
"The malicious package, named "Tracer.Fody.NLog," remained on the repository for nearly six years. It was published by a user named "csnemess" on February 26, 2020. It masquerades as "Tracer.Fody," which is maintained by "csnemes." The package continues to remain available as of writing, and has been downloaded at least 2,000 times, out of which 19 took place over the last six weeks for version 3.2.4."
"'It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer,' Socket security researcher Kirill Boychenko said. 'Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled infrastructure in Russia at 176.113.82[.]163.'"
"The software supply chain security company said the threat leveraged a number of tactics that allowed it to elude casual review, including mimicking the legitimate maintainer by using a name that differs by a single letter ("csnemes" vs. "csnemess"), using Cyrillic lookalike characters in the source code, and hiding the malicious routine within a generic helper function ("Guard.NotNull") that's used during regular program execution."
Summary: Tracer.Fody.NLog is a malicious NuGet package that impersonates the legitimate Tracer.Fody package. Its publisher name, csnemess, differs from the real maintainer's, csnemes, by a single letter, and its source uses Cyrillic lookalike characters to disguise identifiers. Published on February 26, 2020, it sat on the repository for nearly six years and accumulated at least 2,000 downloads, including installs in the weeks before the report. The bundled Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, captures the wallet password in memory, and sends everything to attacker-controlled infrastructure in Russia at 176.113.82[.]163. The malicious routine is tucked into the generic Guard.NotNull helper so it runs during ordinary program execution, and it silently swallows exceptions so the host application keeps running and nothing looks wrong.
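The evasion tactics described above (a maintainer name one letter off, Cyrillic lookalikes in identifiers, a payload hidden in a generic helper, a hard-coded exfiltration address, and swallowed exceptions) are all cheap to check for mechanically when triaging a package before it reaches a build. The script below is an added example, not code from the article, from Socket, or from the Tracer.Fody project. It runs those checks over a constructed C# snippet that only reproduces the described tricks and is not the real Tracer.Fody.NLog source; the maintainer list and IOC set are assumptions for the example, and the only identifiers taken from the page are csnemes/csnemess, Guard.NotNull, the *.wallet.json pattern and the address 176.113.82.163.

```python
"""Triage checks for the evasion tactics in the Tracer.Fody.NLog report.

Added example, not code from the article or the Tracer.Fody project.
"""
import re
import unicodedata

# Constructed sample, NOT the real package. The class name contains
# CYRILLIC SMALL LETTER A (U+0430) where Latin 'a' is expected, the
# payload call hides inside the generic Guard.NotNull helper, the
# catch block is empty, and the exfil host and wallet glob are literals.
SAMPLE_SOURCE = '''
namespace Tracer.Fody
{
    public static class Guard
    {
        public static T NotNull<T>(T value, string name)
        {
            try { P\u0430yload.Run(value); } catch { }
            return value;
        }
    }
    static class P\u0430yload
    {
        static readonly string Host = "176.113.82.163";
        static readonly string Glob = "*.wallet.json";
        public static void Run(object value) { }
    }
}
'''

# Assumed reference data for the example.
KNOWN_MAINTAINERS = ["csnemes"]      # legitimate Tracer.Fody maintainer
IOC_IPS = {"176.113.82.163"}         # exfiltration host named in the report
WALLET_GLOB = "*.wallet.json"

IDENT_RE = re.compile(r"[^\W\d]\w*")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMPTY_CATCH_RE = re.compile(r"\bcatch\b(?:\s*\([^)]*\))?\s*\{\s*\}")


def script_of(ch):
    """'Latin' or 'Cyrillic' for a letter, None for digits/punctuation."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    return None


def mixed_script_identifiers(source):
    """Identifiers mixing Latin and Cyrillic letters (homoglyph abuse)."""
    found = set()
    for match in IDENT_RE.finditer(source):
        ident = match.group()
        if len({s for s in map(script_of, ident) if s}) > 1:
            found.add(ident)
    return sorted(found)


def levenshtein(a, b):
    """Edit distance, used to catch one-letter-off maintainer names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_maintainers(candidate, known, max_distance=1):
    """Known maintainers within max_distance edits of candidate (not equal)."""
    c = candidate.lower()
    return [k for k in known if k.lower() != c and levenshtein(c, k.lower()) <= max_distance]


def find_iocs(source, ioc_ips):
    """Hard-coded IPs, the wallet glob and empty catch blocks in source."""
    text = source.replace("[.]", ".")  # accept defanged notation as well
    ips = IP_RE.findall(text)
    return {
        "ips": ips,
        "known_bad": [ip for ip in ips if ip in ioc_ips],
        "wallet_glob": WALLET_GLOB in text,
        "empty_catch": len(EMPTY_CATCH_RE.findall(text)),
    }


def triage(source, maintainer, known=KNOWN_MAINTAINERS, ioc_ips=IOC_IPS):
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = [f"maintainer {maintainer!r} is one edit from {k!r}"
                for k in lookalike_maintainers(maintainer, known)]
    findings += [f"mixed-script identifier {i!r} ({ascii(i)})"
                 for i in mixed_script_identifiers(source)]
    iocs = find_iocs(source, ioc_ips)
    findings += [f"known exfiltration address {ip}" for ip in iocs["known_bad"]]
    if iocs["wallet_glob"]:
        findings.append(f"references wallet files via {WALLET_GLOB}")
    if iocs["empty_catch"]:
        findings.append(f"{iocs['empty_catch']} empty catch block(s) swallow errors")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SOURCE, "csnemess"):
        print("FLAG:", finding)
```

The mixed-script check is deliberately per identifier rather than per file: a file that is entirely Cyrillic (comments, string literals) is legitimate, while a single token that switches script mid-word almost never is. The defanged-notation replacement lets the same IOC set be pasted straight from a report.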
Read at The Hacker News