VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware
Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that’s under development to its users.
The extensions, named “ahban.shiba” and “ahban.cychelloworld,” have since been taken down by the marketplace maintainers.
Both the extensions, per ReversingLabs, incorporate code that’s designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it.
The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called “testShiba” on the victim’s Windows desktop.
Once the files are encrypted, the PowerShell payload displays a message, stating “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them.”
However, no other instructions or cryptocurrency wallet addresses are provided to the victims, another indication that the malware is likely under development by the threat actors.
The development comes a couple of months after the software supply chain security firm flagged several malicious extensions, some of which masqueraded as Zoom, but harbored functionality to download an unknown second-stage payload from a remote server.
Last week, Socket detailed a malicious Maven package impersonating the scribejava-core OAuth library that secretly harvests and exfiltrates OAuth credentials on the fifteenth day of each month, highlighting a time-based trigger mechanism that’s designed to evade detection.
The library was uploaded to Maven Central on January 25, 2024. It continues to be available for download from the repository.
“Attackers used typosquatting — creating a nearly identical name to trick developers into adding the malicious package,” security researcher Kush Pandya said. “Interestingly, this malicious package has six dependent packages.”
“All of them are typosquatting legitimate packages but share the same groupId (io.github.leetcrunch) instead of the real namespace (com.github.scribejava).”
In adopting this approach, the idea is to boost the malicious library’s perceived legitimacy, thereby increasing the chances that a developer would download and use it in their projects.
