Cryptocurrency thieves target .NET developers in new campaign
.NET developers are being targeted with malware designed to steal their cryptocurrency, new reports have claimed.
Cybersecurity researchers from JFrog recently discovered an active campaign in which malicious packages were uploaded to the NuGet repository for .NET developers to download and use.
When activated, the packages download and run a PowerShell dropper called init.ps1, which changes the endpoint’s settings to allow PowerShell scripts to be executed without restrictions.
Custom payload
This behavior is extremely rare outside of malicious packages, the researchers suggest, “especially when considering the ‘Unrestricted’ enforcement policy, which will immediately trigger a red flag.”
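The red flag the researchers describe can be checked for before a package is installed. The following Python code is an added example, not JFrog's tooling or code from the campaign: it opens a .nupkg (a ZIP archive) and reports any bundled PowerShell script that loosens the execution policy. The sample package, its file names and the extra check for "Bypass" are assumptions made for illustration.

```python
import io
import re
import zipfile

# "-ExecutionPolicy" also matches inside the Set-ExecutionPolicy cmdlet name.
# "Unrestricted" is the value the article names; "Bypass" is an added assumption.
POLICY_RE = re.compile(
    r"(?i)-ExecutionPolicy\b[^\r\n;|]*?\b(Unrestricted|Bypass)\b")

def decode_script(raw: bytes) -> str:
    """PowerShell scripts are often UTF-16 with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def scan_nupkg(data: bytes) -> list[tuple[str, int, str]]:
    """Return (entry name, line number, policy value) for each weakening found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith((".ps1", ".psm1")):
                continue
            text = decode_script(pkg.read(name))
            for lineno, line in enumerate(text.splitlines(), 1):
                if line.lstrip().startswith("#"):
                    continue  # ignore commented-out lines
                match = POLICY_RE.search(line)
                if match:
                    findings.append((name, lineno, match.group(1).capitalize()))
    return findings

def build_sample_nupkg() -> bytes:
    """Constructed package: one policy-changing init.ps1, one benign script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Sample.Pkg.nuspec", "<package/>")
        z.writestr("tools/init.ps1", (
            "# constructed sample, not the real dropper\r\n"
            "Set-ExecutionPolicy -ExecutionPolicy unrestricted -Scope CurrentUser\r\n"
        ).encode("utf-16"))
        z.writestr("tools/install.ps1",
                   "# Set-ExecutionPolicy Unrestricted is not used\nWrite-Host 'ok'\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, lineno, value in scan_nupkg(build_sample_nupkg()):
        print(f"{name}:{lineno}: execution policy set to {value}")
```

A hit is a reason to review the package by hand before installing it, not proof of malice on its own.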
However, if allowed to run uninterrupted, the package will download and execute a “fully customized executable payload” for the Windows environment, the researchers added. This is also rare behavior, analysts say, as hackers often use only open-source tools to save time.
To build legitimacy, the hacker did two things. First, they typosquatted their NuGet repository profile to impersonate Microsoft software developers working on the NuGet .NET package manager.
Second, they inflated the download counts of the malicious packages to extreme levels, to make the packages seem legitimate and downloaded hundreds of thousands of times. While it is still possible that the downloads were genuine, the researchers say, it is more likely that the attackers used bots to artificially increase the numbers and catch developers off guard.
JFrog security researchers said: “The top three packages were downloaded in staggering numbers – this could be an indication that the attack was very successful, infecting a large number of machines. However, this is not a completely reliable indicator of attack success as attackers may have automatically increased the number of downloads (with bots) to make the packages appear legitimate.”
Via: BleepingComputer