
Hackers modify the dnSpy debugger for covert cryptocurrency mining
Researchers from MalwareHunterTeam have uncovered a malicious version of the dnSpy debugger that installs hidden miners and trojans on victims’ computers.
dnSpy is commonly used by researchers and developers to modify and decompile programs. The software is also popular among cybersecurity professionals who analyse .NET malware.
As of this writing, the debugger is no longer maintained by its original developers, but its source code is available on GitHub. There is also a version under active development that anyone can clone and modify. This is exactly what the hackers took advantage of.
The malicious dnSpy variant can install hidden miners, the Quasar Trojan, and software that tampers with the clipboard and steals cryptocurrency.
The cybercriminals even set up a dedicated site to promote their program (unavailable at the time of writing) and launched an advertising campaign in Bing, Yahoo, AOL, Yandex and Ask.com search results.
So far, the malicious dnSpy version is detected only by a few antivirus engines.
In late December 2021, unknown attackers exploited a vulnerability in the popular Log4j library to gain control of servers based on AMD EPYC for mining the Raptoreum cryptocurrency.