Malicious VS Code Extensions Exposed: Bitcoin Black & Codo AI Infostealer Threat (2026)

Beware the Stealthy Infostealer! A recent discovery by cybersecurity experts has shed light on a cunning new threat lurking within Visual Studio Code extensions. These malicious extensions, cleverly disguised as harmless tools, are capable of stealing sensitive data right under your nose.

The story begins with two seemingly innocent extensions, Bitcoin Black and Codo AI, both found on the VS Code marketplace. Behind the harmless appearance, each delivered a stealthy DLL-based infostealer through a combination of social engineering and technical trickery.

The Koi Security research team published a detailed report on Monday, exposing the inner workings of this campaign. What's unique about this attack is the way the attacker packaged the tools. Bitcoin Black, posing as a cryptocurrency-themed color scheme, and Codo AI, offering a functional coding assistant, both executed hidden scripts that downloaded a malicious payload.

Bitcoin Black raised suspicions with its activation events and PowerShell execution, both uncommon for a legitimate theme. Codo AI went a step further by providing genuine coding features, making it harder to detect during installation and use. The disguise itself is the detail most people miss.
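As an added illustration (not code from the Koi Security report or from the extensions themselves), the Node.js script below applies the heuristic just described to an extension's package.json and bundled script: a colour theme should contribute only themes, and any activation event, code entry point, or process-spawning call is out of place. Both manifests and the source text are constructed samples.

```javascript
// Added example (not code from the report or the extensions): triage a
// VS Code extension manifest plus its bundled script for the traits the
// article describes. A colour theme should only contribute themes; any
// activation event, code entry point or shell-spawning code is a red flag.
const THEME_ONLY_KEYS = new Set(['themes', 'iconThemes', 'productIconThemes']);

// Process-spawning APIs and PowerShell/cmd invocations a theme has no reason to contain.
const SHELL_PATTERNS = [
  /\bchild_process\b/,
  /\b(?:spawn|exec|execSync|spawnSync|execFile)\s*\(/,
  /\bpowershell(?:\.exe)?\b/i,
  /\bcmd(?:\.exe)?\s*\/c\b/i,
  /-(?:EncodedCommand|enc|WindowStyle\s+Hidden|ExecutionPolicy\s+Bypass)\b/i,
];

// Returns a list of human-readable findings; an empty list means nothing suspicious.
function triageExtension(manifest, sourceText) {
  const findings = [];
  const contributeKeys = Object.keys(manifest.contributes || {});
  const looksLikeTheme = contributeKeys.length > 0 &&
    contributeKeys.every((k) => THEME_ONLY_KEYS.has(k));
  const activation = manifest.activationEvents || [];

  if (looksLikeTheme && (activation.length > 0 || manifest.main || manifest.browser)) {
    findings.push(`theme-only extension declares code: main=${manifest.main} ` +
      `activationEvents=${JSON.stringify(activation)}`);
  }
  if (activation.some((e) => e === '*' || e === 'onStartupFinished')) {
    findings.push('activates unconditionally when the editor starts');
  }
  for (const re of SHELL_PATTERNS) {
    const m = sourceText.match(re);
    if (m) findings.push(`source contains shell/process indicator: ${m[0]}`);
  }
  return findings;
}

// Constructed sample: a "theme" that ships code and runs PowerShell on every start.
const suspiciousManifest = {
  name: 'constructed-crypto-theme', version: '0.0.1',
  contributes: { themes: [{ label: 'Crypto Dark', uiTheme: 'vs-dark', path: './themes/dark.json' }] },
  activationEvents: ['*'],
  main: './out/extension.js',
};
const suspiciousSource = "const cp = require('child_process');\n" +
  "exports.activate = () => cp.exec('powershell -WindowStyle Hidden -File stage.ps1');";

// Constructed sample: a genuine theme, which contributes themes and nothing else.
const benignManifest = { name: 'constructed-plain-theme', version: '0.0.1',
  contributes: { themes: [{ label: 'Plain Dark', uiTheme: 'vs-dark', path: './themes/dark.json' }] } };

console.log(triageExtension(suspiciousManifest, suspiciousSource)); // six findings
console.log(triageExtension(benignManifest, ''));                   // []
```

Point it at an installed extension's package.json and main script; any finding is reason to inspect the extension before trusting it.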

The researchers analyzed multiple versions of these extensions and observed rapid improvements. Version 2.5.0 relied on a complex PowerShell routine to download and extract a password-protected ZIP archive. By version 3.3.0, the attacker had streamlined the process, using a hidden batch script to fetch an executable and DLL directly over HTTP, ensuring efficient and stealthy delivery.

The infostealer's capabilities are extensive. It collects clipboard contents, installed programs, running processes, desktop screenshots, stored Wi-Fi credentials, and browser session data. The attacker used DLL hijacking, pairing a legitimate Lightshot executable with their malicious DLL so that the malware runs under the guise of a trusted binary.

Koi Security identified command-and-control (C2) domains designed to receive the exfiltrated data, along with a unique mutex name to prevent multiple instances from running simultaneously. Both extensions were attributed to the same threat actor, experimenting with different lures.

"A developer could install what appears to be a harmless theme or a useful AI tool, and within seconds, their sensitive data is being sent to a remote server," the researchers explained. "This highlights the evolving threat landscape and the need for developers to remain vigilant."

Author: Kieth Sipes