This week, a threat actor created a GitHub repository hosting a compiled version of dnSpy that installs a cocktail of malware, including clipboard hijackers to steal cryptocurrency, the Quasar remote access trojan, a miner, and a variety of unknown payloads. This new campaign was discovered by security researchers 0day Enthusiast and MalwareHunterTeam, who saw the malicious dnSpy project initially hosted at https://github[.]com/carbonblackz/dnSpy/ and then moved to https://github[.]com/isharpdev/dnSpy to appear more convincing. The threat actors also created a website at dnSpy[.]net that was nicely designed and professional-looking. At this time, both the website and the GitHub repository used to power this campaign have been shut down.
Analyst Notes
One common tactic for distributing malware, other than delivering payloads with malicious documents in phishing emails, is to trick users into downloading trojanized versions of legitimate software. Always make sure that you are downloading software from the official source. Note that it is not uncommon for pages hosting trojanized software to appear among the top search results when searching for that software.
https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/