2023-04-02

Malicious NuGet Packages Target .NET Developers

Category: Threat Actor Activity | Industry: Technology | Level: Tactical | Source: JFrog

Hackers are inserting fake packages into the NuGet repository to infect .NET developers with cryptocurrency stealers. Security researchers from JFrog discovered the attack through three repositories masquerading as legitimate packages, which received over 150,000 downloads combined within a single month. "The top three packages were downloaded an incredible amount of times – this could be an indicator the attack was highly successful, infecting a large amount of machines," as stated by JFrog security researchers. While this could suggest a successful attack, the researchers noted that download figures could have been inflated by bots to make the repositories appear more authentic. The malicious packages include names like 'Coinbase.Core,' 'Anarchy.Wrapper[.]Net,' and 'DiscordRichPresence.API.' The intention behind the illegitimate packages is to download and execute a malicious PowerShell script (init.ps1). This script sets up the infected host with a secondary payload, which JFrog describes as a "completely custom executable payload," although some "packages did not contain any direct malicious payload. Instead, they defined other malicious packages as dependencies, which then contained the malicious script." Cryptocurrency theft was the most common outcome of the infection.
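A triage check for the two delivery paths described above (a bundled init.ps1, or a dependency on a malicious package), as an added example that is not code from JFrog or Anvilogic. It assumes a .nupkg is a zip archive with a .nuspec manifest; `audit_nupkg`, `build_sample` and the `Example.*` package ids are hypothetical names, and the sample packages are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Package names reported on this page (the defanged "[.]" restored for matching).
FLAGGED = {"coinbase.core", "anarchy.wrapper.net", "discordrichpresence.api"}


def audit_nupkg(data: bytes) -> dict:
    """Inspect one .nupkg in memory; nothing is extracted to disk or executed."""
    out = {"id": None, "install_scripts": [], "flagged_dependencies": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base == "init.ps1":  # install-time PowerShell script
                out["install_scripts"].append(name)
            elif base.endswith(".nuspec"):
                # For untrusted input at scale, a hardened XML parser is preferable.
                root = ET.fromstring(pkg.read(name))
                for el in root.iter():
                    tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                    if tag == "id" and out["id"] is None:
                        out["id"] = (el.text or "").strip()
                    elif tag == "dependency" and el.get("id", "").lower() in FLAGGED:
                        # Covers packages with no payload of their own.
                        out["flagged_dependencies"].append(el.get("id"))
    out["needs_review"] = bool(out["install_scripts"] or out["flagged_dependencies"])
    return out


def build_sample(pkg_id: str, deps=(), with_init=False) -> bytes:
    """Constructed sample package: manifest plus an inert placeholder script."""
    dep_xml = "".join(f'<dependency id="{d}" version="1.0.0" />' for d in deps)
    nuspec = (
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>{pkg_id}</id><version>1.0.0</version>"
        f"<dependencies>{dep_xml}</dependencies></metadata></package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{pkg_id}.nuspec", nuspec)
        if with_init:
            z.writestr("tools/init.ps1", "# placeholder, constructed sample\n")
    return buf.getvalue()
```

Legitimate packages also ship init.ps1, so a hit marks a package for manual review of the script rather than confirming it as malicious.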

Anvilogic Scenario:

  • Malicious Script/Package Installs Malware

Anvilogic Use Cases:

  • Package installation
  • Executable Create Script Process
  • Executable File Written to Disk
