Are these additional features or a full-fledged spy tool?
ReversingLabs specialists found a suspicious package in the NuGet package manager, presumably aimed at developers using the tools of the Chinese company Bozhon Precision Industry Technology, which specializes in the production of industrial and digital equipment.
The package called SqzrFramework480 was first published on January 24, 2024 and has been downloaded 2,999 times so far. A DLL was found in the package "SqzrFramework480.dll", which contains functions for creating screenshots, sending them to a remote IP address, and constantly checking the connection with the IP address every 30 seconds.
According to ReversingLabs, such actions are not considered malicious in isolation, but collectively raise suspicions and may indicate an attempt at industrial espionage, especially in systems equipped with cameras, machine vision and robotic arms.
Connecting toIP address and sending screenshots to the address
Combining these functions in a single package violates security rules and may indicate the deliberate introduction of malicious code under the guise of harmless software. Despite the potential danger, there is an alternative explanation: the package could have been leaked from a developer or a third party working with the company, and used to transfer images from the camera to the workstation.
The fact that SqzrFramework480 is associated with the Chinese firm Bozhon Precision Industry Technology is indicated by the use of the company's logo as a package icon. The package was uploaded by a Nuget user account named "zhaoyushun1999".
Currently, the SqzrFramework480 package has been removed from the repository with a message about violating the Terms of Use.
ReversingLabs emphasized that such incidents highlight the complexity of supply chain threats and the need for careful analysis of libraries before uploading them. Open repositories, such as NuGet, increasingly contain suspicious and malicious packages that aim to attract developers and introduce malicious modules into their workflows.
ReversingLabs specialists found a suspicious package in the NuGet package manager, presumably aimed at developers using the tools of the Chinese company Bozhon Precision Industry Technology, which specializes in the production of industrial and digital equipment.
The package called SqzrFramework480 was first published on January 24, 2024 and has been downloaded 2,999 times so far. A DLL was found in the package "SqzrFramework480.dll", which contains functions for creating screenshots, sending them to a remote IP address, and constantly checking the connection with the IP address every 30 seconds.
According to ReversingLabs, such actions are not considered malicious in isolation, but collectively raise suspicions and may indicate an attempt at industrial espionage, especially in systems equipped with cameras, machine vision and robotic arms.
Connecting toIP address and sending screenshots to the address
Combining these functions in a single package violates security rules and may indicate the deliberate introduction of malicious code under the guise of harmless software. Despite the potential danger, there is an alternative explanation: the package could have been leaked from a developer or a third party working with the company, and used to transfer images from the camera to the workstation.
The fact that SqzrFramework480 is associated with the Chinese firm Bozhon Precision Industry Technology is indicated by the use of the company's logo as a package icon. The package was uploaded by a Nuget user account named "zhaoyushun1999".
Currently, the SqzrFramework480 package has been removed from the repository with a message about violating the Terms of Use.
ReversingLabs emphasized that such incidents highlight the complexity of supply chain threats and the need for careful analysis of libraries before uploading them. Open repositories, such as NuGet, increasingly contain suspicious and malicious packages that aim to attract developers and introduce malicious modules into their workflows.
