- Reversing Labs and Assaraf discover campaign targeting software and web3 devs
- Multiple packages were hiding weaponized code that deploys stage-two malware
- The malicious intent was very difficult to spot
Software developers, especially those working on web3 and cryptocurrency projects, are being targeted in a brand new software supply chain attack, experts have claimed.
Security researcher Amit Assaraf published a new blog post outlining how he had observed dozens of malicious Visual Studio Code extensions on the VSCode marketplace designed to download well-hidden second-stage payloads from shady domains (some in Russia).
A similar report was recently published by cybersecurity researchers Reversing Labs, who said that the campaign most likely started in October 2024.
Heavily obfuscated files
“Throughout October 2024, the RL research team saw a new wave of malicious VSCode extensions containing downloader functionality — all part of the same campaign,” the researchers said. “The community was first notified of this campaign taking place in early October, and since then, the team has been steadfast in tracking it.”
The packages are designed for tools like Zoom, Solidity (a programming language for smart contracts on Ethereum, among others), and more. Similar packages were found on NPM, as well.
While both Reversing Labs and Assaraf did not analyze the second-stage payload, BleepingComputer says it is a “heavily obfuscated Windows CMD file” that launches a hidden PowerShell command. Its goal is to decrypt AES-encrypted strings in additional CMD files, to drop further payloads, including malware that gets flagged by just 27 out of 71 antivirus engines.
While the number of compromised endpoints is difficult to determine, Assaraf says it’s most likely in the thousands. He added that the attack was very difficult to spot, since the packages check all the right boxes:
“Looking closely, you can see it has several great indicators for it being real, the high number of installs, the official Zoom Github repo, the positive reviews. Going into the publisher page we continue to get positive reinforcements,” he said. “The domain name looks great, it has the official support email, it has all the official socials, everything checks out.”
The only thing developers can do is exert care when downloading software packages. “Don’t trust – verify” is the usual mantra, especially within the cryptocurrency community.
Via BleepingComputer