Data-stealing VS Code extensions removed from official Marketplace

Developers who specialize in writing smart (primarily Ethereum) contracts using the Solidity programming language have been targeted via malicious VS Code extensions that install malware that steals cryptocurrency wallet credentials.

“Based on shared infrastructure and obfuscation characteristics, we attribute all three extensions to a single threat actor, which we track as MUT-9332, that was also behind a recently reported campaign to distribute a Monero cryptominer via backdoored VS Code extensions,” Datadog security researchers have shared.


The unearthed campaign

The three malicious extensions were offered for download on Microsoft’s Visual Studio Code (VS Code) Marketplace.

Solaibot, among-eth, and blankebesxstnion appeared to be legitimate extensions that ostensibly help users with syntax scanning and vulnerability detection.

But instead of increasing security, they undermined it by:

  • Configuring themselves to be loaded whenever VS Code was launched or when a Solidity source file was opened
  • Downloading a malicious file that starts a multi-stage infection chain, which leads to the installation of a credential-stealing extension in any Chromium-based browsers present (extension.zip) and the installation of a separate executable (myau.exe) that also searches for cryptocurrency wallet credentials and browser extensions and captures keystrokes.

Myau.exe employs a variety of evasion techniques: it assesses system configurations to avoid execution in virtualized environments and its code is obfuscated and packed.

“The next-stage component, myaunet.exe, functions primarily as a credential and infostealer. It enumerates LevelDB files within application data directories for Discord, Chromium-based browsers, cryptocurrency wallets, and Electron applications,” the researchers shared.

“The malware modifies the Windows hosts file to sinkhole connections to domains associated with antivirus vendors, sandbox environments, and threat intelligence providers. Additionally, the malware creates a firewall rule via netsh to block outbound connectivity to Microsoft update and telemetry infrastructure, likely to prevent detection and interference from Windows security updates or Defender cloud-based protections.”
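The hosts-file sinkholing quoted above leaves a durable artifact that a defender can check for. The following is an added example (not code from Datadog's report): it parses a hosts file and flags any non-local hostname pinned to a null or loopback address, marking hits against an assumed vendor watchlist; the watchlist domains and the sample hosts content are constructed placeholders.

```python
# Added example, not from the Datadog report: flag hosts-file entries that pin
# non-local hostnames to null/loopback addresses (the sinkhole technique above).
import ipaddress
import os
import sys
from pathlib import Path

NULL_OR_LOOPBACK = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that legitimately map to loopback in a stock hosts file.
STOCK_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                     "ip6-localhost", "ip6-loopback"}
# Assumed watchlist: reserved .example placeholders standing in for the domains
# of the AV, sandbox and threat-intel vendors an organisation actually relies on.
WATCHLIST = ("av-vendor.example", "sandbox-vendor.example", "ti-vendor.example")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop inline and full-line comments
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # malformed line, not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def find_sinkholes(text, watchlist=WATCHLIST):
    """Return suspicious mappings; 'watched' marks hits on the vendor watchlist."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip not in NULL_OR_LOOPBACK or name in STOCK_LOCAL_NAMES:
            continue
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append({"line": line_no, "ip": ip, "host": name, "watched": watched})
    return findings

def default_hosts_path():
    """Location of the live hosts file on the current platform."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32/drivers/etc/hosts"
    return Path("/etc/hosts")

# Constructed sample, not a capture from the campaign.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.internal.test          # developer's own override
0.0.0.0         updates.av-vendor.example
0.0.0.0         api.sandbox-vendor.example # sinkholed, inline comment
127.0.0.1       intel.ti-vendor.example
"""

if __name__ == "__main__":
    for f in find_sinkholes(SAMPLE_HOSTS):
        print("WATCHLIST HIT" if f["watched"] else "review", f)
```

Run it against `default_hosts_path().read_text()` to check a live machine; unwatched loopback overrides still deserve a look, since a developer may have added them deliberately.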

Once the target data is exfiltrated, the malware downloads and executes the Quasar remote access trojan.

How to avoid malicious VS Code extensions

As Koi Security researchers demonstrated last year, publishing malicious extensions on the VS Code Marketplace and hitting a multitude of victims is relatively easy.

The three malicious VS Code extensions spotted by Datadog had been downloaded fewer than 50 times before being removed, but there are indicators that this campaign will likely continue.

“At time of writing, long after the removal of the extensions from the VS Code Marketplace, we observed MUT-9332 make edits to multiple intermediate payloads,” the researchers noted.

Programmers who have downloaded one of the three extensions should check for malicious browser extensions and the presence of other indicators of compromise on their machines.

More importantly, VS Code Marketplace users should vet the extensions they want to download before proceeding with use.

The general advice is:

  • Stick to reputable (verified) publishers
  • Look at reviews for red flags
  • If the extension is open source, inspect the source code for suspicious behavior
  • Consider using trusted security extensions that flag potentially unsafe ones
  • Be on the lookout for typosquatting extensions
