Four malicious NuGet packages designed to steal login credentials and create persistent backdoors inside web applications have been identified as part of a supply chain attack that targets ASP.NET developers. A threat actor using the username "hamzazaheer" published the packages, NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, between August 12 and 21, 2024.

Together, they have received over 4,500 downloads. Deliberate deception is the first step in the attack. NCryptYo poses as a cryptography library by typosquatting the popular NCrypto package. Its namespace mirrors Microsoft's own cryptography APIs, and its DLL filename, NCrypt.dll, imitates Windows' built-in CNG cryptography provider.

Crucially, the package fires a static constructor as soon as the assembly loads, before the developer calls a single method, silently installing a hidden proxy on localhost port 7152 that relays traffic to an external, attacker-controlled server. By tracking down shared infrastructure among all four packages, Socket.dev researchers were able to identify the entire campaign. They confirmed that the packages were created by the same operator by observing that DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ all carry a byte-identical hardcoded authentication token, encoded using GZip compression and unique Base64 substitutions.

Only 1 out of 72 security vendors flagged NCrypt.dll, according to VirusTotal analysis, demonstrating how well the obfuscation conceals the malware from common detection tools.

VirusTotal detection results for NCrypt.dll, 1 of 72 vendors (Source: Socket.dev).

Once activated, DOMOAuth2_ and IRAOAuth2.0 covertly gather ASP.NET Identity data, such as user account IDs, role assignments, and permission mappings, and send it through the local proxy to the attacker's server. Posing as a PDF conversion tool, SimpleWriter_ runs hidden processes with no visible window and writes attacker-controlled files to disk.

The true goal is every production application that these developers eventually ship to end users, not just their workstations.

JIT Hooking: The Fundamental Mechanism of Infection

NCryptYo uses JIT compiler hijacking to conceal its actual behavior from security scanners.

Normally, the .NET runtime compiles each method just before it executes. The package replaces that step with its own hook, so the malicious code is not decrypted until the moment it runs, which keeps it invisible to static analysis.

The DLL is protected with .NET Reactor obfuscation, anti-debugging checks, and a 14-day expiration timer. It contains five encrypted resources, the largest of which is a 126 KB payload that creates the covert proxy tunnel to the attacker's external server. Before installing any third-party library, developers should check package names, author identities, and download histories.

They should also watch for traffic on unusual localhost ports.
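The loopback-relay pattern described above (a process listening on 127.0.0.1 that forwards traffic to an outside host) can be spotted from ordinary `netstat -ano` output. The script below is an added example, not Socket.dev's or the package author's code; the netstat text, the port allowlist, and the 203.0.113.10 remote address are constructed for illustration.

```python
"""Flag processes that both LISTEN on a loopback port outside an allowlist and hold
an ESTABLISHED connection to a non-loopback address: the shape of a hidden local
proxy relaying traffic outward. Input is Windows `netstat -ano` text.
Added example; sample data and allowlist are constructed, not from the article."""
import ipaddress
import re

# Assumed allowlist of loopback ports that local tooling legitimately uses.
ALLOWED_LOOPBACK_PORTS = {5000, 5001, 44300}

# Constructed sample output. 203.0.113.10 is an RFC 5737 documentation address.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       2210
  TCP    127.0.0.1:7152         0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:7152         127.0.0.1:51822        ESTABLISHED     5120
  TCP    127.0.0.1:51822        127.0.0.1:7152         ESTABLISHED     6348
  TCP    192.168.1.20:51901     203.0.113.10:443       ESTABLISHED     5120
  TCP    192.168.1.20:51902     192.168.1.1:443        ESTABLISHED     2210
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) for TCP rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state, int(pid)))
    return rows


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_loopback_relays(text, allowed_ports=ALLOWED_LOOPBACK_PORTS):
    """Return [{'pid', 'port', 'remotes'}] for loopback listeners that also talk outward."""
    rows = parse_netstat(text)
    # Step 1: loopback listeners on ports outside the allowlist, grouped by PID.
    listeners = {}
    for lip, lport, _rip, _rport, state, pid in rows:
        if state == "LISTENING" and is_loopback(lip) and lport not in allowed_ports:
            listeners.setdefault(pid, set()).add(lport)
    # Step 2: does the same PID hold an established session to a non-loopback peer?
    findings = []
    for pid, ports in listeners.items():
        remotes = sorted(
            f"{rip}:{rport}"
            for _lip, _lp, rip, rport, state, p in rows
            if p == pid and state == "ESTABLISHED" and not is_loopback(rip)
        )
        if remotes:
            for port in sorted(ports):
                findings.append({"pid": pid, "port": port, "remotes": remotes})
    return findings


if __name__ == "__main__":
    for f in find_loopback_relays(SAMPLE_NETSTAT):
        print(f"PID {f['pid']} listens on 127.0.0.1:{f['port']} and talks to {', '.join(f['remotes'])}")
```

Run it against live output with `netstat -ano | python relay_check.py`-style plumbing, or feed it saved captures from an endpoint tool. A hit is a lead, not a verdict: map the PID to its image and command line before acting, and tune the allowlist to the ports your own development servers use.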

Before any package enters a production build, security teams should add automated scanning to the CI/CD pipeline that looks for obfuscation markers, static constructor abuse, and embedded encrypted payloads.
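The developer checks above (package name, system-DLL shadowing) and the CI/CD scan for static constructors and encrypted payloads can be combined into one pre-build gate over the .nupkg file. The script below is an added example and is not Socket.dev's or NuGet's tooling; the popular-package list, the system-DLL list, the size and entropy thresholds, and the sample packages it builds in memory are all assumptions constructed for the example.

```python
"""Heuristic gate for .nupkg files before they enter a build. It flags the three
traits the article reports: a package name within two edits of a popular package
(typosquat), a DLL that shadows a Windows system library such as NCrypt.dll, and a
managed assembly that declares a static constructor (.cctor) while being dominated
by high-entropy (compressed or encrypted) content. Added example; lists and
thresholds are assumptions, and the sample packages are constructed in memory."""
import io
import math
import random
import zipfile
from collections import Counter

POPULAR_PACKAGES = {"ncrypto", "newtonsoft.json", "serilog"}        # assumed reference list
WINDOWS_SYSTEM_DLLS = {"ncrypt.dll", "bcrypt.dll", "crypt32.dll"}  # assumed shadow list
LARGE_BODY_BYTES = 64 * 1024   # assumed threshold; the article's 126 KB payload exceeds it
HIGH_ENTROPY = 7.5             # bits per byte; encrypted or compressed data approaches 8.0


def edit_distance(a, b):
    """Levenshtein distance, used for the typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(data):
    """Bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_nupkg(nupkg_bytes, package_id):
    """Return a list of human-readable findings for one package archive."""
    findings = []
    pid = package_id.lower()
    for popular in sorted(POPULAR_PACKAGES):
        if pid != popular and edit_distance(pid, popular) <= 2:
            findings.append(f"typosquat: '{package_id}' is within 2 edits of '{popular}'")
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            if name.rsplit("/", 1)[-1].lower() in WINDOWS_SYSTEM_DLLS:
                findings.append(f"shadows Windows system DLL: {name}")
            data = zf.read(name)
            # ".cctor" is the metadata name of a static constructor. Benign assemblies
            # often have one too, so it is only reported together with a large,
            # high-entropy body, which is what embedded encrypted resources look like.
            ent = shannon_entropy(data)
            if b".cctor" in data and len(data) >= LARGE_BODY_BYTES and ent >= HIGH_ENTROPY:
                findings.append(
                    f"static constructor (.cctor) plus {len(data) // 1024} KB "
                    f"high-entropy body ({ent:.2f} bits/byte): {name}"
                )
    return findings


def build_sample_nupkg(malicious):
    """Construct an in-memory .nupkg for the example (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            # Fake assembly: PE magic, a .cctor name as it would sit in the #Strings heap,
            # then 96 KB of pseudo-random bytes standing in for encrypted resources.
            body = b"MZ" + b"\0" * 62 + b".cctor\0" + random.Random(7).randbytes(96 * 1024)
            zf.writestr("lib/net8.0/NCrypt.dll", body)
        else:
            body = b"MZ" + b"\0" * 62 + b"Utilities\0" * 200
            zf.writestr("lib/net8.0/MyCompany.Utilities.dll", body)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_nupkg(build_sample_nupkg(True), "NCryptYo"):
        print("FAIL:", finding)
    print("clean package findings:", scan_nupkg(build_sample_nupkg(False), "MyCompany.Utilities"))
```

In a pipeline, run `scan_nupkg` over every restored package and fail the build on any finding, then triage: the typosquat and system-DLL checks are cheap and precise, while the entropy check is a heuristic that needs a project-specific allowlist for legitimately packed or resource-heavy assemblies.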