• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
cryptocurrency stealer malware distributed via 13 nuget packages

Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages

You are here: Home / General Cyber Security News / Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages
April 11, 2023

Cybersecurity researchers have thorough the inner workings of the cryptocurrency stealer malware that was distributed by using 13 malicious NuGet deals as element of a offer chain attack targeting .NET developers.

The refined typosquatting marketing campaign, which was detailed by JFrog late previous month, impersonated respectable deals to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server.

The two-stage attack culminates in the deployment of a .NET-based mostly persistent backdoor, referred to as Impala Stealer, which is capable of gaining unauthorized accessibility to users’ cryptocurrency accounts.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


“The payload utilised a quite rare obfuscation approach, named ‘.NET AoT compilation,’ which is a great deal a lot more stealthy than using ‘off the shelf’ obfuscators although however making the binary challenging to reverse engineer,” JFrog instructed The Hacker News in a assertion.

.NET AoT compilation is an optimization system that enables apps to be ahead-of-time compiled to indigenous code. Indigenous AOT applications also have more rapidly startup time and lesser memory footprints, and can operate on a equipment without the need of .NET runtime put in.

The second-stage payload arrives with an car-update mechanism that allows it to retrieve new versions of the executable from a remote location. It more achieves persistence by injecting JavaScript code into Discord or Microsoft Visual Studio Code applications, thus activating the launch of the stealer binary.

Cryptocurrency Stealer Malware

The binary then proceeds to search for the installation of the Exodus Wallet desktop application and inserts JavaScript code into various HTML data files in buy to harvest and exfiltrate delicate facts to a tough-coded Discord webhook.

The JavaScript snippet, for its element, is fetched from an online paste website from wherever it is really previously been deleted. That said, it is really suspected that the code may perhaps have been utilised to steal consumer credentials and obtain other details of desire.

“The bad actors used typosquatting methods to deploy a customized destructive payload […] which targets the Exodus crypto wallet and leaks the victim’s qualifications to cryptocurrency exchanges, by applying code injection,” Shachar Menashe, senior director at JFrog Security Analysis, stated.

Future WEBINARLearn to Protected the Identity Perimeter – Tested Tactics

Enhance your enterprise security with our forthcoming professional-led cybersecurity webinar: Explore Id Perimeter procedures!

Never Pass up Out – Help you save Your Seat!

“Our investigation proves no open resource software repository is absolutely have confidence in-deserving, so basic safety measures should be taken at each individual move of the program progress lifecycle to be certain the program source chain remains protected.”

The conclusions occur as Phylum unearthed a destructive npm deal named mathjs-min that was uploaded to the repository on March 26, 2023, and discovered to harbor a credential stealer that grabs Discord passwords from the formal application as very well as web browsers like Google Chrome, Brave, and Opera.

“This offer is basically a modified edition of the extensively employed Javascript math library mathjs, and was injected with malicious code just after staying forked,” the computer software offer chain security agency mentioned. “The modified version was then published to NPM with the intention of passing it off as a minified model of the authentic mathjs library.”

Observed this short article exciting? Observe us on Twitter  and LinkedIn to read through more exceptional material we article.


Some areas of this post are sourced from:
thehackernews.com

Previous Post: «Cyber Security News Latitude Financial Refuses to Pay Ransom
Next Post: KFC Owner Discloses Data Breach Cyber Security News»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
  • Securing Data in the AI Era
  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord
  • Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • What Security Leaders Need to Know About AI Governance for SaaS

Copyright © TheCyberSecurity.News, All Rights Reserved.