NuGet is the package manager for .NET. It enables developers to create, share, and consume useful .NET libraries. NuGet client tools provide the ability to produce and consume these libraries as “packages”.
Background
While attacks on open-source repositories are not new, NuGet has not experienced much malicious activity until now, with the exception of packages designed to distribute phishing URLs.
A sophisticated attack campaign targeting .NET developers has been found using malicious NuGet packages submitted in the public repository. These bogus packages spoof actual packages in order to entice developers and deliver crypto stealers. However, this incident aligns NuGet with NPM and PyPI repositories, which are frequently targeted by cybercriminals: malicious packages submitted to the repository contained code that triggered the download of a second-stage payload.
Working of Attack
It begins by gaining access to the victims’ crypto wallets using Discord webhooks. It then extracts and executes malicious code from Electron archives, allowing it to operate undetected. Finally, the malware maintains its efficacy by constantly upgrading itself via numerous queries to the attacker’s command-and-control server.
Typosquatting is being used by attackers to mimic numerous legitimate software programs. Surprisingly, three of these harmful files have been downloaded over 150,000 times in less than a month.
According to the Jfrog researchers, a huge number of downloads could imply a large number of developers whose computers were stolen, but it is also plausible that hackers utilized bots to artificially enhance the “popularity” of their packages in NuGet.
It is also observed that the attackers attempted to imitate Microsoft developers by using typosquatting when constructing their NuGet profiles. The packages utilized by the hackers are listed below:
| Package Name | Owner | Downloads | Published | Real Package |
| Coinbase Core | BinanceOfficial | 121 900 | 2023-02-22 | Coinbase |
| Anarchy.Wrapper.Net | Official Development Team | 30 400 | 2023-02-21 | Anarchy Wrapper |
| DiscordRichPresence.API | Official Development Team | 14 100 | 2023-02-21 | DiscordRichPresence |
| Avalon-Net-Core | joeIverhagen | 1200 | 2023-01-03 | AvalonEdit |
| Manage.Carasel.Net | Official Development Team | 559 | 2023-02-21 | N/A |
| asip.net.core | BinanceOfficial | 246 | 2023-02-22 | Microsoft.AspNetCore |
| Sys.Forms.26 | joeIverhagen | 205 | 2023-01-03 | System.Windows.Forms |
| Azetap.API | DevNuget | 153 | 2023-02-27 | N/A |
| AvalonNetCore | Rahul Mohammad | 67 | 2023-01-04 | AvalonEdit |
| Json.Manager.Core | BestDeveIopers | 46 | 2023-03-12 | Standard .NET name |
| Managed.Windows.Core | mahamadrohu | 37 | 2023-01-05 | Standard .NET name |
| Nexzor.Graphical.Designer.Core | Impala | 36 | 2023-03-12 | N/A |
| Azeta.API | Soubata | 28 | 2023-02-24 | N/A |
Payloads used in this cybercriminal operation had a low detection rate, and the defender was unable to detect these tools. As a result, just including an anti-malware component in the Microsoft Windows operating system is insufficient for identifying such attacks.
The 13 rogue packages, which had been downloaded more than 160,000 times in the previous month, have since been removed.
“The packages contained a PowerShell script ((init.ps1) that would run upon installation and initiate the download of a second stage payload that could be remotely executed,” JFrog researchers Natan Nehorai and Brian Moussalli explained. This initial script also configures the compromised machine to allow unrestricted PowerShell command execution, allowing the malware to function undetected.
Following that, the malware downloads and executes a second-stage payload, a Windows executable described as a “fully custom executable payload” by JFrog. In contrast to other attackers who normally use open-source hacking tools and commodity malware, this group is taking an unusual approach by developing their own custom payloads.
The payload uses a very rare obfuscation technique dubbed ‘.NET AoT compilation,’ which is a lot more covert than utilizing ‘off the shelf’ obfuscators while still making the binary difficult to reverse engineer. .NET AoT compilation is an optimization approach that allows apps to be compiled to native code ahead of time. Native AOT apps feature a faster startup time, smaller memory footprints, and can run on machines that do not have the .NET runtime installed.
The two-stage attack culminates in the implementation of Impala Stealer, a.NET-based persistent backdoor capable of getting unauthorized access to users’ cryptocurrency accounts.
The use of Coinbase and Discord highlights the persistent reliance on typosquatting strategies, which involve giving false package names that are similar to actual packages in order to deceive developers into downloading them.
Defending against NuGet Attacks
- The first responsibility of a developer should be to avoid importing or installing packages that include typos.
- Several packages replicate the names of well-known and respectable packages, hoping that a programmer will mistakenly add them to their project or list them as a requirement.
- Users can also prevent potentially hazardous packages from being installed by carefully reviewing the installation and initialization scripts for any suspicious code or activity.
- When you run scripts, keep a look out for those that will retrieve and execute resources from external sources.
- When downloading the package locally, be sure no scripts or binary files are accidentally executed.
- A relatively new package’s low download count may signal a risk.