Evelyn Stealer Malware Abuses VS Code Extensions
These articles are AI-generated summaries. Please check the original sources for full details.
A new information stealer, Evelyn Stealer, is targeting software developers by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem. The malware campaign leverages malicious VS Code extensions to steal developer credentials, browser data, and cryptocurrency wallets on Windows systems.
Why This Matters
Current threat models often assume developers are security-aware, but this campaign demonstrates a shift towards directly targeting them as a high-value attack vector. Compromised developer environments can provide access to critical organizational systems and intellectual property, leading to potentially catastrophic breaches, with estimated costs of data breaches reaching $4.45 million on average in 2023.
Key Insights
- VS Code Extension Abuse: Evelyn Stealer utilizes legitimate extension distribution channels for malicious purposes.
- Process Injection: The malware injects its payload into a legitimate Windows process (grpconv.exe) to evade detection.
- Browser Automation: Evelyn Stealer uses command-line flags to automate browser actions, disabling security features and suppressing notifications for silent data exfiltration.
Working Example
# Example command-line flags used by Evelyn Stealer to launch Chrome
chrome.exe --headless=new --disable-gpu --no-sandbox --disable-extensions --disable-logging --silent-launch --no-first-run --disable-popup-blocking --window-position=-10000,-10000 --window-size=1,1
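As an added example that is not part of the original article, the following detector checks process-creation records for the two behaviours described above: Chrome started with the hidden, sandbox-off flag set from the command line quoted here, and grpconv.exe spawned from a VS Code process. The record layout, the parent image names and the sample records are assumptions, constructed for illustration.

```python
# Added example (not from the article or the malware): flags the two
# behaviours the summary describes in process-creation records. The record
# shape is assumed; map it from your EDR or Sysmon Event ID 1 fields.
SUSPICIOUS_CHROME_FLAGS = {  # taken from the article's command line
    "--headless=new", "--no-sandbox", "--disable-extensions",
    "--silent-launch", "--disable-popup-blocking",
}
DEV_TOOL_PARENTS = {"code.exe", "node.exe"}  # assumed VS Code parent images

def offscreen_window(args):
    """True if --window-position places the window at negative coordinates."""
    for a in args:
        if a.startswith("--window-position="):
            x, _, y = a.split("=", 1)[1].partition(",")
            try:
                return int(x) < 0 or int(y) < 0
            except ValueError:
                return False
    return False

def analyze_event(event):
    """Return alert strings for one process-creation record (dict)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    args = event["cmdline"].split()[1:]
    alerts = []
    if image == "chrome.exe":
        hits = SUSPICIOUS_CHROME_FLAGS.intersection(a.lower() for a in args)
        # Several flags plus a hidden window: ordinary headless use
        # (CI screenshots, scrapers) does not normally combine both.
        if len(hits) >= 3 and offscreen_window(args):
            alerts.append("hidden headless chrome: " + " ".join(sorted(hits)))
    if image == "grpconv.exe" and parent in DEV_TOOL_PARENTS:
        alerts.append(f"grpconv.exe spawned by {parent}")  # injection host
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\grpconv.exe", "cmdline": "grpconv.exe",
     "parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\System32\grpconv.exe",
     "cmdline": "chrome.exe --headless=new --disable-gpu --no-sandbox "
                "--disable-extensions --disable-logging --silent-launch "
                "--no-first-run --disable-popup-blocking "
                "--window-position=-10000,-10000 --window-size=1,1"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\ci\runner.exe", "cmdline": "chrome.exe --headless=new --disable-gpu --screenshot"},
]
```

The threshold of three flags plus an off-screen window is a starting point; tune it against your own baseline of legitimate headless Chrome use before alerting on it.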
Practical Applications
- Use Case: Targeted attacks against software companies to steal source code and intellectual property.
- Pitfall: Relying solely on static analysis of VS Code extensions; dynamic analysis is crucial to detect malicious behavior.