Malware Cocktail Dropped on Researchers And Developers Through Trojanized dnSpy App

In a complex malware campaign, hackers targeted cybersecurity experts and developers, distributing a malicious version of the dnSpy .NET app to deploy cryptocurrency stealers, miners, and remote access trojans. 

dnSpy is a widely used debugger and .NET assembly editor for debugging, modifying, and decompiling .NET programs. Security researchers often rely on it when analyzing .NET malware and applications. Although the original creators no longer actively develop the program, the original source code and a new, actively maintained fork are available on GitHub for anyone to clone and modify.

A threat actor recently published a GitHub repository containing a modified version of dnSpy that installs a slew of malware, including cryptocurrency-stealing clipboard hijackers, the Quasar remote access trojan, a miner, and a range of unknown payloads. According to security researchers 0day enthusiast and MalwareHunterTeam, the malicious dnSpy project was initially hosted at https://github[.]com/carbonblackz/dnSpy/ and later moved to https://github[.]com/isharpdev/dnSpy to look more plausible.

The threat actors also built a well-designed, professional-looking website at dnSpy[.]net; that site is currently down. To promote it, they used an effective search engine optimization strategy that placed dnSpy[.]net on Google's first page, and Bing, Yahoo, AOL, and Yandex also ranked the domain highly. As a backup, they bought search engine advertising so the site would appear at the top of search results.

When the malicious dnSpy application is run, it appears to be legitimate software: it lets you open .NET apps, debug them, and perform all of the program's usual operations. At the same time, the malicious dnSpy app [VirusTotal] executes a sequence of commands that create scheduled tasks with elevated permissions.

According to a list of commands provided by MalwareHunterTeam, the malware performs the following operations:

  • Disables Microsoft Defender
  • Uses bitsadmin.exe to download curl.exe to %windir%\system32\curl.exe
  • Uses curl.exe and bitsadmin.exe to download a variety of payloads to the C:\Trash folder and launch them
  • Disables User Account Control

The payloads may be obtained at http://4api[.]net/ and include the following malware:

  • %windir%\system32\curl.exe – The curl program
  • C:\Trash\ck.exe – Unknown
  • C:\Trash\c.exe – Unknown [VirusTotal]
  • C:\Trash\cbo.exe – Unknown [VirusTotal]
  • C:\Trash\cbot.exe – Clipboard Hijacker [VirusTotal]
  • C:\Trash\m.exe – Miner [VirusTotal]
  • C:\Trash\qs.exe – Quasar RAT [VirusTotal]
  • C:\Trash\nnj.exe – Unknown
  • C:\Trash\d.exe – Legitimate Defender Control application to disable Microsoft Defender [VirusTotal]

Both the dnSpy[.]net site and the GitHub repository behind this campaign are now unavailable. Even so, security researchers and developers should stay alert to malicious clones of well-known projects that infect their devices with malware.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.