Hackers this week targeted cybersecurity researchers and developers as part of a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency thieves, Trojan horses, remote access and minors.
dnSpy is a popular debugger and .NET assembly editor used to debug, modify, and decompile .NET programs. Cyber security researchers commonly use this program when scanning for malware and .NET software.
While the software is no longer actively developed by the original developers, the original source code and a new one actively developed version is available on GitHub to be cloned and edited by anyone.
Malicious dnSpy delivers a malware cocktail
This week, a malicious actor created a GitHub repository with a compiled version of dnSpy that installs a cocktail of malware, including clipboard hackers to steal the cryptocurrency, the Quasar remote access Trojan, a miner and a variety of unknown payloads.
This new campaign was discovered by security researchers 0day passionate and MalwareHunterTeam who saw the malicious dnSpy project initially hosted on https: // github[.]com / carbonblackz / dnSpy / then go to https: // github[.]com / isharpdev / dnSpy to sound more convincing.
Threat actors also created a website on dnSpy[.]net that has been well designed and professional looking. This site is now down, but you can see a screenshot of the archived version below.
To promote the website, the threat actors successfully performed search engine optimization to get dnSpy[.]net listed on the first page of Google. This area was also highlighted on Bing, Yahoo, AOL, Yandex and Ask.com.
As a backup plan, they also removed the search engine ads to show up as the first item in search results as shown below.
The malicious dnSpy application looks like the normal program when it is executed. It allows you to open .NET applications, debug them, and perform all normal program functions.
However, when the malicious dnSpy application [VirusTotal] is started, it will run a series of commands that create scheduled tasks that run with elevated permissions.
In one command list Shared with BleepingComputer by MalwareHunterTeam, the malware performs the following actions:
- Disables Microsoft Defender
- Use bitsadmin.exe to download curl.exe to% windir% system32 curl.exe.
- Use curl.exe and bitsadmin.exe to download a variety of payloads to the C: Trash folder and launch them.
- Disables User Account Control.
Payloads are downloaded from http: // 4api[.]net / and include a variety of malware listed below:
- % windir% system32 curl.exe – The curl program.
- C: Trash c.exe – Unknown [VirusTotal]
- C: Trash ck.exe – Unknown
- C: Trash cbot.exe – Clipboard Hacker [VirusTotal]
- C: Trash cbo.exe – Unknown [VirusTotal]
- C: Trash qs.exe – RAT Quasar [VirusTotal]
- C: Trash m.exe – Miner [VirusTotal]
- C: Trash d.exe – Legit Defender control application to disable Microsoft Defender. [VirusTotal]
- C: Trash nnj.exe – Unknown
The clipboard hijacker (cbot.exe) uses cryptocurrency addresses used in previous attacks with some success. The bitcoin address has 68 stolen bitcoin transactions totaling approximately $ 4,200.
The cryptocurrency addresses used for this campaign are:
At this time, both the dnSpy[.]net and the GitHub repository used to feed this campaign are closed.
However, security researchers and developers must constantly be on the lookout for malicious clones of popular projects that install malware on their devices.
Attacks against cybersecurity researchers and developers are not new and are becoming increasingly common to steal undisclosed vulnerabilities, source code or gain access to sensitive networks.
Last year, Google and security researchers discovered that state-sponsored North Korean hackers were targeting vulnerability researchers with various decoys. These decoys included bogus Visual Studio projects, Internet Explorer zero-day vulnerabilities, malicious cybersecurity companies, and malicious downloads of IDA Pro.
dnSpy-net-win32.zip - 6112e0aa2a53b6091b3d7834b60da6cd2b3c7bf19904e05765518460ac513bfa dnSpy-net-win64.zip - 005526de4599f96a4a1eba9de9d6ad930de13d5ea1a23fada26e1575f4e3cf85 curl.exe - 0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205 c.exe - cabc62b3077c2df3b69788e395627921c309e112b555136e99949c5a2bbab4f2 ck.exe - NA cbot.exe - 746a7a64ec824c63f980ed2194eb7d4e6feffc2dd6b0055ac403fac57c26f783 cbo.exe - e998df840b687ec58165355c1d60938b367edc2967df2a9d44b74ad38f75f439/ qs.exe - 70ad9112a3f0af66db30ebc1ab3278296d7dc36e8f6070317765e54210d06074 m.exe - 8b7874d328da564aca73e16ae4fea2f2c0a811ec288bd0aba3b55241242be40d d.exe - 6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b nnj.exe - NA