Malware & Ransomware · HIGH

Malware Alert - Backdoored Open VSX Extension Discovered

Cyber Security News

Basically, a trusted software tool was secretly used to install dangerous malware on computers.

Quick Summary

A popular code editor extension was found backdoored, silently installing malware on developer machines. Over 26,000 users are at risk. Immediate action is required to secure affected systems.

How It Works

The fast-draft extension, available on the Open VSX registry, was compromised to deliver malware. Specifically, versions 0.10.89, 0.10.105, 0.10.106, and 0.10.112 contained malicious code. This code allowed the extension to reach out to a GitHub repository controlled by a threat actor named BlokTrooper. Once installed, the extension executed a shell command that downloaded and ran a remote access trojan (RAT) and a full infostealer on the victim's machine.

This malware operates in a stealthy manner, without any visible warnings to users. Once activated, it pulls a ZIP archive containing multiple attack modules, each designed to target different types of sensitive information. This includes browser credentials, cryptocurrency wallet data, and even clipboard contents, all while the user remains unaware of the ongoing attack.

Who's Being Targeted

The attack primarily affects developers who installed the compromised versions of the fast-draft extension. With over 26,594 downloads, the potential impact is significant. Developers often trust their tools, making them prime targets for supply chain attacks. The malware exploits this trust by hiding within a legitimate extension that many developers rely on daily.

The compromised extension's ability to operate across multiple platforms, including Windows, macOS, and Linux, broadens its reach. This means that any developer using the affected versions could be at risk, regardless of their operating system.

Signs of Infection

Detecting this malware can be challenging due to its stealthy nature. However, users may notice unusual behavior on their machines, such as unexpected network activity or system performance issues. If you have installed versions 0.10.89, 0.10.105, 0.10.106, or 0.10.112, you should be particularly vigilant.

The malware's modules work simultaneously, making it capable of executing multiple attacks at once. This includes stealing passwords from browsers like Chrome and Edge, targeting cryptocurrency wallets, and scanning local files for sensitive information. If you suspect infection, immediate action is crucial.

How to Protect Yourself

Developers should take immediate steps to secure their systems. First, uninstall the fast-draft extension if one of the compromised versions is installed. Next, rotate all stored credentials, including passwords and cryptocurrency wallet seed phrases, to mitigate potential damage.

Network teams should also monitor outbound traffic to the command-and-control server at 195.201.104.53 on ports 6931, 6936, and 6939. Flagging any requests to the GitHub repository used by the attacker can help identify further malicious activity. Staying informed about updates and security practices is essential to prevent future attacks.
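The two checks above (is a compromised fast-draft version installed, and has a host contacted the listed C2 address and ports) can be scripted. The following is an added example, not code from the original article or from the extension's project. It assumes the standard VS Code / VSCodium layout of one `package.json` per extension folder; the publisher id `example`, the clean version `1.2.3`, and the log lines are constructed for illustration, while the version list, IP and ports are the indicators stated in the article.

```python
"""Defender-side check for the backdoored fast-draft Open VSX extension.

The indicators below are the ones listed in the advisory. The publisher id,
the sample manifests and the sample log lines are constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

EXTENSION_NAME = "fast-draft"
COMPROMISED_VERSIONS = {"0.10.89", "0.10.105", "0.10.106", "0.10.112"}
C2_IP = "195.201.104.53"
C2_PORTS = {6931, 6936, 6939}


def is_compromised_manifest(manifest: dict) -> bool:
    """True when an extension package.json names fast-draft at a backdoored version."""
    return (manifest.get("name") == EXTENSION_NAME
            and str(manifest.get("version", "")) in COMPROMISED_VERSIONS)


def find_compromised_extensions(extensions_dir) -> list[str]:
    """Walk <extensions_dir>/*/package.json (VS Code / VSCodium layout) and report hits."""
    hits = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, it cannot be classified
        if is_compromised_manifest(manifest):
            hits.append(f"{manifest.get('publisher', '?')}.{manifest['name']}@{manifest['version']}")
    return hits


# key=value firewall / flow-log line; field order does not matter
_FIELD = re.compile(r"(\w+)=(\S+)")


def flag_c2_connections(log_lines) -> list[dict]:
    """Return outbound flows to the C2 address; the known RAT ports are high confidence,
    any other port to the same address is still worth a look (medium confidence)."""
    findings = []
    for line in log_lines:
        fields = dict(_FIELD.findall(line))
        if fields.get("dst") != C2_IP:
            continue
        try:
            dport = int(fields.get("dport", ""))
        except ValueError:
            dport = None
        findings.append({
            "src": fields.get("src"),
            "dport": dport,
            "confidence": "high" if dport in C2_PORTS else "medium",
        })
    return findings


SAMPLE_LOG_LINES = [  # constructed sample traffic using TEST-NET addresses for non-C2 hosts
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "ts=2024-01-01T10:00:07Z src=10.0.0.5 dst=195.201.104.53 dport=6936 proto=tcp",
    "ts=2024-01-01T10:00:09Z src=10.0.0.7 dst=195.201.104.53 dport=8080 proto=tcp",
    "ts=2024-01-01T10:01:00Z src=10.0.0.9 dst=198.51.100.1 dport=53 proto=udp",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # two constructed manifests: one backdoored version, one clean (version 1.2.3 is made up)
        for folder, version in (("example.fast-draft-0.10.105", "0.10.105"),
                                ("example.fast-draft-1.2.3", "1.2.3")):
            d = Path(tmp) / folder
            d.mkdir()
            (d / "package.json").write_text(json.dumps(
                {"publisher": "example", "name": "fast-draft", "version": version}))
        print("extensions to remove:", find_compromised_extensions(tmp))
    for finding in flag_c2_connections(SAMPLE_LOG_LINES):
        print("C2 contact:", finding)
```

Point `find_compromised_extensions` at the real extensions folder (for example `~/.vscode/extensions` or the VSCodium equivalent) and feed `flag_c2_connections` exported flow or firewall lines in `key=value` form; a medium-confidence hit means the host reached the C2 address on a port the article does not list, which still merits triage given that the uninstall alone does not undo credential theft.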

🔒 Pro insight: The use of a trusted extension for malware delivery highlights the need for rigorous supply chain security assessments.

Original article from Cyber Security News · Tushar Subhra Dutta
