Crypto stealers target .NET developers in new campaign
Multiple malicious packages spotted targeting .NET developers
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
.NET developers are being targeted withmalwaredesigned to steal their cryptocurrency, new reports have claimed.
Cybersecurity researchers from JFrog recently spotted an active campaign in which malicious packages were uploaded to the NuGet repository, for .NET developers to download and use.
When activated, the packages download and run a PowerShell dropper called init.ps1, which changes the endpoint’s settings to allow PowerShell scripts to be executed without restrictions.
Custom payloads
That feature alone was enough of a red flag to warrant the package’s elimination, the researchers suggest: “This behavior is extremely rare outside of malicious packages, especially taking into consideration the “Unrestricted” execution policy, which should immediately trigger a red flag.”
Still, if allowed to operate unabated, the package will download and execute a “completely custom executable payload” for the Windows environment, the researchers added. This, too, is rare behavior, the analysts said, as hackers would usually just use open-source tools to cut down on time.
To build up their legitimacy, the hackers did two things. First, they typosquatted their NuGet repository profiles, toimpersonateMicrosoftsoftware developers working on the NuGet .NET package manager.
Thousands of GitHub repositories are littered with malware>Supply chain attacks on open source repositories are reaching new highs>Here are the best ransomware protection tools right now
Second, they inflated the download numbers of the malicious packages to obscene highs, to make it as if the packages were legitimate and downloaded hundreds of thousands of times. While this may still be the case, the researchers said, it is more likely that they used bots to artificially inflate the numbers to catch developers off guard.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“The top three packages were downloaded an incredible amount of times – this could be an indicator that the attack was highly successful, infecting a large amount of machines,” the JFrog security researchers said. “However, this is not a fully reliable indicator of the attack’s success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate.”
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Red One isn’t perfect but it proves we need more action-packed Christmas movies
