- Prettier Code for VSCode (by prettier)
- Discord Rich Presence for VS Code (by Mark H)
- Rojo Roblox Studio Sync (by evaera)
- Solidity Compiler (by VSCode Developer)
- Claude AI (by Mark H)
- Golong Compiler (by Mark H)
- ChatGPT Agent for VSCode (by Mark H)
- HTML Obfuscator (by Mark H)
- Python Obfuscator for VSCode (by Mark H)
- Rust Compiler for VSCode (by Mark H)

Although the extensions are published under different author names, they share identical code and communicate with the same C2 server to download and execute the same payload, says the report.

What makes initial detection difficult for the user is that, after the so-called utility is downloaded, it attempts to install the legitimate extension, so the user still gets the tool they expected.

The PowerShell script tries to run the malicious payload with administrator permissions, says the report. If it does not have the appropriate permissions, the script tries to create another System32 directory and copy the ComputerDefaults.exe file into it. It then creates its own malicious DLL, named MLANG.dll, and tries to execute it via the ComputerDefaults executable.

The PowerShell script contains the DLLs and the Trojan executable as plain base64-encoded strings, says the report. It decodes the Trojan and writes it, as Launcher.exe, to the directory it created and excluded from Windows Defender monitoring.

Launcher.exe communicates with another C2 server, myaunet[.]su, downloading and executing the XMRig tool, which mines Monero.
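As an added example (not from the report or the article), a small Python triage script that flags the chain described above in Sysmon-style process, image-load and network records: ComputerDefaults.exe or MLANG.dll running from anywhere other than the real System32, the Launcher.exe name, a Defender exclusion being added from PowerShell, and contact with the named C2. The record layout, the Add-MpPreference check and the sample events are assumptions constructed for the demonstration.

```python
import ntpath
import re

REAL_SYSTEM32 = r"c:\windows\system32"
WATCHED_BINARIES = {"computerdefaults.exe", "mlang.dll"}  # names given in the report
DROPPER_NAME = "launcher.exe"                               # name given in the report
C2_DOMAIN = "myaunet.su"                                     # C2 named (defanged) in the report
# Assumption: the exclusion is added with the Defender PowerShell cmdlets.
EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*-ExclusionPath", re.I)

# Constructed Sysmon-style records (not real telemetry): id 1 = process create,
# 7 = image load, 3 = network connection. Paths and domains are illustrative.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\ComputerDefaults.exe"},  # benign
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\dev\\AppData\\Local\\Temp\\sys"'},
    {"id": 1, "image": r"C:\Users\dev\AppData\Local\Temp\sys\System32\ComputerDefaults.exe"},
    {"id": 7, "image": r"C:\Users\dev\AppData\Local\Temp\sys\System32\ComputerDefaults.exe",
     "loaded": r"C:\Users\dev\AppData\Local\Temp\sys\System32\MLANG.dll"},
    {"id": 7, "image": r"C:\Windows\System32\ComputerDefaults.exe",
     "loaded": r"C:\Windows\System32\MLANG.dll"},  # benign: both from the real System32
    {"id": 3, "image": r"C:\Users\dev\AppData\Local\Temp\sys\Launcher.exe", "dest": "myaunet.su:443"},
]


def suspicious(event):
    """Return the reasons a single record matches the described chain ([] if none)."""
    reasons = []
    for key in ("image", "loaded"):
        path = event.get(key)
        if not path:
            continue
        directory, name = ntpath.split(path)
        if name.lower() in WATCHED_BINARIES and directory.lower() != REAL_SYSTEM32:
            reasons.append(f"{name} outside the real System32: {path}")
        if name.lower() == DROPPER_NAME:
            reasons.append(f"dropper file name seen: {path}")
    if EXCLUSION_RE.search(event.get("cmdline", "")):
        reasons.append("Defender exclusion added from PowerShell")
    if C2_DOMAIN in event.get("dest", "").lower():
        reasons.append(f"connection to known C2 {C2_DOMAIN}")
    return reasons


def scan(events):
    """Return (event index, reason) pairs for every hit across the records."""
    return [(i, r) for i, e in enumerate(events) for r in suspicious(e)]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```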
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3956464/warning-to-developers-stay-away-from-these-10-vscode-extensions.html