A dubious NuGet package could portend Chinese industrial espionage

Researchers have identified a popular open source package that may hide industrial espionage malware.

“SqzrFramework480” is a .NET dynamic link library (DLL) that appears to belong to Bozhon Precision Industry Technology Co., a Chinese manufacturer of consumer electronics and various industrial technologies. The file’s claimed functions include managing and creating graphical user interfaces (GUIs), initializing and configuring computer vision libraries, adjusting robotic motion settings, and more. It was uploaded to the open source NuGet repository on January 24 and already has 3,000 downloads, as of this writing.

In the end it may be nothing more than it says it is. But researchers at ReversingLabs have flagged SqzrFramework480 as suspicious in a new report, thanks to a hidden method within it that appears to do some pretty malicious things: take screenshots, open a socket, and exfiltrate data to a hidden IP address.

Is SqzrFramework480 an OT backdoor?

Software developed by Chinese companies has been used in malicious supply chain attacks before, and cyber threats to industrial systems are nothing new either.

Is SqzrFramework480 a continuation of these trends? The answer lies in its method, “Init”.

Init’s work begins by pinging a remote IP address. This IP address is stored as a byte array, where each byte is an ASCII-encoded character.

If the ping is unsuccessful, the program goes to sleep and tries again 30 seconds later. If successful, it opens a socket and connects to that IP address. It then takes a screenshot of the monitor it’s installed on, packs it into a byte array, and sends it through the socket.

On the one hand, the researchers speculated, this could simply be a mechanism for streaming images from a Bozhon camera to a workstation. But some contextual evidence confounds this theory.

For one thing, the names and classes within SqzrFramework480 tend to have rather nondescript labels; nowhere, for example, could it be inferred that the package takes screenshots. And why is the IP address being pinged hidden as bytes? “This is a suspicious, if not unusual, practice,” notes Petar Kirhmajer, the report’s author. “Why not just include the IP [in plaintext]?”
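To hunt for this trick in a decompiled assembly, here is an added example (not from the article or from the ReversingLabs report) that decodes C# byte-array literals and reports any that form a valid IP address; the source snippet and the 192.0.2.1 documentation address are constructed for illustration:

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample of decompiled C# in the style the article describes:
# an IP address stored as ASCII byte values instead of a string literal.
# 192.0.2.1 is a documentation (TEST-NET-1) address, so nothing real is named.
SAMPLE_SOURCE = """
private static readonly byte[] Host = new byte[] { 49, 57, 50, 46, 48, 46, 50, 46, 49 };
private static readonly byte[] Banner = new byte[] { 0x48, 0x65, 0x6C, 0x6C, 0x6F };
private static readonly byte[] Raw = new byte[] { 0, 255, 16, 32 };
"""

# Matches initializers such as `new byte[] { 49, 57, ... }`, capturing the elements.
BYTE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")


def decode_ascii_array(elements: str) -> Optional[str]:
    """Decode a comma-separated list of byte literals (decimal or 0x hex) to text.

    Returns None if any element is not printable ASCII, so binary buffers
    such as image data are skipped rather than reported.
    """
    chars = []
    for token in elements.split(","):
        token = token.strip()
        if not token:  # tolerate a trailing comma
            continue
        try:
            value = int(token, 0)
        except ValueError:
            return None
        if not 0x20 <= value <= 0x7E:
            return None
        chars.append(chr(value))
    return "".join(chars) if chars else None


def find_hidden_ips(source: str) -> List[str]:
    """Return every byte-array literal in `source` that decodes to an IPv4/IPv6 address."""
    hits = []
    for match in BYTE_ARRAY_RE.finditer(source):
        text = decode_ascii_array(match.group(1))
        if text is None:
            continue
        try:
            ipaddress.ip_address(text)  # raises ValueError for non-addresses
        except ValueError:
            continue
        hits.append(text)
    return hits
```

Running `find_hidden_ips(SAMPLE_SOURCE)` flags only the Host array; the decodable banner and the binary buffer are ignored.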

In addition to the efforts made to obfuscate Init, there is also the fact that the package was published by an anonymous NuGet account whose only previous upload was “SqzrFramework480.Faker”, a redacted version of SqzrFramework480.

In the absence of any hard evidence, SqzrFramework480 remains active and available for download.

“My suggestion would be to not blindly trust every package,” Kirhmajer says. “If you can, you should check them out for yourself [manually]. And if you don’t have the resources to do it yourself, you should use tools to automatically scan those packages.”
