign targeting ASP.NET web application developers. Between August 12 and August 21, 2024, the actor published four malicious NuGet packages: NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_. The packages had accumulated a little over 4,500 downloads at the time of reporting.

The campaign used a multi-stage design. NCryptYo typosquatted the legitimate NCrypto package and masqueraded as a cryptography library, using the namespace "NCrypt" and a DLL name that mimics the Windows CNG provider path. The report describes it as a heavily obfuscated stage-1 dropper that executes on assembly load via a static constructor, installs runtime functionality that decrypts hidden code, and deploys a stage-2 component that establishes a localhost proxy on 127.0.0.1:7152. That proxy relays traffic to an attacker-controlled external C2 whose address is retrieved dynamically at runtime. VirusTotal analysis cited in the report showed very low detection for NCrypt.dll.

The companion packages DOMOAuth2_ and IRAOAuth2.0 targeted ASP.NET Identity authorization workflows. Both communicated with hardcoded https://localhost:7152/api/auth/ endpoints through the local proxy and exfiltrated authorization data, including user accounts and role/permission mappings. DOMOAuth2_ exposed an AddOAuth IServiceCollection extension and supported the endpoints get-permissions, get-role-permissions, update-role-permissions, and update-user-permissions. It fell back to a hardcoded attacker auth token when no API key was supplied, and returned C2 responses through a dynamic Message.Data field, allowing attacker-controlled permission injection into the application. IRAOAuth2.0 implemented the same four exfiltration endpoints and inlined the same hardcoded token.

SimpleWriter_ presented itself as a PDF conversion utility but unconditionally wrote files and executed processes with hidden windows. It registered via dependency injection using AddWriterService, beaconed to a localhost-backed auth endpoint, and executed ExternalLib\Windows\wkhtmltopdf.exe with hidden process settings. The report states this binary was expected to be placed by NCryptYo.

Socket reported that three packages (DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_) shared a byte-identical embedded credential that decoded to the same API key and ProjectId, and that build artifacts, metadata quirks, and exposed PDB paths indicated common authorship across the packages. The likely objective described in the report was to compromise applications built with these dependencies so that deployed production systems would continue exfiltrating data and accept malicious authorization-rule changes. No additional aliases or sub-groups were provided in the content.
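The following is an added defender-side example, not code from Socket, Mallory, or the packages described above. It audits a .nupkg for the indicators the report names (the four package IDs, a lookalike of NCrypto, and the 127.0.0.1:7152 / localhost:7152/api/auth/ strings and wkhtmltopdf.exe reference inside shipped DLLs); the substring matching and the sample package are assumptions constructed for the demonstration, and the report's own analysis was not limited to string scanning.

```python
"""Audit a NuGet package for the indicators described in the hamzazaheer report."""
import io
import zipfile
from difflib import SequenceMatcher

# Plain-substring indicators taken from the report text (assumed sufficient for a triage scan).
INDICATORS = {
    "localhost_proxy": [b"127.0.0.1:7152", b"localhost:7152"],
    "auth_exfil_api": [b"/api/auth/"],
    "hidden_exec": [b"wkhtmltopdf.exe"],
}
KNOWN_BAD_IDS = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}
LEGIT_IDS = {"NCrypto"}  # names the campaign typosquatted


def _views(blob: bytes):
    """Yield the raw bytes plus ASCII projections of UTF-16LE text.

    .NET string literals live in the #US heap as UTF-16LE, so a raw scan
    misses them; both byte alignments are tried."""
    yield blob
    for off in (0, 1):
        yield blob[off:].decode("utf-16-le", "ignore").encode("ascii", "ignore")


def audit_nupkg(package_id: str, nupkg_bytes: bytes) -> dict:
    """Return a triage record: known-bad ID, typosquat candidate, and per-DLL indicator hits."""
    findings = {"package_id": package_id, "known_bad": package_id in KNOWN_BAD_IDS,
                "lookalike_of": None, "indicators": {}}
    for legit in LEGIT_IDS:  # cheap edit-similarity check for lookalike IDs
        ratio = SequenceMatcher(None, package_id.lower(), legit.lower()).ratio()
        if package_id != legit and ratio >= 0.8:
            findings["lookalike_of"] = legit
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:  # a .nupkg is a zip
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            data = zf.read(name)
            for view in _views(data):
                for label, needles in INDICATORS.items():
                    if any(n in view for n in needles):
                        findings["indicators"].setdefault(label, set()).add(name)
    findings["indicators"] = {k: sorted(v) for k, v in findings["indicators"].items()}
    return findings


def build_sample() -> bytes:
    """Constructed sample package (not a real artifact) with a DLL embedding report strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NCryptYo.nuspec", "<package/>")
        zf.writestr("lib/net8.0/NCrypt.dll", b"MZ\x90\x00"
                    + "https://localhost:7152/api/auth/".encode("utf-16-le")
                    + b"\x00\x00127.0.0.1:7152\x00")
    return buf.getvalue()
```

Run `audit_nupkg` over every package restored into a build's `~/.nuget/packages` cache, or over the lock file's package IDs, and treat any hit as grounds to block the build.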