Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its creator to sneak into cryptocurrency wallet stealers.
The malicious package named “Tracer.Fody.NLog” remained in the repository for nearly six years. This was published on February 26, 2020 by a user named ‘csnemess’. It is impersonating ‘Tracer.Fody’ managed by ‘csnemes’. The package remains available at the time of writing and has been downloaded at least 2,000 times, 19 of which were in the past 6 weeks for version 3.2.4.
“It pretends to be a standard .NET tracing integration, but it actually acts as a stealer for crypto wallets,” said socket security researcher Kirill Boychenko. “Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads the *.wallet.json file, extracts wallet data, and leaks it along with the wallet password to attack Russian actor-controlled infrastructure (176.113.82).[.]163″
The software supply chain security firm said the threat utilized a number of tactics that allowed it to evade casual review, including imitating legitimate maintainers by using names with one letter difference (‘csnemes’ vs. ‘csnemess’), using similar Cyrillic characters in the source code, and hiding the malicious routine within a generic helper function (‘Guard.NotNull’) used during normal program execution.
When the project references the malicious package, it starts working by scanning the default Stratis wallet directory on Windows (“%APPDATA%\\StratisNode\\stratis\\StratisMain”), reading the *.wallet.json file and the password in memory, and exfiltrating it to an IP address hosted in Russia.
“All exceptions are silently caught, so even if the withdrawal fails, the host application continues to run without visible errors, and if the call is successful, the wallet data is silently leaked to the threat actor’s infrastructure,” Boichenko said.
According to Socket, the same IP address was previously used in connection with another NuGet impersonation attack in December 2023, in which the threat actor published a package named “Cleary.AsyncExtensions” under the alias “stevencleary” that included the ability to siphon wallet seed phrases. This package is called to impersonate the AsyncEx NuGet library.
Our findings demonstrate how malicious typosquats that mirror legitimate tools operate covertly and without attracting attention across the open source repository ecosystem.
“Defenders should expect to see similar activity and subsequent implants that extend this pattern,” Socket said. “Possible targets include other logging and tracing integrations, argument validation libraries, and utility packages common in .NET projects.”
Source link
