Cybersecurity researchers delved into the inner workings of a cryptocurrency stealer malware distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers.
A sophisticated typosquatting campaign, detailed by JFrog late last month, impersonated a legitimate package and ran PowerShell code designed to retrieve follow-on binaries from hardcoded servers.
Ultimately, a persistent .NET-based backdoor called Impala Stealer was deployed to gain unauthorized access to users' cryptocurrency accounts.
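Typosquatting works because a one- or two-character deviation from a well-known package name is easy to miss in a dependency list. The following script is an added example, not code from the article or from JFrog: it parses a NuGet packages.config, compares every package id against an allowlist of names the project is known to depend on, and flags ids that are near misses. The allowlist, the sample packages.config and the package names in it are constructed for illustration and do not refer to the packages in the campaign.

```python
from xml.etree import ElementTree as ET

# Constructed allowlist of package ids a team already depends on (hypothetical, not from the article).
KNOWN_PACKAGES = {"Newtonsoft.Json", "Serilog", "Dapper", "RestSharp", "NLog"}


def edit_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance between two package ids."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def package_ids_from_config(xml_text: str) -> list[str]:
    """Extract the package ids declared in a packages.config document."""
    root = ET.fromstring(xml_text)
    return [p.get("id") for p in root.iter("package") if p.get("id")]


def find_lookalikes(package_ids, known=KNOWN_PACKAGES, max_distance=2):
    """Return (suspect_id, closest_known_id, distance) for ids that are near misses
    of an allowlisted name but not exact (case-insensitive) matches."""
    known_lower = {k.lower() for k in known}
    findings = []
    for pid in package_ids:
        if pid.lower() in known_lower:
            continue  # exact match against the allowlist: nothing to flag
        closest = min(sorted(known), key=lambda k: edit_distance(pid, k))
        d = edit_distance(pid, closest)
        if 0 < d <= max_distance:
            findings.append((pid, closest, d))
    return findings


# Constructed sample packages.config: two ids differ from allowlisted names by one character.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net6.0" />
  <package id="Newtonsoft.Jsn" version="13.0.3" targetFramework="net6.0" />
  <package id="Serilogg" version="2.12.0" targetFramework="net6.0" />
  <package id="Dapper" version="2.0.123" targetFramework="net6.0" />
</packages>
"""

if __name__ == "__main__":
    for pid, known_id, d in find_lookalikes(package_ids_from_config(SAMPLE_CONFIG)):
        print(f"suspicious package id {pid!r}: {d} edit(s) from known package {known_id!r}")
```

In a CI pipeline the same check can run over every project file before restore, with the allowlist sourced from the organization's approved-package list rather than a hardcoded set; a hit is a reason to inspect the package (including any install or init scripts it ships) before it is pulled.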
“The payload used a very rare obfuscation technique called ‘.NET AoT compilation’, which made reverse-engineering the binaries more difficult, but still more efficient than using ‘off-the-shelf’ obfuscation tools. It’s also much more stealthy,” JFrog said in a statement shared with The Hacker News.
.NET AoT compilation is an optimization method that lets an app be pre-compiled to native code. Native AOT apps have faster startup times, a smaller memory footprint, and can run on machines that don’t have the .NET runtime installed.
“Malicious actors used typosquatting techniques to deploy custom malicious payloads […] It targets Exodus crypto wallets and uses code injection to leak victims’ credentials to cryptocurrency exchanges,” said Shachar Menashe, Senior Director of JFrog Security Research.
“Our research proves that no open source software repository is completely trustworthy, so safeguards are needed at every stage of the software development lifecycle to ensure a secure software supply chain.”
The findings come alongside Phylum’s discovery of a malicious npm package named mathjs-min, uploaded to the repository on March 26th, 2023, that was found to harbor a credential stealer designed to retrieve Discord passwords from the official app and from web browsers such as Google Chrome, Brave, and Opera.