Recently, cybersecurity researchers uncovered the techniques used in a sophisticated supply chain attack aimed at .NET developers.
The attack employed 13 malicious NuGet packages, which impersonated legitimate packages, to execute PowerShell code and retrieve a follow-on binary from a hard-coded server.
The attack’s ultimate goal was to deploy Impala Stealer, a .NET-based persistent backdoor, to gain unauthorized access to users’ cryptocurrency accounts.
The Typosquatting Campaign
The attackers used typosquatting techniques to distribute a custom malicious payload. By impersonating legitimate packages, they managed to execute PowerShell code on target systems, which retrieved a follow-on binary from a hard-coded server.
The campaign’s sophistication lay in a rarely seen obfuscation technique, “.NET AoT (ahead-of-time) compilation,” which made the binary harder to reverse engineer and stealthier than one run through off-the-shelf obfuscators.
The second stage of the attack involved the deployment of Impala Stealer, a .NET-based persistent backdoor, which could gain unauthorized access to users’ cryptocurrency accounts.
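A defender-side check for the typosquatting described above, added here as an example that is not part of the original report: it reads the PackageReference entries of a .csproj and flags any package ID that is not on an allowlist but sits within a couple of edits of an allowed name. The allowlist, the sample project file and the lookalike names ("Newtonsoft.Jsn", "Serilogg") are constructed for this illustration; a real audit would load the allowlist from a reviewed policy or lock file.

```python
import xml.etree.ElementTree as ET

# Constructed allowlist: packages this project is expected to depend on.
KNOWN_PACKAGES = {"Newtonsoft.Json", "Serilog", "Microsoft.Extensions.Logging"}

# Constructed sample .csproj; two of the four references are lookalike names.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Jsn" Version="13.0.1" />
    <PackageReference Include="Serilog" Version="2.12.0" />
    <PackageReference Include="Serilogg" Version="1.0.0" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="7.0.0" />
  </ItemGroup>
</Project>"""


def levenshtein(a, b):
    """Case-insensitive edit distance between two package IDs."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_ids(csproj_xml):
    """Return every PackageReference Include value; tolerates the legacy MSBuild xmlns."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter()
            if el.tag.endswith("PackageReference") and el.get("Include")]


def find_lookalikes(ids, known=KNOWN_PACKAGES, max_distance=2):
    """Map each non-allowlisted ID to its closest allowlisted name if within max_distance edits."""
    known_lower = {k.lower() for k in known}
    hits = {}
    for pkg in ids:
        if pkg.lower() in known_lower:
            continue  # exact (case-insensitive) match: nothing to flag
        closest = min(known, key=lambda k: levenshtein(pkg, k))
        dist = levenshtein(pkg, closest)
        if dist <= max_distance:
            hits[pkg] = (closest, dist)
    return hits


if __name__ == "__main__":
    for pkg, (target, dist) in find_lookalikes(package_ids(SAMPLE_CSPROJ)).items():
        print(f"SUSPECT {pkg!r}: {dist} edit(s) from allowlisted {target!r}")
```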
Exfiltration of Sensitive Data
This cryptocurrency stealer campaign combined advanced techniques, typosquatting for delivery and “.NET AoT compilation” for evasion, to avoid detection and gain unauthorized access to users’ cryptocurrency accounts. Its sophistication highlights the need for developers to remain vigilant and adopt robust security measures to protect their systems and users.