Attackers target .NET Developers with Malicious NuGet Packages

malicious NuGet packages

JFrog experts warned that attackers are targeting .NET developers through malicious packages from the NuGet repository and infecting their systems with malware that steals cryptocurrency.

Let me remind you that we also said that Researchers discovered four npm packages that were collecting user data, and also that Log4j vulnerability threatens 35,000 Java packages.

Also, information security specialists reported that 10 Malicious PyPI Packages Steal Credentials.

The attackers disguise their packages (three of which have been downloaded over 150,000 times in a month) as real-life popular tools using typesquatting.

The researchers note that a large number of downloads may indicate a large number of developers whose systems were compromised, but it is also possible that hackers deliberately used bots to artificially boost the “popularity” of their packages in NuGet.

It is also noted that the attackers used typesquatting when creating their profiles in NuGet, and tried to be like Microsoft developers. The list of packages used by the hackers can be seen below.

Package nameOwnerDownloadspublishedreal package
Coinbase CoreBinanceOfficial121 9002023-02-22Coinbase
Anarchy.Wrapper.NetOfficial Development Team30 4002023-02-21Anarchy Wrapper
DiscordRichPresence.APIOfficial Development Team14 1002023-02-21DiscordRichPresence
Avalon-Net-CorejoeIverhagen12002023-01-03AvalonEdit
Manage.Carasel.NetOfficial Development Team5592023-02-21N/A
asip.net.coreBinanceOfficial2462023-02-22Microsoft.AspNetCore
Sys.Forms.26joeIverhagen2052023-01-03System.Windows.Forms
Azetap.APIDevNuget1532023-02-27N/A
AvalonNetCoreRahul Mohammad672023-01-04AvalonEdit
Json.Manager.CoreBestDeveIopers462023-03-12Standard .NET name
Managed.Windows.Coremahamadrohu372023-01-05Standard .NET name
Nexzor.Graphical.Designer.CoreImpala362023-03-12N/A
Azeta.APISoubata282023-02-24N/A

The malicious packages were designed to download and execute a PowerShell-based dropper script (init.ps1) that configured the infected machine to run PowerShell without restrictions. In this next phase of the attack, the script downloaded and ran the payload, a Windows executable file described by the researchers as a “completely custom payload executable.”

Experts say this is a very unusual approach compared to other attackers who mostly use open-source tools and standard malware instead of creating their own payloads.

The malware eventually deployed on compromised machines could be used to steal cryptocurrency (by exfiltrating victims’ cryptocurrency wallet data via Discord webhooks), extracting and executing malicious code from Electron archives, and automatically updating from the command-and-control server.

Some packages did not contain an obvious malicious payload. Instead, they marked other malicious packages as dependencies, and those already contained a malicious script.the analysts say.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published. Required fields are marked *