Hackers target .NET developers with malicious NuGet packages


Threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.

Three of them have been downloaded over 150,000 times within a month, according to JFrog security researchers Natan Nehorai and Brian Moussalli, who spotted this ongoing campaign.

While the massive number of downloads could point to a large number of .NET developers who had their systems compromised, it could also be explained by the attackers’ efforts to legitimize their malicious NuGet packages.
“The top three packages were downloaded an incredible amount of times – this could be an indicator that the attack was highly successful, infecting a large amount of machines,” the JFrog security researchers said.

“However, this is not a fully reliable indicator of the attack’s success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate.”

The threat actors also used typosquatting when creating their NuGet repository profiles to impersonate what looked like the accounts of Microsoft software developers working on the NuGet .NET package manager.

Package Name Owner Downloads Published Impersonated package
Coinbase.Core BinanceOfficial 121.9K 2023-02-22 Coinbase
Anarchy.Wrapper.Net OfficialDevelopmentTeam 30.4K 2023-02-21 Anarchy-Wrapper
DiscordRichPresence.API OfficialDevelopmentTeam 14.1K 2023-02-21 DiscordRichPresence
Avalon-Net-Core joeIverhagen 1.2k 2023-01-03 AvalonEdit
Manage.Carasel.Net OfficialDevelopmentTeam 559 2023-02-21 N/A
Asip.Net.Core BinanceOfficial 246 2023-02-22 Microsoft.AspNetCore
Sys.Forms.26 joeIverhagen 205 2023-01-03 System.Windows.Forms
Azetap.API DevNuget 153 2023-02-27 N/A
AvalonNetCore RahulMohammad 67 2023-01-04 AvalonEdit
Json.Manager.Core BestDeveIopers 46 2023-03-12 Generic .NET name
Managed.Windows.Core MahamadRohu 37 2023-01-05 Generic .NET name
Nexzor.Graphical.Designer.Core Impala 36 2023-03-12 N/A
Azeta.API Soubata 28 2023-02-24 N/A

The malicious packages are designed to download and execute a PowerShell-based dropper script (init.ps1) that configures the infected machine to allow PowerShell execution without restrictions.

“This behavior is extremely rare outside of malicious packages, especially taking into consideration the “Unrestricted” execution policy, which should immediately trigger a red flag,” the researchers explained.

In the next step, it downloads and launches a second-stage payload, a Windows executable described by JFrog as a “completely custom executable payload.”

This is an unusual approach compared to other attackers who will mostly use open-source hacking tools and commodity malware instead of creating their own payloads.

PowerShell dropper script
PowerShell dropper script (BleepingComputer)

The malware deployed on compromised systems can be used for stealing cryptocurrency by exfiltrating the victims’ crypto wallets using Discord webhooks, extracting and executing malicious code from Electron archives, and auto-updating by querying the attacker-controlled command-and-control (C2) server.

“Some packages did not contain any direct malicious payload. Instead, they defined other malicious packages as dependencies, which then contained the malicious script,” the researchers added.

Payloads delivered in this attack have very low detection rates and will not be flagged as malicious by Defender, the built-in anti-malware component in the Microsoft Windows operating system.

This attack is part of a broader malicious effort, with other attackers going as far as uploading more than 144,000 phishing-related packages on multiple open-source package repositories, including NPM, PyPi, and NuGet, as part of a large-scale campaign active throughout 2022.

Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

 To keep up to date follow us on the below channels.