Your Yello Ring Road To Success
GOOGLE LOGIN MY ADS MY SHOP

Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

Mar 22, 2023Ravie LakshmananDevOpsSec / Malware

The NuGet[1]
repository is the target of a new “sophisticated and
highly-malicious attack” aiming to infect .NET developer systems
with cryptocurrency stealer malware.

The 13 rogue packages, which were downloaded more than 160,000
times over the past month, have since been taken down.

“The packages contained a PowerShell script that would execute
upon installation and trigger a download of a ‘second stage’
payload, which could be remotely executed,” JFrog researchers Natan
Nehorai and Brian Moussalli said[2].

While NuGet packages have been in the past found to contain vulnerabilities[3]
and be abused to propagate phishing links[4], the development marks
the first-ever discovery of packages with malicious code.

Three of the most downloaded packages – Coinbase.Core,
Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted
for 166,000 downloads, although it’s also possible that the threat
actors artificially inflated the download counts using bots to make
them appear more legitimate.

The use of Coinbase and Discord underscores the continued
reliance on typosquatting techniques, in which fake packages are
assigned names that are similar to legitimate packages, in order to
trick developers into downloading them.

The malware incorporated within the software packages functions
as a dropper script and is designed to automatically run a
PowerShell code that retrieves a follow-on binary from a hard-coded
server.

As an added obfuscation mechanism, some packages did not embed a
malicious payload directly, instead fetching it via another
booby-trapped package as a dependency.

Even more troublingly, the connection to the command-and-control
(C2) server occurs over HTTP (as opposed to HTTPS), rendering it
vulnerable to an adversary-in-the-middle (AiTM) attack.

The second-stage malware is what JFrog describes as a
“completely custom executable payload” that can be dynamically
switched at will since it’s retrieved from the C2 server.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app
access to your company’s SaaS apps? Join our webinar to learn about
the types of permissions being granted and how to minimize
risk.

RESERVE YOUR
SEAT[5]

The second-stage delivers several capabilities that include a
crypto stealer and an auto-updater module that pings the C2 server
for an updated version of the malware.

The findings come as the software supply chain has become an
increasingly lucrative pathway to compromise developers’ systems
and stealthily propagate backdoored code to downstream users.

“This proves that no open source repository is safe from
malicious actors,” Shachar Menashe, senior director at JFrog
Security Research, said in a statement shared with The Hacker
News.

“.NET developers using NuGet are still at high risk of malicious
code infecting their environments and should take caution when
curating open-source components for use in their builds – and at
every step of the software development lifecycle – to ensure the
software supply chain remains secure.”

Found this article interesting? Follow us on Twitter [6]
and LinkedIn[7]
to read more exclusive content we post.

References

  1. ^
    NuGet
    (learn.microsoft.com)
  2. ^
    said
    (jfrog.com)
  3. ^
    contain
    vulnerabilities     (thehackernews.com)
  4. ^
    propagate phishing links
    (thehackernews.com)
  5. ^
    RESERVE YOUR SEAT
    (thn.news)
  6. ^
    Twitter
     (twitter.com)
  7. ^
    LinkedIn
    (www.linkedin.com)

Read more