
Malicious Microsoft VS Code Extensions Utilized in Cryptojacking Campaign


An unidentified threat actor has been discovered executing an extensive, sophisticated cryptojacking campaign by using a series of malicious extensions in Visual Studio Code, the lightweight source-code editor developed by Microsoft, as reported by a group of security researchers.

According to details shared exclusively with Infosecurity, a team of cybersecurity experts from ExtensionTotal, a newly established cybersecurity startup, found that a total of nine extensions recently uploaded to the VS Code marketplace were identified as malicious.

These malevolent extensions were all uploaded after April 4 by three different authors, with one author, known as ‘Mark H,’ being the main perpetrator. Within just three days, over 300,000 installations were recorded. The most popular extension, ‘Discord Rich Presence,’ accrued 189,000 installs alone.

Itay Kruk, co-founder of ExtensionTotal and a former product manager at Zscaler, stated that these extensions are impostor VS Code extensions, and all nine are part of the same malicious campaign. They act as initial access points in a well-planned multi-stage cryptomining campaign.

Alarmingly, these malicious extensions remain active at the time of writing.

The nefarious activities were orchestrated through the deployment of seven malicious extensions by ‘Mark H.’ These extensions include ‘Discord Rich Presence for VS Code,’ ‘Claude AI,’ ‘Golang Compiler,’ ‘Rust Compiler for VSCode,’ ‘ChatGPT Agent for VSCode,’ ‘HTML Obfuscator for VSCode,’ and ‘Python Obfuscator for VSCode.’

Another extension, ‘Rojo – Roblox Studio Sync,’ was uploaded by ‘evaera’ and garnered 117,000 downloads. The final extension, ‘Solidity Compiler,’ was published by VSCode Developer and has acquired 1,300 installs.

Yuval Ronen, Security Researcher at ExtensionTotal and author of the report, noted that the rapid escalation in installation counts indicates potential artificial inflation to boost credibility and allay user suspicion.

Kruk emphasized that the exploitation of trust metrics in the extension ecosystem by inflating install counts is a significant vulnerability being exploited by attackers.

Upon installation, all nine extensions clandestinely download and execute a PowerShell script that disables Windows security, establishes persistence through scheduled tasks, and installs an XMRig cryptominer from a remote command-and-control (C2) server.

XMRig is widely used, legitimate mining software for Monero (XMR) and other cryptocurrencies that rely on the RandomX or CryptoNight algorithms. It has become a popular tool among malicious actors for covertly mining cryptocurrency on compromised devices without the consent of the device owners.

Kruk disclosed to Infosecurity that the attackers devised a sophisticated multi-stage attack, even installing the legitimate extensions they were impersonating to evade detection while running cryptocurrency mining operations in the background. Each malicious extension contains identical malicious code, connects with the same C2 server, and downloads the same malicious payload, suggesting a common origin.

The C2 domain ‘asdf11[.]xyz’ was created on April 4, the same day the first set of extensions was released. Although ExtensionTotal routinely detects malicious extensions in the VSCode marketplace, Kruk acknowledged that this particular scheme stands out for its sophistication and impact.

The researchers from ExtensionTotal promptly reported the findings on the malicious extensions to Microsoft and detailed their discoveries in a blog post.

Despite reaching out to Microsoft for comment, Infosecurity had not received a response from the tech giant by the time of publication.

This incident is a stark reminder of how threat actors adapt their tactics, here abusing marketplace trust metrics and impersonating popular extensions, to compromise developer systems for illicit gain. The work of security researchers in uncovering and reporting such campaigns remains crucial to safeguarding the extension ecosystem and limiting the risk they pose.
