Full Report
Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its author to sneak in a cryptocurrency wallet stealer. The malicious package, named "Tracer.Fody.NLog," remained on the repository for nearly six years. It was published by a user named "csnemess" on February 26, 2020. It masquerades as "Tracer.Fody,"
Analysis Summary
# Tool/Technique: Tracer.Fody.NLog (Rogue NuGet Package)
## Overview
A malicious NuGet package discovered to be impersonating the legitimate .NET tracing library "Tracer.Fody." Its primary purpose is to function as a cryptocurrency wallet stealer by targeting Stratis wallet data stored on the compromised host system.
## Technical Details
- Type: Malware (Wallet Stealer)
- Platform: Windows (.NET environment)
- Capabilities: Typosquatting, dependency confusion (leveraging repository impersonation), local file scanning, data exfiltration, stealthy error handling.
- First Seen: February 26, 2020 (Published Date)
## MITRE ATT&CK Mapping
- T1588 - Obtain Capabilities
- T1588.002 - Tool
- T1595 - Active Scanning
- T1595.006 - Application Layer Protocol
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- T1057 - Sensitive Data Discovery
- T1057.002 - Local Files
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Impersonation:** Masquerades as the legitimate package "Tracer.Fody" using the name "Tracer.Fody.NLog" and a similarly named author ("csnemess" vs. "csnemes").
- **Cryptocurrency Theft:** Specifically targets the Stratis wallet by scanning the default directory (`%APPDATA%\StratisNode\stratis\StratisMain`) for `*.wallet.json` files.
- **Credential Harvesting:** Reads wallet data and associated passwords from memory or files.
- **Data Exfiltration:** Transmits stolen wallet data and passwords to a remote server.
### Advanced Features
- **Stealth and Evasion:** Hides malicious code within seemingly legitimate helper functions (e.g., `Guard.NotNull`).
- **Cyrillic Character Use:** Utilizes Cyrillic lookalike characters in the source code to further evade casual review.
- **Silent Failure Handling:** All exceptions raised during the scanning or exfiltration process are silently caught, ensuring the host application continues to run normally without visible errors, even if data leakage fails.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: `Tracer.Fody.dll` (embedded), `Tracer.Fody.NLog` (package name).
- Registry Keys: Not applicable/mentioned.
- Network Indicators: `176.113.82[.]163` (C2 server located in Russia).
- Behavioral Indicators: Scanning default Stratis wallet directory (`%APPDATA%\StratisNode\stratis\StratisMain`); attempting network connections to the specified Russian IP.
## Associated Threat Actors
The text links the associated C2 IP address to a previous NuGet impersonation attack in December 2023 involving the package "Cleary.AsyncExtensions" targeting data related to the AsyncEx library, suggesting a consistent threat actor operating within the NuGet ecosystem targeting crypto users.
## Detection Methods
- Signature-based detection: Detecting the presence of the package name `Tracer.Fody.NLog` on the NuGet repository or within project dependencies.
- Behavioral detection: Monitoring processes for attempts to read `.wallet.json` files in the Stratis directory or unauthorized outbound network connections to the known malicious IP.
- YARA rules: Could be developed to detect the embedded malicious DLL based on its specific functions or on the Cyrillic lookalike characters used in the binary's identifiers.
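As an added example (not from the original report), the behavioral indicators above expressed as detection logic run over a constructed Sysmon-style JSON event stream: it flags reads of `*.wallet.json` under the Stratis wallet directory, connections to the C2 address named in the report, and raises a higher-confidence finding when one process does both. The event field names and the log lines are assumptions made for the example.

```python
import fnmatch
import json
from pathlib import PureWindowsPath

# Indicators from the report; everything else here is constructed for the example.
C2_IP = "176.113.82.163"
WALLET_DIR_SUFFIX = PureWindowsPath("StratisNode/stratis/StratisMain")
WALLET_GLOB = "*.wallet.json"

# Constructed sample events (assumed Sysmon-like field names, not a real capture).
SAMPLE_LOG = [
    r'{"EventType":"FileRead","Image":"C:\\app\\MyService.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\StratisNode\\stratis\\StratisMain\\main.wallet.json"}',
    r'{"EventType":"FileRead","Image":"C:\\Windows\\notepad.exe","TargetFilename":"C:\\Users\\alice\\notes.json"}',
    r'{"EventType":"NetworkConnect","Image":"C:\\app\\MyService.exe","DestinationIp":"10.0.0.5"}',
    r'{"EventType":"NetworkConnect","Image":"C:\\app\\MyService.exe","DestinationIp":"176.113.82.163"}',
]


def is_stratis_wallet_read(path):
    """True if `path` is a *.wallet.json file inside the default Stratis wallet directory."""
    p = PureWindowsPath(path)
    # NTFS paths are case-insensitive, so compare the last three directory parts lowercased.
    parent = tuple(x.lower() for x in p.parent.parts[-3:])
    expected = tuple(x.lower() for x in WALLET_DIR_SUFFIX.parts)
    return parent == expected and fnmatch.fnmatch(p.name.lower(), WALLET_GLOB)


def classify_event(event):
    """Map one event to an indicator tag, or None if it matches nothing."""
    kind = event.get("EventType")
    if kind == "FileRead" and is_stratis_wallet_read(event.get("TargetFilename", "")):
        return "stratis-wallet-read"
    if kind == "NetworkConnect" and event.get("DestinationIp") == C2_IP:
        return "c2-connect"
    return None


def scan_events(lines):
    """Return (tag, image, detail) per hit; add a chain finding when one process did both."""
    hits, per_process = [], {}
    for line in lines:
        ev = json.loads(line)
        tag = classify_event(ev)
        if tag is None:
            continue
        hits.append((tag, ev["Image"], ev.get("TargetFilename") or ev.get("DestinationIp")))
        per_process.setdefault(ev["Image"], set()).add(tag)
    for image, tags in per_process.items():
        if {"stratis-wallet-read", "c2-connect"} <= tags:
            hits.append(("wallet-exfil-chain", image, "wallet read and C2 connect by same process"))
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG):
        print(*hit)
```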
## Mitigation Strategies
- **Dependency Vetting:** Strictly vet packages from third-party repositories, especially when the name closely resembles a popular library (typosquatting).
- **Supply Chain Security Tools:** Utilize software supply chain security tools to scan dependencies for suspicious behaviors, age, and author reputation before integration.
- **Principle of Least Privilege:** Ensure applications and compilation processes do not run with excessive permissions that would allow reading sensitive configuration files.
- **Monitor Package Authorship:** Verify package authors match the known maintainers of the targeted legitimate libraries.
## Related Tools/Techniques
- Previous related NuGet impersonation attack targeting the AsyncEx library.
- Expected follow-on implants targeting other common .NET utility, logging, or tracing packages.