Malicious VS Code Extensions Deploy Advanced Infostealer: A Deep Dive
A recent discovery by cybersecurity researchers has shed light on a sophisticated cyber threat targeting Visual Studio Code (VS Code) users. The threat involves two malicious extensions, Bitcoin Black and Codo AI, which have been found to steal sensitive information from unsuspecting developers.
These extensions, available on the VS Code marketplace, employ a cunning strategy by combining social engineering and technical disguise. Bitcoin Black, disguised as a cryptocurrency-themed color scheme, and Codo AI, offering a functional coding assistant with ChatGPT and DeepSeek integration, both execute hidden scripts that download a payload. This payload uses a bundled version of the Lightshot screenshot tool paired with a malicious DLL, enabling the infostealer to operate stealthily.
The Koi Security research team's report reveals a concerning trend. Bitcoin Black, despite its seemingly harmless theme, uses activation events and PowerShell execution, techniques that are uncommon in legitimate color themes, which normally ship no executable code at all. Codo AI takes it a step further by providing genuine coding features, allowing the attacker to avoid suspicion during installation and use. As the extensions evolved, the attackers refined their approach. Version 2.5.0 relied on a complex PowerShell routine to download a password-protected ZIP archive, with fallback methods for extraction. By version 3.3.0 the delivery chain was streamlined: a hidden batch script fetched an executable and a DLL directly over HTTP, and a marker file was used to prevent repeated execution.
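The observation above, that a color theme has no reason to declare activation events or run PowerShell, can be turned into a simple triage check. The following Python script is an added illustration, not code from the Koi Security report or from the extensions themselves; it applies that heuristic to constructed sample manifests and a constructed JavaScript snippet, and its `SUSPICIOUS_CODE` token list is an assumption chosen for the demonstration, not an indicator taken from the report.

```python
import json
import re

# Tokens in an extension's JavaScript that merit manual review (constructed list, an assumption).
SUSPICIOUS_CODE = re.compile(
    r"child_process|powershell|cmd\.exe|Invoke-WebRequest|Expand-Archive|\.bat\b",
    re.IGNORECASE,
)


def triage_manifest(manifest: dict) -> list:
    """Return findings for one VS Code extension manifest (the parsed package.json)."""
    findings = []
    contributes = manifest.get("contributes", {})
    # A pure color theme only needs 'contributes.themes'; it has no code entry point.
    is_theme = bool(contributes.get("themes") or contributes.get("iconThemes"))
    has_code = "main" in manifest or "browser" in manifest
    events = manifest.get("activationEvents", [])
    if is_theme and has_code:
        findings.append("theme ships an executable entry point: %s" % manifest.get("main", manifest.get("browser")))
    if is_theme and events:
        findings.append("theme declares activationEvents: %s" % ", ".join(events))
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates at startup without a user action")
    return findings


def triage_source(js_source: str) -> list:
    """Return the suspicious tokens found in an extension's JavaScript, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in SUSPICIOUS_CODE.finditer(js_source)})


# Constructed sample manifests; these are not the real extensions' files.
THEME_ONLY = json.loads("""{
  "name": "plain-theme", "version": "1.0.0",
  "contributes": {"themes": [{"label": "Plain", "uiTheme": "vs-dark", "path": "./themes/plain.json"}]}
}""")
SUSPECT = json.loads("""{
  "name": "crypto-theme", "version": "2.5.0",
  "main": "./extension.js",
  "activationEvents": ["onStartupFinished"],
  "contributes": {"themes": [{"label": "Crypto", "uiTheme": "vs-dark", "path": "./themes/crypto.json"}]}
}""")
SUSPECT_JS = 'require("child_process").exec("powershell -File update.ps1");'  # constructed sample

if __name__ == "__main__":
    for name, m in (("plain-theme", THEME_ONLY), ("crypto-theme", SUSPECT)):
        print(name, triage_manifest(m) or "no findings")
    print(triage_source(SUSPECT_JS))
```

On a real machine the same functions can be fed each `package.json` under the user's extensions directory; a finding is a reason to read the extension's code, not proof of malice.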
The infostealer's capabilities are extensive, collecting clipboard contents, installed programs, running processes, desktop screenshots, stored WiFi credentials, and browser session data. One of the key techniques used is DLL hijacking, where the legitimate Lightshot executable is paired with the attacker's DLL, allowing the malware to run under the guise of a trusted binary.
Koi Security identified command-and-control (C2) domains designed to receive exfiltrated data and a unique mutex name to prevent simultaneous execution. The researchers attributed both extensions to the same threat actor, who is experimenting with different lures. This discovery highlights the evolving nature of cyber threats and the importance of developer tool security. As developers, it is crucial to remain vigilant and cautious when installing extensions, as even seemingly harmless themes or AI tools can have hidden malicious intent. The attack surface for developer tools is expanding, and attackers are becoming more sophisticated, making it essential to stay informed and protect sensitive information.