Analyzing Impala Stealer – Payload of the first NuGet attack campaign
In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted .NET developers via NuGet malicious packages, and the JFrog Security team was able to detect and report it as part of our regular activity of exposing supply chain attacks.
Using the typosquatting technique, the attackers propagated 13 malicious packages which impersonated legitimate packages, some of which are very popular. The attackers leveraged the NuGet package structure, which allows inserting PowerShell scripts that will be executed upon installation, in order to perform a two-stage attack. In the first stage, the init.ps1 PowerShell script bundled in the malicious package is automatically executed upon installation, in order to download and execute a Windows executable. In the second stage, the downloaded executable installs itself as a persistent backdoor, before targeting the Exodus Wallet desktop application by using code injection, in order to gain access to the user’s cryptocurrency accounts.
Since the payload was referred to by (some of) the malicious packages as Impala, a name we also saw in the payload’s debug strings, we decided to name this custom payload Impala Stealer.
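The first stage described above relies on an init.ps1 script that NuGet runs at install time and that fetches and launches an executable. The following PowerShell is an added example (not code from the JFrog post or from the malware) that enumerates install-time scripts in NuGet's default global packages folder (%USERPROFILE%\.nuget\packages) and flags those containing download-or-execute calls; the pattern list and the function name are this example's own heuristic choices.

```powershell
# Added example: find NuGet packages in the local cache that ship an install-time
# PowerShell script, and flag scripts that download or launch something.
# Assumption: NuGet's default global packages folder under %USERPROFILE%\.nuget\packages.
function Find-SuspiciousNuGetInitScripts {
    param(
        [string]$PackagesRoot = (Join-Path $env:USERPROFILE '.nuget\packages')
    )
    if (-not (Test-Path -LiteralPath $PackagesRoot)) { return @() }

    # Heuristic (this example's own list): cmdlets and .NET calls that fetch
    # remote content, decode embedded blobs, or start processes.
    $downloadOrExec = 'DownloadData|DownloadFile|DownloadString|Invoke-WebRequest|Invoke-RestMethod|Start-Process|Invoke-Expression|\biex\b|FromBase64String'

    # Layout is <packages>\<id>\<version>\tools\init.ps1 (or install.ps1).
    $scripts = Get-ChildItem -LiteralPath $PackagesRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'init.ps1', 'install.ps1' }

    $results = @()
    foreach ($s in $scripts) {
        $rel   = $s.FullName.Substring($PackagesRoot.Length).TrimStart('\')
        $parts = $rel -split '\\'
        $content = Get-Content -LiteralPath $s.FullName -Raw
        $found = @([regex]::Matches($content, $downloadOrExec) |
                   ForEach-Object { $_.Value } | Sort-Object -Unique)
        $results += [pscustomobject]@{
            Package    = $parts[0]
            Version    = $parts[1]
            Script     = $rel
            Suspicious = ($found.Count -gt 0)
            Hits       = ($found -join ', ')
        }
    }
    # Suspicious scripts first, so the ones worth reading are at the top.
    return $results | Sort-Object -Property Suspicious -Descending
}

Find-SuspiciousNuGetInitScripts | Format-Table -AutoSize
```

A hit is a reason to read the script, not proof of malice: legitimate packages do occasionally ship tooling scripts, but a download followed by a process launch in an install-time script is exactly the pattern the campaign used.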
NuGet malicious packages that contained Impala Stealer
(Table of package names; column: Generic .NET name)
Impala Stealer technical analysis
The main payload of the Impala Stealer is an executable file. In this section we will elaborate on the payload’s actions, and what we were able to conclude from its analysis.
The payload’s capabilities can be divided into three types:
The payload is an executable that seems to be a .NET application compiled natively using .NET Ahead of Time (AoT) compilation, which is a process that converts the .NET intermediate language into a native language (in our case – x86-64). This AoT compilation was probably done as an obfuscation step, as native code is harder to reverse engineer than intermediate language binaries:
View of strings from within the binary showing that it is a .NET application compiled AOT
The payload also embeds two additional binary executables:
- A custom updater app that we will analyze later in this post
- Rasar, a tool used for extracting and compressing Electron Archives
High-level overview of Impala Stealer
Impala Stealer and Updater flow graph
Installation and auto-update mechanism
Upon execution, the payload first checks whether the directory %USERPROFILE%\.nuget exists or not. If it doesn’t exist, the payload exits immediately. This is probably a way to make sure that the payload was dropped into the system via NuGet.
Checking for the existence of the %USERPROFILE%\.nuget folder
Afterwards, the payload drops another executable (which was embedded in the original payload) to %LOCALAPPDATA%\Squirrel-2021\Updater.exe, and adds this path to the registry key found at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, in order to make sure that it will be executed every time a user logs in to the system.
Installation of the malware via the Run registry key
This executable, which we dubbed “The Updater,” is a .NET executable that tries to download an executable from a remote location, then saves it to the path %PROGRAMDATA%\XboxGameBar\RuntimeBroker.exe, and finally executes it.
Action performed by the updating mechanism
The URL that is passed to the DownloadData function is the same URL used by the PowerShell script in the NuGet package to download the payload. Hence, we concluded that this executable probably keeps the malware up to date, and protects it from deletion.
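The installation steps above leave three host artifacts: the dropped Updater, the Run-key entry that launches it at logon, and the RuntimeBroker.exe the Updater writes. The following PowerShell is an added triage example (not code from the JFrog post or from the malware) that checks a host for exactly those artifacts; the paths and the Run key are the ones named in the analysis, while the function name and the output layout are this example's own.

```powershell
# Added example: check a Windows host for the Impala Stealer persistence artifacts
# described in the analysis (file paths and Run key taken from the post).
function Get-ImpalaPersistenceFindings {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Dropped binaries at the locations the post names.
    $artifactPaths = @(
        (Join-Path $env:LOCALAPPDATA 'Squirrel-2021\Updater.exe'),
        (Join-Path $env:PROGRAMDATA  'XboxGameBar\RuntimeBroker.exe')
    )
    foreach ($p in $artifactPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p
            $findings += [pscustomobject]@{
                Type   = 'DroppedFile'
                Value  = $p
                Detail = 'size={0} lastWrite={1}' -f $item.Length, $item.LastWriteTime
            }
        }
    }

    # 2. Run-key values pointing at either binary (logon persistence).
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if (Test-Path -LiteralPath $runKey) {
        $run = Get-ItemProperty -LiteralPath $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            $v = [string]$prop.Value
            if ($v -match 'Squirrel-2021\\Updater\.exe' -or $v -match 'XboxGameBar\\RuntimeBroker\.exe') {
                $findings += [pscustomobject]@{
                    Type   = 'RunKeyEntry'
                    Value  = $prop.Name
                    Detail = $v
                }
            }
        }
    }

    # 3. The precondition the payload checks first: %USERPROFILE%\.nuget.
    # Its presence is normal on a developer machine and is reported only as context.
    $nugetDir = Join-Path $env:USERPROFILE '.nuget'
    $state = if (Test-Path -LiteralPath $nugetDir) { 'present (payload would proceed)' } else { 'absent (payload would exit)' }
    $findings += [pscustomobject]@{
        Type   = 'Context'
        Value  = $nugetDir
        Detail = $state
    }

    return $findings
}

Get-ImpalaPersistenceFindings | Format-Table -AutoSize
```

Because the Updater re-downloads RuntimeBroker.exe from the same URL as the original init.ps1, deleting only the main payload is not enough: the Run-key entry and Updater.exe have to go as well, which is why the function reports all three.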
Achieving Persistency through Code Injection
RuntimeBroker.exe (the main Impala executable, downloaded by the Updater) on startup.
Code injected into Discord
Code injected into VS Code
“Liberating” funds from your Exodus Wallet
After establishing itself on the system, Impala begins execution of its main payload.
The payload searches for an installation of the Exodus Wallet Desktop Application. If found, the malware then looks for the file
At the time of writing, this paste was already deleted, and so we couldn’t obtain its contents, but we can speculate about its functionality from the performed operations:
- src\static\wallet.html: Impala adds the URL https://discord.com/ to the Content-Security-Policy, allowing pages to connect to Discord domains.
Code injected into Exodus’ src\static\wallet.html
This is performed in order to allow Impala to exfiltrate sensitive data via a hardcoded Discord webhook: https[:]//discord[.]com/api/webhooks/1076330498026115102/MLkgrUiivlgAoFWyvkSpLsBE3DMaDZd9cxPK3k9XQPyh6dw55jktV6qfDgxbs5AaY7Py
discord.com to the wallet domains:
Code injected into Exodus’ src\app\main\index.js
This is probably done for the same reason as mentioned above (exfiltration through Discord).
- src\app\wallet\index.js: Impala adds the code that it pulled from the online paste after an existing call to
Code injected into Exodus’ src\app\wallet\index.js
src\app\wallet\index.js, and were able to tell that the call to _loadLightningCreds is done after the Exodus Wallet user inserts their password to login to the wallet. At that point, _loadLightningCreds uses the credentials to decrypt several files.
After injecting the malicious code into Exodus, Impala sends a message to the hardcoded Discord webhook mentioned earlier, containing the following data:
user's Exodus has been pwned sorry g
Exodus Detection by Impala
- avatar_url: https[:]//www.startpage[.]com/av/proxy-image?piurl=https%3A%2F%2Fupload.wikimedia.org%2Fwikipedia%2Fen%2F9%2F9b%2FTame_Impala_-_Currents.png&sp=1676686318T1f4463dbc9a9476b9d1c842a525a4dcfb610c3d6875da7a162ab7fc8136a17b2
This message is probably used to notify the attacker about a successful attack.
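The modifications described in this section leave text-level indicators inside the Exodus application files: a discord.com entry in the Content-Security-Policy of wallet.html and a hardcoded discord.com/api/webhooks URL used for exfiltration. The following PowerShell is an added example (not code from the JFrog post or from the malware) that searches an Exodus installation for those indicators. The install root is an assumption (the Squirrel-style default under %LOCALAPPDATA%\exodus); the Electron app code lives in app.asar or, when unpacked, in plain .js and .html files, and both are searched as text.

```powershell
# Added example: look for the Exodus Wallet file modifications described in the
# analysis. Indicator patterns come from the post; the install root is an assumption.
function Find-ExodusTampering {
    param(
        # Assumption: default Exodus install root; override if installed elsewhere.
        [string]$ExodusRoot = (Join-Path $env:LOCALAPPDATA 'exodus')
    )
    if (-not (Test-Path -LiteralPath $ExodusRoot)) {
        Write-Verbose "Exodus not found under $ExodusRoot"
        return @()
    }

    # Patterns tied to the observed modifications:
    #  - a Discord webhook URL (exfiltration channel)
    #  - discord.com inside a Content-Security-Policy attribute (wallet.html change)
    $patterns = @{
        DiscordWebhook = 'discord\.com/api/webhooks/'
        CspDiscord     = 'Content-Security-Policy[^>]*discord\.com'
    }

    # app.asar is a simple archive with the JS/HTML stored uncompressed, so a text
    # search works on it as well as on an unpacked app directory.
    $targets = Get-ChildItem -LiteralPath $ExodusRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'app.asar' -or $_.Extension -in '.js', '.html' }

    $hits = @()
    foreach ($f in $targets) {
        foreach ($name in $patterns.Keys) {
            $m = Select-String -LiteralPath $f.FullName -Pattern $patterns[$name] -List -ErrorAction SilentlyContinue
            if ($m) {
                $hits += [pscustomobject]@{
                    Indicator = $name
                    File      = $f.FullName
                    LastWrite = $f.LastWriteTime
                }
            }
        }
    }
    return $hits
}

Find-ExodusTampering | Format-Table -AutoSize
```

A hit on DiscordWebhook inside Exodus files is a strong signal, since the wallet has no reason to post to a Discord webhook; a CspDiscord hit alone should be confirmed by diffing wallet.html against a clean copy of the same Exodus version, and the LastWrite column helps spot an app.asar rewritten after the installation date.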
In conclusion, supply chain attacks, which have been on the rise in the last few years, should also be considered a serious risk for NuGet developers. Our research team has exposed for the first time a sophisticated attack, in which several malicious packages were propagated, relying on typosquatting techniques and impersonating legitimate packages. According to our analysis, the attack’s payload mainly targets the Exodus Wallet application by injecting it with malicious code meant to leak the victim’s credentials to cryptocurrency exchanges.
.NET developers — see our previous blog post for tips on how to identify and protect yourself from malicious NuGet packages.
Stay up-to-date with JFrog Security Research
In addition to exposing new security vulnerabilities and threats, JFrog provides developers and security teams easy access to the latest relevant information for their software with automated security scanning by JFrog Xray. This includes enhanced CVE metadata and remediation advice.
Follow us for product updates including automated vulnerability and malicious code detection to defend against the latest emerging threats in our research website, security research blog posts, and on Twitter @JFrogSecurity.