BOOK THIS SPACE FOR AD
ARTICLE ADHackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.
dnSpy is a popular debugger and .NET assembly editor used to debug, modify, and decompile .NET programs. Cybersecurity researchers commonly use this program when analyzing .NET malware and software.
While the software is no longer actively developed by the initial developers, the original source code and a new actively developed version is available on GitHub to be cloned and modified by anyone.
Malicious dnSpy delivers a cocktail of malware
This week, a threat actor created a GitHub repository with a compiled version of dnSpy that installs a cocktail of malware, including clipboard hijackers to steal cryptocurrency, the Quasar remote access trojan, a miner, and a variety of unknown payloads.
This new campaign was discovered by security researchers 0day enthusiast and MalwareHunterTeam who saw the malicious dnSpy project initially hosted at https://github[.]com/carbonblackz/dnSpy/ and then switching to https://github[.]com/isharpdev/dnSpy to appear more convincing.
Source: MalwareHunterTeam
The threat actors also created a website at dnSpy[.]net that was nicely designed and professional-looking. This site is now down, but you can see a screenshot of the archived version below.
Source:BleepingComputer
To promote the website, the threat actors performed successful search engine optimization to get dnSpy[.]net listed on the first page of Google. This domain was also listed prominently on Bing, Yahoo, AOL, Yandex, and Ask.com.
As a backup plan, they also took out search engine ads to appear as the first item in search results, as shown below.
Source: BleepingComputer
The malicious dnSpy application looks like the normal program when executed. It allows you to open .NET applications, debug them, and perform all the normal functions of the program.
Source: BleepingComputer
However, when the malicious dnSpy application [VirusTotal] is launched, it will execute a series of commands that create scheduled tasks that run with elevated permissions.
In a list of the commands shared with BleepingComputer by MalwareHunterTeam, the malware performs the following actions:
Disables Microsoft Defender Uses bitsadmin.exe to download curl.exe to %windir%\system32\curl.exe. Uses curl.exe and bitsadmin.exe to download a variety of payloads to the C:\Trash folder and launch them. Disables User Account Control.Source: MalwareHunterTeam
The payloads are downloaded from http://4api[.]net/ and include a variety of malware listed below:
%windir%\system32\curl.exe - The curl program. C:\Trash\c.exe - Unknown [VirusTotal] C:\Trash\ck.exe - Unknown C:\Trash\cbot.exe - Clipboard Hijacker [VirusTotal] C:\Trash\cbo.exe - Unknown [VirusTotal] C:\Trash\qs.exe - Quasar RAT [VirusTotal] C:\Trash\m.exe - Miner [VirusTotal] C:\Trash\d.exe - Legitimate Defender Control application to disable Microsoft Defender. [VirusTotal] C:\Trash\nnj.exe - UnknownThe clipboard hijacker (cbot.exe) uses cryptocurrency addresses used in previous attacks with some success. The bitcoin address has stolen 68 bitcoin transactions totaling approximately $4,200.
The cryptocurrency addresses used as part of this campaign are:
Bitcoin: 175A7JNERg82zY3xwGEEMq8EyCnKn797Z4 Ethereum: 0x4dd10a91e43bc7761e56da692471cd38c4aaa426 Tron?: TPRNNuj6gpBQt4PLsNv7ZVeYHyRJGgJA61 Litecoin: LQFiuJQCfRqcR9TjqYmi1ne7aANpyKdQpXAt this time, both the dnSpy[.]net and the GitHub repository used to power this campaign are shut down.
However, security researchers and developers need to constantly be on the lookout for malicious clones of popular projects that install malware on their devices.
Attacks on cybersecurity researchers and developers are not new and are increasingly becoming more common to steal undisclosed vulnerabilities, source code, or gain access to sensitive networks.
Last year, Google and security researchers discovered that state-sponsored North Korean hackers targeted vulnerability researchers using a variety of lures. These lures included fake Visual Studio projects, Internet Explorer zero-day vulnerabilities, malicious cybersecurity companies, and malicious IDA Pro downloads.