Analysis of the First NuGet (.Net) Malicious Package Attack | JFrog

JFrog Security analyzes a NuGet supply-chain attack delivering Impala Stealer, a custom crypto stealer used against Exodus Wallet via typosquatting NuGet packages. The campaign uses a two-stage payload: a PowerShell init.ps1 that downloads and runs a Windows executable, followed by an updater that injects code into Exodus to exfiltrate credentials via a Discord webhook. #ImpalaStealer #NuGet #ExodusWallet #Rasar #Discord

Keypoints

  • Attackers used typosquatting to propagate 13 malicious NuGet packages impersonating legitimate ones.
  • A two-stage payload executes: an init.ps1 script runs on install to download and execute a Windows executable.
  • The main payload, Impala Stealer, is a .NET AoT-compiled app with an updater and a tool named Rasar for handling Electron Archives.
  • Persistence is achieved via the Run registry key, auto-starting the updater on user login.
  • Code injection into Discord and VS Code enables RuntimeBroker.exe to run on startup and maintain access.
  • Exodus Wallet is targeted by extracting and injecting code into app.asar, then exfiltrating credentials via a hardcoded Discord webhook.

MITRE Techniques

  • [T1195] Supply Chain Compromise – “Using the typosquatting technique, the attackers propagated 13 malicious packages which impersonated legitimate packages.”
  • [T1059.001] PowerShell – “init.ps1 PowerShell script bundled in the malicious package is automatically executed upon installation”
  • [T1105] Ingress Tool Transfer – “The Updater … tries to download an executable from a remote location, then saves it to the path %PROGRAMDATA%\XboxGameBar\RuntimeBroker.exe, and finally executes it.”
  • [T1547.001] Run Keys / Startup Folder – “adds this path to the registry key found at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”
  • [T1055] Process Injection – “payload injects JavaScript code into them, causing them to run RuntimeBroker.exe (the main Impala executable, downloaded by the Updater) on startup.”
  • [T1041] Exfiltration – “hardcoded Discord webhook … containing data about Exodus has been pwned”
  • [T1027] Obfuscated/Compressed Files and Information – “AoT compilation … was probably done as an obfuscation step”

Indicators of Compromise

  • [URL] Discord webhook used for exfiltration – https://discord.com/api/webhooks/1076330498026115102/MLkgrUiivlgAoFWyvkSpLsBE3DMaDZd9cxPK3k9XQPyh6dw55jktV6qfDgxbs5AaY7Py
  • [File] Exodus app archive (resources\app.asar) – %LOCALAPPDATA%\exodus\app-<version>\resources\app.asar (the versioned app directory name varies per install)
  • [File] XboxGameBar\RuntimeBroker.exe – %PROGRAMDATA%\XboxGameBar\RuntimeBroker.exe
  • [File] Rasar (Electron Archive extractor) tool
  • [Directory] %USERPROFILE%\.nuget – checked by the payload to confirm a NuGet-based drop
  • [URL] online paste URL referenced for injected code (paste site) – (paste URL referenced by the payload)
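The keypoints and indicators above translate into three host-side checks: NuGet package caches that bundle a tools\init.ps1 install script, a Run-key value that launches RuntimeBroker.exe from %PROGRAMDATA%\XboxGameBar (the genuine RuntimeBroker.exe lives under Windows\System32), and a Discord webhook URL embedded in the Exodus app.asar. The script below is an added example written for this page, not JFrog's code or tooling; the function names, the `ENV` table and every sample input are constructed so it runs offline, and the webhook in the sample blob is a placeholder rather than the campaign's real indicator. On a live host you would replace `ENV` with `os.environ`, read the Run key via `winreg`, and feed the real app.asar bytes.

```python
import re
from pathlib import PureWindowsPath

# Constructed environment values (hypothetical); use os.environ on a real host.
ENV = {
    "PROGRAMDATA": r"C:\ProgramData",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "USERPROFILE": r"C:\Users\alice",
}


def expand(path):
    """Expand %VAR% references from ENV (os.path.expandvars does this against the real environment)."""
    return re.sub(r"%([A-Za-z_]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def find_install_scripts(nuget_files):
    """Return package ids under %USERPROFILE%\\.nuget\\packages that ship tools\\init.ps1.

    NuGet runs tools\\init.ps1 in the Package Manager Console when the package is installed,
    which is the hook the Impala Stealer packages used.
    """
    hits = set()
    for f in nuget_files:
        parts = PureWindowsPath(f).parts
        lower = [p.lower() for p in parts]
        if ".nuget" not in lower:
            continue
        i = lower.index(".nuget")
        if i + 2 < len(lower) and lower[i + 1] == "packages" and lower[-2:] == ["tools", "init.ps1"]:
            hits.add(parts[i + 2])  # package id directory follows "packages"
    return sorted(hits)


def first_token(cmd):
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def suspicious_run_entries(run_values):
    """Flag HKCU Run values that match the Impala persistence pattern.

    run_values maps value name -> command line, as exported from
    HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns a list of (value name, resolved path, reasons).
    """
    flagged = []
    xbox_dir = expand(r"%PROGRAMDATA%\XboxGameBar").lower()
    for name, cmd in run_values.items():
        p = PureWindowsPath(expand(first_token(cmd)))
        lower = str(p).lower()
        reasons = []
        if p.name.lower() == "runtimebroker.exe" and "\\windows\\system32\\" not in lower:
            reasons.append("RuntimeBroker.exe outside Windows\\System32")
        if lower.startswith(xbox_dir):
            reasons.append("launched from %PROGRAMDATA%\\XboxGameBar")
        if reasons:
            flagged.append((name, str(p), reasons))
    return flagged


# Discord webhook URLs have a fixed shape: numeric id, then an opaque token.
WEBHOOK_RE = re.compile(rb"https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+")


def find_webhooks(asar_bytes):
    """Return Discord webhook URLs embedded in an app.asar blob; a genuine wallet archive has none."""
    return [m.decode() for m in WEBHOOK_RE.findall(asar_bytes)]


# Constructed sample inputs (not real package ids, hosts or indicators).
SAMPLE_NUGET_FILES = [
    r"C:\Users\alice\.nuget\packages\newtonsoft.json\13.0.3\lib\net6.0\Newtonsoft.Json.dll",
    r"C:\Users\alice\.nuget\packages\typosquat.example\1.0.0\tools\init.ps1",
    r"C:\Users\alice\.nuget\packages\typosquat.example\1.0.0\lib\net6.0\typosquat.example.dll",
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"%PROGRAMDATA%\XboxGameBar\RuntimeBroker.exe",
}
SAMPLE_ASAR = (
    b"\x04\x00\x00\x00module.exports=function(){}\x00"
    b"https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN_not_real\x00"
)

if __name__ == "__main__":
    print("packages with init.ps1:", find_install_scripts(SAMPLE_NUGET_FILES))
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN))
    print("webhooks in app.asar:", find_webhooks(SAMPLE_ASAR))
```

The Run-key check deliberately keys on the executable name plus its location rather than on the exact %PROGRAMDATA%\XboxGameBar path alone, so a variant that relocates the dropped binary but keeps the RuntimeBroker.exe masquerade still surfaces; the webhook scan is a plain byte search, which works on the archive without unpacking it because asar stores file contents uncompressed.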

Read more: https://jfrog.com/blog/impala-stealer-malicious-nuget-package-payload/