Threat actors are increasingly weaponizing Visual Studio Code, a popular development tool, by exploiting its extension ecosystem to deploy multi-stage malware. A recent campaign, identified as Evelyn Stealer, leverages a malicious extension to deliver a stealthy information stealer directly to developer workstations. This development is particularly concerning because developers often possess privileged access to sensitive systems and data, making them high-value targets for cybercriminals.
The Evelyn Stealer attack chain begins with the installation of a seemingly innocuous or useful Visual Studio Code extension. Once installed, the malware initiates a complex, multi-stage infection process. This sophisticated approach aims to evade detection by embedding malicious actions within seemingly legitimate software components and processes, a tactic that highlights the evolving sophistication of cyber threats targeting software development environments.
Evelyn Stealer: A New Threat Exploiting Visual Studio Code Extensions
Researchers have uncovered a new campaign in which malicious actors are weaponizing Visual Studio Code to deploy sophisticated multi-stage malware. The campaign, dubbed Evelyn Stealer, utilizes a compromised extension to infiltrate developer workstations, aiming to steal a wide range of sensitive information. Trend Micro analysts have detailed how this attack chain exploits the trust developers place in the Visual Studio Code marketplace and its vast extension library.
Instead of targeting general end-users, Evelyn Stealer specifically targets developers. This strategic choice is driven by the fact that developers often hold critical access credentials, including source code repositories, cloud consoles, and cryptocurrency assets. By compromising a developer’s machine, attackers can gain a significant foothold into an organization or individual’s digital infrastructure, potentially leading to widespread data breaches.
The initial infection vector involves a trojanized Visual Studio Code extension. This extension, designed to appear legitimate, silently drops a fake Lightshot.dll file. This malicious component is then loaded by the legitimate Lightshot.exe screenshot utility, a common tool used by many developers. This clever misdirection allows the malware to execute its subsequent stages under the guise of normal user activity.
The Multistage Infection Chain Unveiled
The multi-stage infection process is a key feature of the Evelyn Stealer campaign. According to Trend Micro’s analysis, the attack chain unfolds in several carefully orchestrated steps. Once the fake Lightshot.dll is loaded, it triggers a hidden PowerShell command. This command is responsible for downloading a second-stage payload, identified as “iknowyou.model,” from a remote domain. This downloaded file is then saved locally as “runtime.exe” and executed.
The “runtime.exe” payload further escalates the compromise. It establishes an “Evelyn” folder within the %AppData% directory and proceeds to inject the “abe_decrypt.dll” module into popular web browsers such as Microsoft Edge and Google Chrome. This injection allows the malware to access and exfiltrate sensitive data directly from the compromised browsers.
Following the browser compromise, Evelyn Stealer prepares to exfiltrate the stolen data. It collects a comprehensive set of sensitive information, including browser passwords and cookies, cryptocurrency wallet details, active messaging sessions, VPN profiles, and saved Wi-Fi credentials. Additionally, it captures screenshots of the compromised system and gathers detailed system information. All this gathered data is then compressed into a single archive file.
The final stage of the attack involves exfiltration of the compiled data. The malware uploads the compressed archive to an attacker-controlled FTP server. This method of data exfiltration is a common tactic, allowing attackers to receive large volumes of stolen data discreetly. For organizations, a single compromised developer laptop can have devastating consequences, exposing proprietary source code, cloud access tokens, and production environment credentials.
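Mapping the stages described above to endpoint telemetry, as an added detection example that is not from the Trend Micro report or this article: it runs four stage-specific rules over constructed Sysmon-style events (Lightshot.exe spawning PowerShell after the side-loaded DLL, runtime.exe under %AppData%\Evelyn, a browser loading abe_decrypt.dll, and FTP egress from that folder) and escalates a host only when more than one stage fires. Field names follow Sysmon; the file paths, the %AppData% expansion and FTP port 21 are assumptions.

```python
"""Triage of Sysmon-style endpoint events for the Evelyn Stealer chain.
Constructed example, not code from the Trend Micro report: events are hand-made dicts shaped
like Sysmon Event IDs 1 (process create), 7 (image load) and 3 (network connect).
All file paths and the FTP port are assumptions."""
import re

def _ends(value, suffix):
    """Case-insensitive path-suffix match; tolerates missing fields."""
    return value is not None and value.lower().endswith(suffix.lower())

EVELYN_DIR = r"\\appdata\\(roaming\\)?evelyn\\"   # %AppData%\Evelyn, either expansion (assumed)

# (rule name, predicate over one event); each rule maps to one stage of the chain
RULES = [
    ("lightshot_spawns_powershell",   # side-loaded Lightshot.dll triggers the hidden PowerShell
     lambda e: e["EventID"] == 1 and _ends(e.get("ParentImage"), "\\lightshot.exe")
     and _ends(e.get("Image"), "\\powershell.exe")),
    ("runtime_exe_in_appdata_evelyn", # second stage saved as runtime.exe under %AppData%\Evelyn
     lambda e: e["EventID"] == 1 and re.search(EVELYN_DIR + r"runtime\.exe$", e.get("Image", ""), re.I)),
    ("browser_loads_abe_decrypt",     # abe_decrypt.dll injected into Edge or Chrome
     lambda e: e["EventID"] == 7 and _ends(e.get("ImageLoaded"), "\\abe_decrypt.dll")
     and (_ends(e.get("Image"), "\\msedge.exe") or _ends(e.get("Image"), "\\chrome.exe"))),
    ("evelyn_process_ftp_egress",     # archive upload to attacker FTP; port 21 is an assumption
     lambda e: e["EventID"] == 3 and e.get("DestinationPort") == 21
     and re.search(EVELYN_DIR, e.get("Image", ""), re.I)),
]

def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]

def hosts_to_escalate(events, min_rules=2):
    """Hosts where at least min_rules distinct stages fired: a single hit alone may be benign."""
    per_host = {}
    for name, e in triage(events):
        per_host.setdefault(e["Computer"], set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"EventID": 1, "Computer": "DEV-01", "ParentImage": "C:\\Tools\\Lightshot\\Lightshot.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "Computer": "DEV-01", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Users\\dev\\AppData\\Roaming\\Evelyn\\runtime.exe"},
    {"EventID": 7, "Computer": "DEV-01", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ImageLoaded": "C:\\Users\\dev\\AppData\\Roaming\\Evelyn\\abe_decrypt.dll"},
    {"EventID": 3, "Computer": "DEV-01", "Image": "C:\\Users\\dev\\AppData\\Roaming\\Evelyn\\runtime.exe",
     "DestinationPort": 21},
    {"EventID": 1, "Computer": "DEV-02", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]
```

On the constructed sample, DEV-01 trips all four stages and is escalated, while DEV-02's lone PowerShell launch from Explorer matches nothing.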
The weaponization of Visual Studio Code extensions highlights a growing trend in cyberattacks. Attackers are actively seeking to exploit developer tools and workflows to gain access to high-value targets. The trust placed in official extension marketplaces makes these attacks particularly insidious, as developers may not exercise the same level of caution when installing tools they believe are vetted and safe.
This ongoing threat underscores the critical importance of robust security practices within software development lifecycles. Organizations need to implement stringent vetting processes for all third-party extensions and plugins used within their development environments. Regular security audits, employee training on cybersecurity best practices, and the use of advanced endpoint detection and response (EDR) solutions are crucial steps in mitigating the risks associated with such sophisticated attacks.
Looking ahead, it is expected that threat actors will continue to explore novel ways to exploit trusted development tools. Vigilance and proactive security measures will be paramount for developers and organizations to stay ahead of these evolving threats and protect their valuable digital assets.