Attackers target .NET Developers with Malicious NuGet Packages

malicious NuGet packages

JFrog experts warned that attackers are targeting .NET developers through malicious packages from the NuGet repository and infecting their systems with malware that steals cryptocurrency.

Let me remind you that we also said that Researchers discovered four npm packages that were collecting user data, and also that Log4j vulnerability threatens 35,000 Java packages.

Also, information security specialists reported that 10 Malicious PyPI Packages Steal Credentials.

The attackers disguise their packages (three of which have been downloaded over 150,000 times in a month) as real-life popular tools using typesquatting.

The researchers note that a large number of downloads may indicate a large number of developers whose systems were compromised, but it is also possible that hackers deliberately used bots to artificially boost the “popularity” of their packages in NuGet.

It is also noted that the attackers used typesquatting when creating their profiles in NuGet, and tried to be like Microsoft developers. The list of packages used by the hackers can be seen below.

Package name Owner Downloads published real package
Coinbase Core BinanceOfficial 121 900 2023-02-22 Coinbase
Anarchy.Wrapper.Net Official Development Team 30 400 2023-02-21 Anarchy Wrapper
DiscordRichPresence.API Official Development Team 14 100 2023-02-21 DiscordRichPresence
Avalon-Net-Core joeIverhagen 1200 2023-01-03 AvalonEdit
Manage.Carasel.Net Official Development Team 559 2023-02-21 N/A BinanceOfficial 246 2023-02-22 Microsoft.AspNetCore
Sys.Forms.26 joeIverhagen 205 2023-01-03 System.Windows.Forms
Azetap.API DevNuget 153 2023-02-27 N/A
AvalonNetCore Rahul Mohammad 67 2023-01-04 AvalonEdit
Json.Manager.Core BestDeveIopers 46 2023-03-12 Standard .NET name
Managed.Windows.Core mahamadrohu 37 2023-01-05 Standard .NET name
Nexzor.Graphical.Designer.Core Impala 36 2023-03-12 N/A
Azeta.API Soubata 28 2023-02-24 N/A

The malicious packages were designed to download and execute a PowerShell-based dropper script (init.ps1) that configured the infected machine to run PowerShell without restrictions. In this next phase of the attack, the script downloaded and ran the payload, a Windows executable file described by the researchers as a “completely custom payload executable.”

Experts say this is a very unusual approach compared to other attackers who mostly use open-source tools and standard malware instead of creating their own payloads.

The malware eventually deployed on compromised machines could be used to steal cryptocurrency (by exfiltrating victims’ cryptocurrency wallet data via Discord webhooks), extracting and executing malicious code from Electron archives, and automatically updating from the command-and-control server.

Some packages did not contain an obvious malicious payload. Instead, they marked other malicious packages as dependencies, and those already contained a malicious script.the analysts say.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *