Crypto stealers target .NET developers in new campaign

.NET developers are being targeted with malware designed to steal their cryptocurrency, new reports have claimed. Cybersecurity researche...

.NET developers are being targeted with malware designed to steal their cryptocurrency, new reports have claimed.

Cybersecurity researchers from JFrog recently spotted an active campaign in which malicious packages were uploaded to the NuGet repository, for .NET developers to download and use. 

When activated, the packages download and run a PowerShell dropper called init.ps1, which changes the endpoint’s settings to allow PowerShell scripts to be executed without restrictions.

Custom payloads

That feature alone was enough of a red flag to warrant the package’s elimination, the researchers suggest: "This behavior is extremely rare outside of malicious packages, especially taking into consideration the "Unrestricted" execution policy, which should immediately trigger a red flag." 

Still, if allowed to operate unabated, the package will download and execute a “completely custom executable payload” for the Windows environment, the researchers added. This, too, is rare behavior, the analysts said, as hackers would usually just use open-source tools to cut down on time. 

To build up their legitimacy, the hackers did two things. First, they typosquatted their NuGet repository profiles, to impersonate Microsoft software developers working on the NuGet .NET package manager. 

Second, they inflated the download numbers of the malicious packages to obscene highs, to make it as if the packages were legitimate and downloaded hundreds of thousands of times. While this may still be the case, the researchers said, it is more likely that they used bots to artificially inflate the numbers to catch developers off guard. 

"The top three packages were downloaded an incredible amount of times – this could be an indicator that the attack was highly successful, infecting a large amount of machines," the JFrog security researchers said. "However, this is not a fully reliable indicator of the attack's success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate."

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/OMKNIRf
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,183,Video,5,XIAOMI,13,YouTube - 9to5Google,182,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: Crypto stealers target .NET developers in new campaign
Crypto stealers target .NET developers in new campaign
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2023/03/crypto-stealers-target-net-developers.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2023/03/crypto-stealers-target-net-developers.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy