Recent discoveries have revealed a series of malicious Visual Studio Code (VSCode) extensions infiltrating the VSCode marketplace, designed to deliver heavily obfuscated PowerShell payloads. These attacks focus on software developers and the cryptocurrency sector, posing a significant software supply chain risk.

Timeline and Discovery

According to a report by Reversing Labs, these destructive extensions emerged in October 2023 on the VSCode marketplace. "In October 2023, our research team detected a surge of malicious VSCode extensions equipped with downloader capabilities, all linked to the same attack campaign," stated the Reversing Labs report. This campaign was initially reported in early October, and since then, the team has been diligently monitoring its progress.

Additional Findings

A package related to this campaign, targeting the cryptocurrency community, was identified on NPM. Security researcher Amit Assaraf released a separate report corroborating these findings, highlighting similar malicious activities.

Details of Malicious Extensions

The campaign comprises 18 malicious VSCode extensions, specifically targeting cryptocurrency investors and those using productivity tools like Zoom. These extensions, listed as follows, have been uploaded to the VSCode marketplace:

EVM.Blockchain-Toolkit

VoiceMod.VoiceMod

ZoomVideoCommunications.Zoom

ZoomINC.Zoom-Workplace

Ethereum.SoliditySupport

ZoomWorkspace.Zoom (three versions)

ethereumorg.Solidity-Language-for-Ethereum

VitalikButerin.Solidity-Ethereum (two versions)

SolidityFoundation.Solidity-Ethereum

EthereumFoundation.Solidity-Language-for-Ethereum (two versions)

SOLIDITY.Solidity-Language

GavinWood.SolidityLang (two versions)

EthereumFoundation.Solidity-for-Ethereum-Language

On NPM

Attackers uploaded five versions of the package 'etherscancontacthandler,' between versions 1.0.0 and 4.0.0, accumulating 350 downloads in total. To enhance the perception of legitimacy, they manipulated reviews and inflated installation counts.

Technical Analysis

Reversing Labs reports that the extensions shared a common malicious functionality: they were programmed to download obfuscated secondary payloads from questionable domains. Some of these domains deceptively resembled legitimate sites, including 'microsoft-visualstudiocode[.]com' and 'captchacdn[.]com,' alongside others with TLDs like '.lat' and '.ru.' BleepingComputer's investigation revealed that the secondary payloads consisted of heavily obscured Windows CMD files executing covert PowerShell commands. These commands decrypted AES-encrypted data within additional CMD files, delivering and executing further malicious payloads on targeted systems. Notably, a payload identified as %temp%\MLANG.DLL was flagged as malicious by 27 of 71 VirusTotal antivirus engines.
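As an added defender-side example (not code from the Reversing Labs report or from BleepingComputer), the following Python script scans the JavaScript of installed extensions for outbound URLs and flags hosts that borrow a vendor brand name or use one of the TLDs mentioned above. The brand list and trusted-host allowlist are assumptions to be tuned per environment, and the sample source is constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Vendor/brand tokens an attacker might embed in a download domain (assumed list).
BRAND_TOKENS = {"microsoft", "visualstudio", "visualstudiocode", "vscode",
                "zoom", "ethereum", "solidity"}
# Hosts an extension legitimately contacts (assumed allowlist; extend for your fleet).
TRUSTED_HOSTS = {"code.visualstudio.com", "marketplace.visualstudio.com",
                 "update.code.visualstudio.com", "zoom.us", "ethereum.org",
                 "github.com", "raw.githubusercontent.com", "registry.npmjs.org"}
RISKY_TLDS = {"lat", "ru"}  # TLDs called out in the report
URL_RE = re.compile(r"https?://[^\s'\"`<>)\]]+")

def classify_host(host):
    """Return 'trusted', 'risky-tld', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        return "risky-tld"
    # A brand name used as a label of an untrusted host is the typosquat pattern
    if any(tok in re.split(r"[.-]", host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"

def scan_source(text):
    """Map every non-trusted host referenced in source text to its classification."""
    findings = {}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and classify_host(host) != "trusted":
            findings[host] = classify_host(host)
    return findings

def scan_extensions(ext_root):
    """Scan each extension folder's .js files; returns {folder_name: findings}."""
    report = {}
    for ext_dir in sorted(p for p in Path(ext_root).iterdir() if p.is_dir()):
        findings = {}
        for js in ext_dir.rglob("*.js"):
            findings.update(scan_source(js.read_text(errors="ignore")))
        if findings:
            report[ext_dir.name] = findings
    return report

# Constructed sample imitating a downloader stub; not real extension code.
SAMPLE_JS = """
const stage2 = "https://microsoft-visualstudiocode.com/update/bootstrap.cmd";
fetch("https://captchacdn.com/verify").then(r => r.text());
const alt = 'https://cdn-files.lat/payload.cmd';
fetch("https://marketplace.visualstudio.com/_apis/public/gallery");
"""

if __name__ == "__main__":
    for host, verdict in scan_source(SAMPLE_JS).items():
        print(f"{verdict:10s} {host}")
    # Real use: scan_extensions(Path.home() / ".vscode" / "extensions")
```

Treat "lookalike" and "risky-tld" hits as triage leads, not verdicts; an "unknown" host such as a plain CDN still warrants a look at what is fetched and whether it is later executed.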

The threat posed by these malicious VSCode extensions underscores the importance of thoroughly validating software dependencies' safety and authenticity, particularly in the open-source ecosystem. With a growing number of incidents involving harmful npm packages, it's crucial for developers to ensure the integrity of their development environments to mitigate potential supply chain attacks effectively.
