.NET developers are being targeted by malware designed to steal cryptocurrencies, a new report claims.
Cybersecurity researchers at JFrog recently discovered an active campaign where malicious packages were uploaded to NuGet repositories for .NET developers to download and use.
Once activated, the package downloads and runs a PowerShell dropper called init.ps1. This will change the endpoint settings to allow PowerShell scripts to run without restrictions.
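A defender reviewing third-party packages would want a way to surface this behaviour before a package reaches a developer's machine. The following scanner is an added example, not code from JFrog or from the article: it opens a .nupkg (which is a zip archive), looks for install-time PowerShell scripts such as tools/init.ps1, and flags any that loosen the execution policy or pull remote content. The assumption that "run without restriction" corresponds to Set-ExecutionPolicy Unrestricted or Bypass is mine, as is the constructed sample package built in memory for the demonstration.

```python
"""Flag .nupkg archives whose install-time PowerShell scripts loosen the
execution policy or download remote content (added example, constructed data)."""
import io
import re
import zipfile

# NuGet runs tools/init.ps1 and tools/install.ps1 at install time in older
# clients, so any PowerShell under tools/ deserves a look.
SCRIPT_PATTERN = re.compile(r"^tools/(.*/)?(init|install|uninstall)\.ps1$", re.IGNORECASE)
# Assumption: "scripts run without restriction" == execution-policy changes.
LOOSEN_POLICY = re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.IGNORECASE)
FLAG_BYPASS = re.compile(r"-ExecutionPolicy\s+Bypass", re.IGNORECASE)
# Common download primitives a dropper would use to fetch a second stage.
DOWNLOADER = re.compile(r"(Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer)", re.IGNORECASE)


def scan_nupkg(data: bytes) -> list:
    """Return one finding per install-time script; 'reasons' is empty when benign."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            normalized = name.replace("\\", "/")
            if not SCRIPT_PATTERN.match(normalized):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            reasons = []
            if LOOSEN_POLICY.search(text) or FLAG_BYPASS.search(text):
                reasons.append("loosens PowerShell execution policy")
            if DOWNLOADER.search(text):
                reasons.append("downloads remote content")
            findings.append({"script": normalized, "reasons": reasons})
    return findings


def is_suspicious(findings: list) -> bool:
    """True if any install-time script carries at least one indicator."""
    return any(f["reasons"] for f in findings)


def build_sample_package(script_body: str = None) -> bytes:
    """Constructed sample .nupkg: minimal nuspec, empty lib, optional tools/init.ps1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "Sample.Package.nuspec",
            "<package><metadata><id>Sample.Package</id>"
            "<version>1.0.0</version></metadata></package>",
        )
        zf.writestr("lib/netstandard2.0/Sample.Package.dll", b"")
        if script_body is not None:
            zf.writestr("tools/init.ps1", script_body)
    return buf.getvalue()


# Constructed sample scripts (not the real campaign's code).
SUSPICIOUS_INIT = """param($installPath, $toolsPath, $package)
# Loosens the policy so later scripts run unchallenged
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
"""
BENIGN_INIT = """param($installPath, $toolsPath, $package)
Write-Host "Sample.Package installed to $installPath"
"""

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_INIT), ("benign", BENIGN_INIT), ("no-script", None)):
        result = scan_nupkg(build_sample_package(body))
        print(label, "->", "SUSPICIOUS" if is_suspicious(result) else "ok", result)
```

Run it over real packages by reading the .nupkg bytes from disk and passing them to scan_nupkg; a non-empty reasons list is a signal to quarantine the package for manual review rather than proof of malice, since legitimate install scripts occasionally download tooling too.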
Custom payload
That behavior alone was enough of a red flag to justify removing the package, the researchers suggest.
Still, if allowed to operate unabated, the package would download and execute a “fully customized executable payload” for the Windows environment, the researchers added. The analysts note that a custom payload is also unusual, since attackers typically rely on open source tools to save time.
To establish legitimacy, the hackers did two things. First, they typosquatted a NuGet repository profile to impersonate a Microsoft software developer working on the NuGet .NET package manager.
Second, they inflated the download counts of their malicious packages to obscene heights, hundreds of thousands of downloads, to make them appear legitimate. While it is possible that many developers really did download them, the researchers say bots were likely used to artificially inflate the numbers and catch developers off guard.
“The top three packages were downloaded an incredible number of times, which may indicate that the attack was very successful and infected a large number of machines,” said security researchers at JFrog. “However, this is not a completely reliable indicator of a successful attack, as the attackers (using bots) may have automatically increased the number of downloads to make the package look more legitimate.”
Via: BleepingComputer