Ravie Lakshmanan | Jan 20, 2026 | Cloud Security / Developer Security

Cybersecurity researchers have disclosed details of a malware campaign that’s targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem.

“The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems,” Trend Micro said in an analysis published Monday.

The activity is designed to single out organizations with software development teams that rely on VS Code and third-party extensions, along with those with access to production systems, cloud resources, or digital assets, it added.

It’s worth noting that details of the campaign were first documented by Koi Security last month, when details emerged of three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme – that ultimately dropped a malicious downloader DLL (“Lightshot.dll”) responsible for launching a hidden PowerShell command to fetch and execute a second-stage payload (“runtime.exe”).


The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process (“grpconv.exe”) directly in memory, allowing it to harvest sensitive data and exfiltrate it to a remote server (“server09.mentality[.]cloud”) over FTP in the form of a ZIP file. Some of the information collected by the malware includes –

  • Clipboard content
  • Installed apps
  • Cryptocurrency wallets
  • Running processes
  • Desktop screenshots
  • Stored Wi-Fi credentials
  • System information
  • Credentials and stored cookies from Google Chrome and Microsoft Edge

In addition, it implements safeguards to detect analysis and virtual environments and takes steps to terminate active browser processes to ensure a seamless data collection process and prevent any potential interference when attempting to extract cookies and credentials.

This is achieved by launching the browser from the command line with the following flags, which keep the session hidden and minimize detection and forensic traces –

  • --headless=new, to run in headless mode
  • --disable-gpu, to prevent GPU acceleration
  • --no-sandbox, to disable the browser security sandbox
  • --disable-extensions, to prevent legitimate security extensions from interfering
  • --disable-logging, to disable browser log generation
  • --silent-launch, to suppress startup notifications
  • --no-first-run, to bypass initial setup dialogs
  • --disable-popup-blocking, to ensure malicious content can execute
  • --window-position=-10000,-10000, to position the window off-screen
  • --window-size=1,1, to minimize the window to 1×1 pixel
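As an added defender-side example (not code from the article or from Trend Micro): a small Python scorer that flags Chrome or Edge process launches whose command line combines the headless and off-screen flags listed above, run over constructed Sysmon-style process-creation records. The four-flag threshold, the field names and the sample events are assumptions.

```python
import shlex

# Flag combination the Trend Micro analysis attributes to Evelyn Stealer: a
# headless, off-screen browser launch with sandbox, extensions and logging off.
SUSPICIOUS_FLAGS = {
    "--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions",
    "--disable-logging", "--silent-launch", "--no-first-run",
    "--disable-popup-blocking", "--window-position=-10000,-10000", "--window-size=1,1",
}
BROWSERS = ("chrome.exe", "msedge.exe")
NO_MATCH = {"browser": None, "flags": [], "suspicious": False}

def score_command_line(cmdline: str) -> dict:
    """Parse one process command line and report which of the stealer's flags it uses."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes literal
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return dict(NO_MATCH)
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in BROWSERS:
        return dict(NO_MATCH)
    flags = sorted(a.lower() for a in argv[1:] if a.lower() in SUSPICIOUS_FLAGS)
    hidden = any(f in flags for f in ("--headless=new", "--window-position=-10000,-10000", "--window-size=1,1"))
    # Assumed rule: a hidden launch plus at least three further evasion flags.
    # A CI job running "--headless=new --disable-gpu" alone stays below this bar.
    return {"browser": exe, "flags": flags, "suspicious": hidden and len(flags) >= 4}

def scan_events(events):
    """events: Sysmon-style process-creation records with 'parent_image' and 'command_line' (assumed field names)."""
    hits = []
    for ev in events:
        result = score_command_line(ev["command_line"])
        if result["suspicious"]:
            hits.append({"parent": ev.get("parent_image"), **result})
    return hits

# Constructed sample events (not from the article); the first mimics the grpconv.exe
# host process described above spawning Chrome with the full evasion flag set.
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Windows\\System32\\grpconv.exe",
     "command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --headless=new --disable-gpu --no-sandbox --disable-extensions --disable-logging --silent-launch --no-first-run --disable-popup-blocking --window-position=-10000,-10000 --window-size=1,1'},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default'},
    {"parent_image": "C:\\tools\\ci-runner.exe",
     "command_line": "msedge.exe --headless=new --disable-gpu --no-first-run https://example.test"},
]
```

Pairing the hit with its parent image (here an unexpected parent such as grpconv.exe) is what turns a noisy flag match into a usable alert.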

“The [DLL] downloader creates a mutual exclusion (mutex) object to ensure that only one instance of the malware can run at any given time, ensuring that multiple instances of the malware cannot be executed on a compromised host,” Trend Micro…


Last Update: January 20, 2026