Cryptocurrency Stealing Malware Distributed via 13 NuGet Packages
Cybersecurity researchers have detailed the inner workings of cryptocurrency-stealing malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers.
The typosquatting campaign, spotted by JFrog late last month, works by masquerading as legitimate packages to execute PowerShell code that fetches a second-stage binary from hard-coded servers.
The two-stage attack culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is capable of gaining unauthorized access to users' cryptocurrency accounts.
“The payload uses a very rare obfuscation technique, called ‘.NET AoT compilation’, which is far more stealthy than using an ‘off the shelf’ obfuscator while still making binaries difficult to reverse engineer,” JFrog told The Hacker News in a statement.
.NET AoT compilation is an optimization technique that allows apps to be precompiled to native code. Native AOT apps also have a faster startup time and a smaller memory footprint, and can run on machines without the .NET runtime installed.
“Bad actors use typosquatting techniques to deploy custom malicious payloads (…) that target the Exodus crypto wallet and leak victims’ credentials to cryptocurrency exchanges, using code injection,” said Shachar Menashe, senior director at JFrog Security Research.
“Our investigation proves that no open source software repository can be truly trusted, so security measures must be taken at every step of the software development lifecycle to ensure the software supply chain remains secure.”
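One concrete step a .NET team can take against the typosquatting technique described above is to check every PackageReference in a project against an allowlist of package IDs it has actually vetted, flagging near-misses before `dotnet restore` ever pulls them. The following is an added example written for this article, not code from JFrog or from the report; the allowlist and the sample .csproj are constructed for the demonstration, and the misspelled package IDs in it are invented rather than the 13 packages the researchers found.

```python
"""Flag NuGet PackageReference IDs that are near-misses of vetted packages.

Added example (not from the article or JFrog). NuGet IDs are case-insensitive,
so comparison is done on lower-cased names; separators (. _ -) are also
stripped so that "Foo.Bar" vs "FooBar" swaps are caught. The allowlist and
sample project file below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Constructed allowlist (assumption: in practice this comes from a curated
# internal feed or a reviewed packages.lock.json, not a hand-typed list).
KNOWN_PACKAGES = [
    "Newtonsoft.Json",
    "Microsoft.Extensions.Logging",
    "Coinbase",
    "Serilog",
]

# Constructed SDK-style .csproj; the misspelled IDs are invented for the demo.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsn" Version="13.0.3" />
    <PackageReference Include="Coinbase" Version="1.0.0" />
    <PackageReference Include="Coinbasse" Version="1.0.0" />
    <PackageReference Include="Serilog" Version="2.12.0" />
    <PackageReference Include="SomeUnrelatedPackage" Version="1.0.0" />
  </ItemGroup>
</Project>"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(pkg_id: str) -> str:
    """Case-fold and drop separators attackers like to toggle."""
    return re.sub(r"[._-]", "", pkg_id.lower())


def package_ids(csproj_xml: str) -> list:
    """Return the Include attribute of every PackageReference in a project."""
    root = ET.fromstring(csproj_xml)
    return [
        el.attrib["Include"]
        for el in root.iter("PackageReference")
        if "Include" in el.attrib
    ]


def find_typosquats(ids, known=KNOWN_PACKAGES, max_distance=2):
    """Return (referenced_id, closest_known_id, distance) for suspect IDs.

    An ID that matches a known package case-insensitively is accepted; one
    that is within max_distance edits of a known package but is not that
    package is reported as a likely typosquat.
    """
    known_lower = {k.lower() for k in known}
    suspects = []
    for pkg in ids:
        if pkg.lower() in known_lower:
            continue
        n = normalize(pkg)
        best = min(known, key=lambda k: levenshtein(n, normalize(k)))
        dist = levenshtein(n, normalize(best))
        if dist <= max_distance:
            suspects.append((pkg, best, dist))
    return suspects


if __name__ == "__main__":
    for pkg, best, dist in find_typosquats(package_ids(SAMPLE_CSPROJ)):
        print(f"SUSPECT {pkg!r}: {dist} edit(s) from vetted package {best!r}")
```

Run against the constructed project file, this reports `Newtonsoft.Jsn` and `Coinbasse` as one edit away from vetted packages, while the exact matches and the unrelated name pass. A fixed edit-distance threshold is a starting point only: for very short IDs, two edits can make unrelated names collide, so a production check should scale the threshold with name length and, more importantly, pin sources with a lock file so an unreviewed ID cannot be restored at all.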
The findings come as Phylum discovered a malicious npm package called mathjs-min that was uploaded to the repository on March 26, 2023, and was found to harbor a credential stealer that grabs Discord passwords from the official app as well as from web browsers such as Google Chrome, Brave, and Opera.