
Cybersecurity researchers have disclosed details of a malware campaign that targets software developers with a new information-stealing tool called Evelyn Stealer, delivered through the Microsoft Visual Studio Code (VS Code) extension ecosystem.
“This malware is designed to exfiltrate sensitive information such as developer credentials and cryptocurrency-related data. A compromised developer environment can also be exploited as an access point to broader organizational systems,” Trend Micro said in an analysis published on Monday.
The effort aims to single out organizations with software development teams that rely on VS Code and third-party extensions, as well as those with access to production systems, cloud resources, or digital assets, it added.
Notably, the campaign was first documented by Koi Security last month, when three malicious VS Code extensions were identified: BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme. The extensions ultimately drop a malicious downloader DLL (‘Lightshot.dll’) that launches a hidden PowerShell command to fetch and execute the second-stage payload (‘runtime.exe’).

This executable is able to decrypt and inject the main stealer payload directly into a legitimate Windows process (‘grpconv.exe’) in memory, then collect and exfiltrate sensitive data to a remote server (‘server09.mentality[.]cloud’) via FTP in the form of a ZIP file. Information collected by the malware includes clipboard contents, installed apps, cryptocurrency wallets, running processes, desktop screenshots, saved Wi-Fi credentials, system information, and credentials and saved cookies from Google Chrome and Microsoft Edge.
Additionally, the malware implements checks to detect analysis and virtual environments, and terminates active browser processes so that data collection proceeds without interference when it extracts cookies or credentials.

To evade detection and forensic tracing, it launches the browser from the command line with the following flags:
- --headless=new, run in headless mode
- --disable-gpu, prevent GPU acceleration
- --no-sandbox, disable the browser security sandbox
- --disable-extensions, prevent interference from legitimate security extensions
- --disable-logging, disable browser log generation
- --silent-launch, suppress launch notifications
- --no-first-run, bypass the initial configuration dialog
- --disable-popup-blocking, allow malicious content to run
- --window-position=-10000,-10000, position the window off-screen
- --window-size=1,1, shrink the window to 1×1 pixels
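As an added illustration (not code from Trend Micro's report), the following Python scores process-creation events for the flag combination described above. The log line format, the flag weights and the threshold are my own assumptions; a genuine headless run from a build tool stays below the threshold, while the off-screen 1×1 launch with the full flag set does not.

```python
import re

# Switches reported in the Evelyn Stealer analysis, weighted by how unusual they
# are for a user-launched browser (weights are my own assumption, not the report's).
STEALTHY_FLAGS = {
    "--headless=new": 2, "--disable-gpu": 1, "--no-sandbox": 2,
    "--disable-extensions": 1, "--disable-logging": 2, "--silent-launch": 2,
    "--no-first-run": 1, "--disable-popup-blocking": 1,
}
BROWSERS = {"chrome.exe", "msedge.exe"}
THRESHOLD = 6  # assumption: tune against a baseline of your own browser launches

def hidden_window_flags(tokens):
    """Geometry switches that keep the window invisible: off-screen position or ~1x1 size."""
    hits = []
    for tok in tokens:
        pos = re.fullmatch(r"--window-position=(-?\d+),(-?\d+)", tok)
        size = re.fullmatch(r"--window-size=(\d+),(\d+)", tok)
        if (pos and min(int(pos[1]), int(pos[2])) < 0) or (size and int(size[1]) * int(size[2]) <= 4):
            hits.append(tok)
    return hits

def score_launch(image, cmdline):
    """Score one process-creation event; returns (score, matched_flags), (0, []) for non-browsers."""
    if image.lower().rsplit("\\", 1)[-1] not in BROWSERS:
        return 0, []
    tokens = cmdline.split()  # the switches never contain spaces, so a plain split suffices
    matched = [t for t in tokens if t in STEALTHY_FLAGS] + hidden_window_flags(tokens)
    score = sum(STEALTHY_FLAGS.get(t, 3) for t in matched)  # geometry hits weigh 3 each
    return score, matched

def suspicious_launches(lines):
    """Parse constructed 'Key: value | Key: value' log lines and keep those at or over THRESHOLD."""
    hits = []
    for line in lines:
        ev = dict(part.split(": ", 1) for part in line.split(" | "))
        score, matched = score_launch(ev["Image"], ev["CommandLine"])
        if score >= THRESHOLD:
            hits.append((ev["ParentImage"], score, matched))
    return hits

# Constructed sample events (not from the report): a stealer-style launch from the
# injected host process, a normal user launch, and a CI-style headless run.
SAMPLE_LOG = [
    "Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | ParentImage: C:\\Windows\\System32\\grpconv.exe | CommandLine: chrome.exe --headless=new --disable-gpu --no-sandbox --disable-extensions"
    " --disable-logging --silent-launch --no-first-run --disable-popup-blocking --window-position=-10000,-10000 --window-size=1,1",
    "Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | ParentImage: C:\\Windows\\explorer.exe | CommandLine: chrome.exe --profile-directory=Default",
    "Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | ParentImage: C:\\tools\\node.exe | CommandLine: chrome.exe --headless=new --disable-gpu --window-size=1280,800",
]
```

Calling `suspicious_launches(SAMPLE_LOG)` returns only the grpconv.exe-parented event; a real deployment would feed it Sysmon Event ID 1 or EDR process-creation records instead of the constructed lines.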

“The downloader [DLL] creates a mutually exclusive (mutex) object to ensure that only one instance of the malware is running at any given time and prevents multiple instances of the malware from running on a compromised host. The Evelyn Stealer campaign reflects the operationalization of attacks against the developer community, which is considered a high-value target given its important role in the software development ecosystem,” Trend Micro said.
This disclosure coincides with the emergence of two new Python-based stealer malware families called MonetaStealer and SolyxImmortal, the former of which also has the ability to target Apple macOS systems and enable comprehensive data theft.
“[SolyxImmortal] leverages legitimate system APIs and widely available third-party libraries to extract and leak sensitive user data to attacker-controlled Discord webhooks,” CYFIRMA said.
“Its design emphasizes stealth, reliability, and long-term access rather than rapid execution or destructive behavior. The malware operates entirely in user space and relies on a trusted platform for command and control, reducing the likelihood of immediate detection while maintaining persistent visibility into user activity.”
