Since its introduction the majority of malware authors have shunned .NET as a development platform, despite its relative popularity as a platform for developing legitimate Windows software. There are numerous potential reasons for this, but two in particular that likely have a significant influence on malware authors are .NET code’s reliance on external libraries (few people are likely to want to install a specific version of the .NET Framework in order to support someone trying to steal their banking details) and – as discussed in the first part of this series – the ease with which it can be decompiled.
That said, Forcepoint Security Labs have seen a measurable increase in the amount of .NET-based malware samples being delivered in the wild during 2017.
Article Link: https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting