Malicious VS Code Extensions Target Windows Solidity Developers to Steal Login Credentials

Datadog Security Research has uncovered a targeted malware campaign aimed at Solidity developers on Windows systems, using malicious Visual Studio Code (VS Code) extensions as the initial attack vector.

Identified as the work of a single threat actor tracked as MUT-9332, this operation deployed three trojanized extensions, solaibot, among-eth, and blankebesxstnion, disguised as legitimate tools for Ethereum blockchain smart contract development.

These extensions, which advertised features such as syntax scanning and vulnerability detection, were published on the official VS Code Marketplace and have since been removed; their download counts were low (fewer than 50 combined).

[Figure: Attack flow overview]

Sophisticated Attack Campaign

Despite their removal, the campaign showcases a complex, multi-stage infection chain designed to steal cryptocurrency wallet credentials and establish persistence on victim systems, highlighting the growing risk of supply chain attacks in development environments.

The attack begins with the extensions executing obfuscated JavaScript code that contacts a command and control (C2) server at solidity[.]bot to retrieve malicious payloads via PowerShell scripts.

According to the report, these scripts, downloaded from URLs like https://solidity[.]bot/a.txt, initiate a convoluted infection process involving multiple intermediate payloads and redundant attack paths to ensure successful deployment.

One path delivers a malicious Chromium-based browser extension (extension.zip) by modifying shortcuts of popular browsers such as Google Chrome and Microsoft Edge to load the malware on startup.
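A defender-side check for the shortcut tampering described above, added here as an example (not code from the report or from the campaign): it parses the StringData of a Windows .lnk file following the MS-SHLLINK layout and flags command-line arguments that side-load a browser extension. The report does not name the switch the campaign used; `--load-extension` and `--disable-extensions-except` are assumed here as the standard Chromium switches for that purpose, and `build_lnk` constructs a minimal shortcut for testing.

```python
import struct
from pathlib import Path

# ShellLinkHeader size, LinkCLSID and LinkFlags bits as laid out in MS-SHLLINK.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # fixed on-disk order
# Assumed: Chromium switches that side-load an unpacked extension (report names none).
SUSPICIOUS_SWITCHES = ("--load-extension", "--disable-extensions-except")

def lnk_string_data(data: bytes) -> dict:
    """Return the StringData fields (name, arguments, ...) of a raw .lnk file."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte IDListSize, then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters
        off += 2
        raw = data[off:off + count * (2 if unicode else 1)]
        off += len(raw)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields

def suspicious_switches(arguments: str) -> list:
    """Extension side-loading switches present in a shortcut's argument string."""
    return [s for s in SUSPICIOUS_SWITCHES if s in arguments.lower()]

def scan_shortcuts(root: str) -> dict:
    """Map each .lnk under root whose arguments side-load an extension to its switches."""
    hits = {}
    for lnk in Path(root).rglob("*.lnk"):
        found = suspicious_switches(lnk_string_data(lnk.read_bytes()).get("arguments", ""))
        if found:
            hits[str(lnk)] = found
    return hits

def build_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk: header plus COMMAND_LINE_ARGUMENTS only (for testing)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, 0x20 | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Point `scan_shortcuts` at the Desktop, Start Menu and pinned-taskbar shortcut folders; a browser shortcut whose arguments load an extension from a user-writable path is worth a closer look.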

[Figure: Execution flow of the extension.zip browser extension]

Data Exfiltration Tactics

Another path deploys an executable, myau.exe, through varied techniques, including a payload hidden as Base64-encoded text within an image file hosted on the Internet Archive.

This pseudo-steganographic approach, though not true steganography, demonstrates the threat actor’s creativity in evading detection.

Myau.exe and its subsequent variant, myaunet.exe, disable Windows Defender, manipulate system recovery settings to prevent termination, and exfiltrate sensitive data like Discord tokens and cryptocurrency wallet credentials to servers such as https://m-vn[.]ws/bird.php.

Additionally, connections to domains linked with the Quasar Remote Access Trojan suggest potential for further compromise.

The shared infrastructure with a previous Monero cryptominer campaign reinforces the attribution to MUT-9332, indicating an ongoing and evolving threat as updated C2 domains and payloads were observed post-detection.

This campaign underscores the urgent need for developers to scrutinize extensions before installation, even from trusted marketplaces, and for organizations to enhance endpoint security to detect such sophisticated threats.

Indicators of Compromise (IoC)

| Type | Value | Context |
|---|---|---|
| VS Code Extension | among-eth (v1.0.2) | Malicious extension used in campaign |
| VS Code Extension | blankebesxstnion (v1.0.2) | Malicious extension used in campaign |
| VS Code Extension | solaibot (v1.4.2) | Malicious extension used in campaign |
| URL | solidity[.]bot | Main C2 server for payload delivery and exfiltration |
| URL | https://myaunet[.]su | Payload delivery for Monero cryptominer |
| URL | https://m-vn[.]ws/bird.php | Exfiltration server for victim data |
| File (SHA256) | extension.zip (e0ca66c1a9a68b319b24a7c6b8fdca219dffd802dd4de2d59f602c4d90f40d6c) | Malicious browser extension |
| File (SHA256) | myau.exe (c5c0228a1e0ba2bb748219325f66acf17078a26165b45728d8e98150377aa068) | Malicious executable, disables security measures |
