Trojanised dnSpy application leveraged for a malware campaign

February 10, 2022

Recent investigations revealed that a malware campaign run by unknown threat actors distributed a trojanised version of the .NET application dnSpy. The threat actors have once again shown that nobody is immune to cyberattacks: this campaign deliberately targets security researchers, analysts, and developers.

dnSpy is a well-known debugger and .NET assembly editor used by security professionals to decompile, modify, and debug .NET programs. Analysts commonly use it when studying and dissecting .NET malware and software.

dnSpy is no longer under active development; however, the original source code and a newer, actively maintained version are still available on GitHub.


The malware campaign that abused dnSpy also abused GitHub.


The threat group created a GitHub repository containing a compiled dnSpy build that installs a large amount of malware. According to researchers, the repository's payloads include clipboard hijackers that steal cryptocurrency, the Quasar remote access trojan, a crypto miner, spyware, and numerous unidentified payloads.

Furthermore, the threat actors built a convincing, professional-looking website at dnSpy[.]net. They promoted it through an aggressive SEO campaign to place it among the top results on search engines such as AOL, ask[.]com, Yahoo, Bing, Yandex, and Google Chrome.

Attacks against developers and researchers are nothing new in the cybersecurity landscape; however, such operations by threat actors have grown sharply over the last couple of years. In these attacks, the criminals mainly aim to steal undisclosed source code and vulnerability details and to gain access to the sensitive, confidential networks of researchers and developers.

Security practitioners need to be wary of malicious clones of well-known projects that install malware on their devices.

In the meantime, both the GitHub repository and the affiliated website are offline and under maintenance. However, the threat posed by malicious clones of well-known projects remains. This dnSpy campaign poses a significant risk because it distributes several payloads that can have severe consequences for many targets.
