Malicious extensions that install a cryptominer were released just as the weekend started.
Developers using Microsoft’s Visual Studio Code (VSCode) editor are being warned to delete, or at least stay away from, 10 newly published extensions which will trigger the installation of a cryptominer.
The warning comes from researchers at ExtensionTotal, who said possibly as many as 1 million of these malicious extensions, which pretend to be popular development tools, may have been installed since April 4, when they were published on Microsoft’s Visual Studio Code Marketplace. However, the researchers also suspect the threat actors may have inflated the download numbers.
Regardless, once installed, the extensions download and execute a PowerShell loader that establishes persistence, disables security services and deploys the XMRig cryptominer from a remote command and control (C2) server.
It’s the latest in a long line of attempts to trick application and web developers into downloading malware by planting phony tools on sites like GitHub, npm, and others.
The head of a Canadian incident response firm said the ExtensionTotal report describes a “classic” third party supply chain attack that puts a backdoor into an application.
“It’s not a sophisticated attack,” Robert Beggs, CEO of DigitalDefence, said in an interview.
But, he added, there should be multiple layers of defense on a developer’s computer that should prevent compromise: Microsoft Defender, for example, should issue a popup warning that the Windows Registry is about to be changed, or that security defenses are being disabled.
The problem, he said, is that “developers are famous for disabling security controls” and ignoring such warnings. That’s because their focus is making sure the application they’re working on functions as expected.
That’s why CISOs and CIOs should ensure that app developers work on a separate network from the production network, he said.
A Microsoft spokesperson said, “We have removed the extensions, and the publisher was blocked from the VS Marketplace. There’s no action needed from users.”
In an analysis of each malicious tool, ExtensionTotal noted that one tip-off should be that the publisher didn’t verify its listed domain ownership. “Publisher verification is a good practice to ensure the publisher is who they say they are,” said the researchers. “Yet, VSCode publisher verification process is not rigorous enough.”
The 10 malicious extensions and their publishers are:
- Prettier – Code for VSCode (by prettier);
- Discord Rich Presence for VS Code (by Mark H);
- Rojo – Roblox Studio Sync (by evaera);
- Solidity Compiler (by VSCode Developer);
- Claude AI (by Mark H);
- Golong Compiler (by Mark H);
- ChatGPT Agent for VSCode (by Mark H);
- HTML Obfuscator (by Mark H);
- Python Obfuscator for VSCode (by Mark H);
- Rust Compiler for VSCode (by Mark H).
Although the extensions are published under different author names, they share identical code and communicate with the same C2 server to download and execute the same payload, says the report.
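One way to surface that pattern on a developer machine, as an added example that is not from the article or from ExtensionTotal: fingerprint the JavaScript each installed extension ships and flag groups of byte-identical code listed under different publisher names. The directory layout, publisher names and file contents below are constructed for the demo and are not the real extensions' code.

```python
import hashlib
import json
import tempfile
from collections import defaultdict
from pathlib import Path

def extension_fingerprint(ext_dir: Path) -> str:
    """Fingerprint an extension by the content of its shipped .js files, ignoring
    file names, so renamed copies of the same code still collide."""
    digests = sorted(hashlib.sha256(p.read_bytes()).hexdigest()
                     for p in ext_dir.rglob("*.js"))
    return hashlib.sha256("".join(digests).encode()).hexdigest()

def read_manifest(ext_dir: Path) -> tuple[str, str]:
    """Return (publisher, name) from the extension's package.json."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    return manifest.get("publisher", "?"), manifest.get("name", "?")

def find_cloned_extensions(extensions_root: Path) -> dict[str, list[tuple[str, str]]]:
    """Group installed extensions by code fingerprint; keep only groups whose
    byte-identical code is published under more than one publisher name."""
    groups: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for ext_dir in extensions_root.iterdir():
        if (ext_dir / "package.json").is_file():
            groups[extension_fingerprint(ext_dir)].append(read_manifest(ext_dir))
    return {fp: entries for fp, entries in groups.items()
            if len({publisher for publisher, _ in entries}) > 1}

def build_sample(root: Path) -> None:
    """Constructed sample tree shaped like ~/.vscode/extensions: two look-alike
    extensions under different publishers shipping identical code, plus one unrelated one."""
    shared_code = "// constructed placeholder standing in for the shared loader code\n"
    samples = {
        "mark-h.claude-ai-1.0.0": ("mark-h", "claude-ai", "extension.js", shared_code),
        "prettier.prettier-code-1.0.0": ("prettier", "prettier-code", "main.js", shared_code),
        "acme.spellcheck-2.3.1": ("acme", "spellcheck", "extension.js", "exports.activate = () => {};\n"),
    }
    for folder, (publisher, name, js_name, code) in samples.items():
        ext_dir = root / folder
        ext_dir.mkdir(parents=True)
        (ext_dir / "package.json").write_text(json.dumps({"publisher": publisher, "name": name}))
        (ext_dir / js_name).write_text(code)

def demo() -> dict[str, list[tuple[str, str]]]:
    # Build the constructed tree in a temp dir and return the clone groups found in it.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return find_cloned_extensions(Path(tmp))

if __name__ == "__main__":
    print(demo())
```

Point `find_cloned_extensions` at a real `~/.vscode/extensions` directory to run the same check against an actual install; a hit is a reason to look closer, not proof of malice, since forks and re-publications of open-source extensions also share code.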
What makes initial detection of these malicious extensions difficult for the user is that, after the so-called utility is downloaded, it attempts to install the legitimate extension. That way the user still gets the tool they expected.
The PowerShell script tries to run the malicious payload with administrator permissions, says the report. If it doesn’t have the appropriate permissions, the script tries to create another System32 directory and copy the ComputerDefaults.exe file to it. Then, the script creates its own malicious DLL named MLANG.dll and tries to execute it using the ComputerDefaults executable.
The PowerShell script contains the DLLs and the Trojan executable as basic base64 encoded strings, says the report. It decodes the Trojan and writes it, as Launcher.exe, to the directory it created and excluded from monitoring by Windows Defender.
The Launcher.exe communicates with another C2 server, myaunet[.]su, downloading and executing the XMRig tool, used for mining Monero.
Asked how many malicious extensions get into the VSC Marketplace, ExtensionTotal CTO Idan Dardikman said his firm detects some every month. “The combination of minimal security controls and high exposure makes it an attractive target for threat actors,” he said.
End users should stick to reputable code publishers, minimize installed extensions and use tools that can analyze extensions before installing them, he said.
Updated with statements from Microsoft and Idan Dardikman.