Cyber: Evelyn Stealer Malware Abuses VS Code Extensions To Steal Developer...
Cybersecurity researchers have disclosed details of a malware campaign that's targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem.
"The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems," Trend Micro said in an analysis published Monday.
The activity is designed to single out organizations with software development teams that rely on VS Code and third-party extensions, along with those with access to production systems, cloud resources, or digital assets, it added.
It's worth noting that the campaign was first documented by Koi Security last month, when three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme – were found to ultimately drop a malicious downloader DLL ("Lightshot.dll") responsible for launching a hidden PowerShell command to fetch and execute a second-stage payload ("runtime.exe").
The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process ("grpconv.exe") directly in memory, allowing it to harvest sensitive data and exfiltrate it to a remote server ("server09.mentality[.]cloud") over FTP in the form of a ZIP file. Some of the information collected by the malware includes -
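The infection chain above starts with the three named extensions, so the cheapest triage step on a developer workstation is to look for them in the local VS Code extension store. The script below is an added example written for this article, not code from Trend Micro, Koi Security or The Hacker News; it assumes the usual per-user extension directories (`~/.vscode/extensions`, `~/.vscode-insiders/extensions`) and VS Code's folder naming convention `<publisher>.<name>-<version>` (lower-cased), and it seeds a constructed temporary directory to demonstrate the match rather than touching the real installation.

```python
import tempfile
from pathlib import Path

# Extension identifiers (publisher.name) named in the report above.
SUSPECT_EXTENSION_IDS = {
    "BigBlack.bitcoin-black",
    "BigBlack.codo-ai",
    "BigBlack.mrbigblacktheme",
}


def default_extension_dirs():
    """Per-user VS Code extension directories (assumed default layout)."""
    home = Path.home()
    return [home / ".vscode" / "extensions",
            home / ".vscode-insiders" / "extensions"]


def find_suspect_extensions(ext_dir, suspect_ids=SUSPECT_EXTENSION_IDS):
    """Return the folder names in ext_dir that belong to a suspect extension id.

    VS Code installs each extension into '<publisher>.<name>-<version>' (lower-cased),
    so an installed copy is matched when the folder name equals the id or is the id
    followed by '-' and a version that starts with a digit. Requiring the digit keeps a
    sibling extension such as 'bigblack.codo-ai-extra-1.0' from being flagged by prefix.
    """
    ext_dir = Path(ext_dir)
    if not ext_dir.is_dir():
        return []
    wanted = {ident.lower() for ident in suspect_ids}
    hits = []
    for entry in sorted(ext_dir.iterdir()):
        if not entry.is_dir():          # .obsolete and other bookkeeping files are skipped
            continue
        name = entry.name.lower()
        for ident in wanted:
            rest = name[len(ident) + 1:]
            if name == ident or (name.startswith(ident + "-") and rest[:1].isdigit()):
                hits.append(entry.name)
                break
    return hits


def demo():
    """Scan a constructed extensions directory (sample folders, not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        for folder in ("ms-python.python-2024.4.1",
                       "bigblack.codo-ai-0.0.3",
                       "bigblack.codo-ai-extra-1.0",   # shares the prefix, must not match
                       "bigblack.mrbigblacktheme-1.2.0",
                       "esbenp.prettier-vscode-10.1.0"):
            (Path(tmp) / folder).mkdir()
        (Path(tmp) / ".obsolete").write_text("{}")   # a file, not an extension folder
        return find_suspect_extensions(tmp)


if __name__ == "__main__":
    print("constructed sample:", demo())
    for directory in default_extension_dirs():
        for hit in find_suspect_extensions(directory):
            print(f"suspect extension installed: {directory / hit}")
```

A hit on a real machine is a reason to treat the host as compromised rather than just uninstall the extension: per the chain described above, the stealer runs injected into grpconv.exe after the extension has done its work, so removing the folder alone does nothing about the running payload or the credentials already exfiltrated.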
This is achieved by launching the browser via the command line by setting the following flags for detection and forensic traces -
"The [DLL] downloader creates a mutual exclusion (mutex) object to ensure that only one instance of the malware can run at any given time, ensuring that multiple instances of the malware cannot be executed on a compromised host," Trend Micro said. "The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem."
The disclosure coincides with the emergence of two new Python-based stealer malware families referred to as MonetaStealer and SolyxImmortal, with the former also capable of targeting Apple macOS systems to enable comprehensive data theft.
"[SolyxImmortal] leverages legitimate system APIs and widely available third-party libraries to extract sensitive user data and exfiltrate it to attacker-con
Source: The Hacker News