Evelyn Stealer targets VS Code extensions to harvest developer credentials

In a technical analysis published Monday, Trend Micro said a new information stealer named Evelyn Stealer is targeting software developers by abusing Microsoft Visual Studio Code extensions and exfiltrating developer credentials and cryptocurrency data to an FTP server.

KEY FACTS

  • Incident: Malware delivered through malicious VS Code extensions
  • Payload: Downloader DLL, then a second-stage executable injected into a legitimate process
  • Data stolen: Credentials, cookies, crypto wallets, screenshots, Wi-Fi and system information
  • Exfiltration: Files sent as a ZIP archive over FTP to server09.mentality.cloud

Three Visual Studio Code extensions dropped a downloader DLL named Lightshot.dll, which launched a hidden PowerShell command to fetch and execute a second-stage executable called runtime.exe.

The runtime executable decrypts and injects the main stealer into the legitimate Windows process grpconv.exe in memory and harvests clipboard content, installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, system details, and credentials and cookies from Google Chrome and Microsoft Edge.

The malware includes anti-analysis and virtual-environment checks, and it terminates running browser processes so they do not interfere with the extraction of cookies and credentials. It then launches the browsers itself with command-line flags such as `--headless=new`, `--disable-gpu`, `--no-sandbox` and `--disable-extensions`, and positions the window off screen to conceal the activity.

The downloader creates a mutex to prevent multiple instances from running. The activity is aimed at organizations with software development teams that use VS Code and third-party extensions, and at systems that host production workloads, cloud resources, or digital assets. The number of affected organizations was not disclosed.
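As an added defender-side example (not code from the Trend Micro report or this article), the following Python flags, in constructed Sysmon-style process and network events, the three behaviours the report describes: a hidden PowerShell launch from the VS Code host (Code.exe as the parent process is an assumption), a browser started with the reported headless flag set by a non-browser parent, and grpconv.exe connecting over FTP or to server09.mentality.cloud. The event field names and sample paths are assumptions.

```python
# Constructed sample telemetry in a Sysmon-like shape; field names are assumed, not the report's.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe https://example.com"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command <redacted>"},
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\System32\grpconv.exe",
     "cmdline": "msedge.exe --headless=new --disable-gpu --no-sandbox --disable-extensions"},
    {"type": "network", "image": r"C:\Windows\System32\grpconv.exe",
     "dst_host": "server09.mentality.cloud", "dst_port": 21},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -Command Get-Date"},
]

BROWSERS = {"chrome.exe", "msedge.exe"}
# Flag set the report says the stealer passes when it drives the browser.
HEADLESS_FLAGS = {"--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions"}
EXFIL_HOST = "server09.mentality.cloud"  # FTP server named in the report

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a detection name for one event, or None if nothing matched."""
    if event["type"] == "process":
        image, parent = basename(event["image"]), basename(event["parent"])
        args = set(event["cmdline"].lower().split())
        # 1. Hidden PowerShell spawned by the editor host (Code.exe as the parent is an
        #    assumption): the downloader-DLL stage that fetches runtime.exe.
        if image == "powershell.exe" and parent == "code.exe" \
                and args & {"-windowstyle", "-w"} and "hidden" in args:
            return "hidden-powershell-from-vscode"
        # 2. Browser launched headless with the reported flag set by a non-browser parent.
        if image in BROWSERS and parent not in BROWSERS:
            hits = HEADLESS_FLAGS & args
            if "--headless=new" in hits and len(hits) >= 3:
                return "headless-browser-credential-access"
    elif event["type"] == "network":
        # 3. grpconv.exe (the process the stealer is injected into) speaking FTP
        #    or contacting the named exfiltration host.
        if basename(event["image"]) == "grpconv.exe" and \
                (event["dst_port"] == 21 or event.get("dst_host") == EXFIL_HOST):
            return "grpconv-ftp-exfil"
    return None

def scan(events):
    """Return (event index, detection name) pairs for every matching event."""
    return [(i, name) for i, e in enumerate(events) if (name := classify(e))]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2 and 3 and leaves the two ordinary launches alone; in production the same rules would sit on top of real EDR or Sysmon telemetry rather than the inline sample.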

WHY IT MATTERS

Compromised developer workstations can give attackers credentials and access that lead to broader organizational systems and digital assets. Organizations that use VS Code and third-party extensions should review installed extensions and monitor for unusual FTP exfiltration activity.