
Cybersecurity researchers have discovered two malicious extensions in the Visual Studio Code (VS Code) marketplace that were designed to deploy in-development ransomware to users.
The extensions, named “ahban.shiba” and “ahban.cychhelloworld”, have since been removed by the marketplace maintainers.
According to ReversingLabs, the extensions incorporate code that invokes PowerShell commands to fetch and execute a PowerShell script payload from a command-and-control (C2) server.

The payload is believed to be ransomware in an early stage of development: it only encrypts files in a folder called “Testshiba” on the victim’s Windows desktop.
Once the files are encrypted, the PowerShell payload displays a message that says, “The files are encrypted. Pay 1 Shiva Coin to Shiva Wallet to recover them.”
However, no further instructions or cryptocurrency wallet address are provided to the victim, indicating that the malware is likely still under development by the threat actors.
The development comes months after the software supply chain security company flagged other malicious extensions. Those extensions spoofed Zoom and were capable of downloading unknown second-stage payloads from remote servers.

Last week, Socket detailed a malicious Maven package that impersonated the scribejava-core OAuth library and secretly harvests and exfiltrates OAuth credentials on the 15th day of each month, a time-based trigger designed to evade detection.
The library was uploaded to Maven Central on January 25th, 2024, and remains available for download from the repository.

“The attackers used typosquatting. They tricked developers by creating almost identical names for the malicious packages,” says security researcher Kush Pandya. “Interestingly, this malicious package has six dependent packages.”
“They all typosquat legitimate packages, but instead of the actual namespace (com.github.scribejava) they share the same groupId (io.github.leetcrunch).”
The idea behind this approach is to increase the perceived legitimacy of the malicious libraries and thus the likelihood that developers will download and use them in their projects.
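The groupId substitution described above is easy to check for in a build file. The following is an added example, not code from Socket or from the article: it parses a pom.xml and flags any dependency whose artifactId is on an allowlist of known libraries but whose groupId differs from the expected one. The allowlist entry for scribejava-core comes from the article; the sample pom.xml and its version numbers are constructed.

```python
import xml.etree.ElementTree as ET

# Known artifactIds and the groupId they legitimately ship under.
# Only the scribejava-core entry is taken from the article; extend this
# allowlist from your own dependency inventory.
EXPECTED_GROUPS = {
    "scribejava-core": "com.github.scribejava",
}

# Constructed sample pom.xml: one genuine dependency and one whose
# artifactId matches but whose groupId is the lookalike namespace.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.github.scribejava</groupId>
      <artifactId>scribejava-core</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>io.github.leetcrunch</groupId>
      <artifactId>scribejava-core</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Maven POMs use a default XML namespace, so every lookup must be qualified.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def find_group_mismatches(pom_xml: str) -> list:
    """Return dependencies whose artifactId is on the allowlist but whose
    groupId differs from the expected one (a typosquatting indicator)."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        expected = EXPECTED_GROUPS.get(artifact)
        if expected and group != expected:
            findings.append({"artifactId": artifact, "groupId": group, "expected": expected})
    return findings


if __name__ == "__main__":
    for f in find_group_mismatches(SAMPLE_POM):
        print(f"suspicious: {f['groupId']}:{f['artifactId']} (expected {f['expected']})")
```

Run against a real pom.xml, the same check should also be applied to the transitive dependencies resolved at build time, since the lookalike package pulls in further packages from the same groupId.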