FOCUS MODE
EXTRACT IOC
MINDMAP
Threat Research

Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign

iocOne
Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign
A sophisticated cryptomining campaign targeting developers was conducted through malicious Visual Studio Code extensions, with over one million installations across several fake tools. These extensions, designed to appear legitimate, download PowerShell scripts that disable Windows security features and install an XMRig cryptominer. The attackers used a multistage attack strategy, even impersonating genuine extensions to avoid detection. Affected: Developers, Software Ecosystem, Visual Studio Code extensions

Keypoints :

  • Malicious VS Code extensions published by three authors after April 4th.
  • Over one million total installs of the fake extensions.
  • The most popular fake extension, “Discord Rich Presence,” had 189K installs.
  • The extensions download a PowerShell script that disables Windows security and installs XMRig cryptocurrency miner.
  • Attackers impersonated legitimate extensions to avoid raising suspicion.
  • The C2 server used in the attack is asdf11[.]xyz.
  • Persistent mechanisms involve scheduled tasks masquerading as legitimate services.
  • Defense evasion techniques include disabling Windows security services and registry modifications.
  • Malicious payload includes base64 encoded Trojan and DLL files.
  • Campaign highlights risks in the software supply chain for developer ecosystems.

MITRE Techniques :

  • T1071.001: Application Layer Protocol: Web Protocols – Used to communicate with C2 servers via HTTP.
  • T1059.001: Command and Scripting Interpreter: Windows Commands – PowerShell scripts executed to download malicious components.
  • T1543.003: Create or Modify System Process: Windows Service – Creating scheduled tasks for persistence.
  • T1086: PowerShell – Execution of PowerShell scripts for payload installation and Windows security evasion.
  • T1112: Modify Registry – Modifying registry settings to evade detection.
  • T1497: Virtualization/Sandbox Evasion – Using legitimate extensions to act unnoticed as a mining operation.

Indicator of Compromise :

  • [File Hash] 2d17f0cb6c8d9488f2d101b90052692049b0c4bd9bf4949758aae7b1fd936191 (Launcher.exe)
  • [File Hash] d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1 (xmrig.exe)
  • [File Hash] bb757c6338491170072e8b743ea2758eebaeb1472ba6b421c950c79a3daed853 (PowerShell)
  • [C2 Domain] asdf11[.]xyz
  • [C2 Domain] myaunet[.]su

Full Story: https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59?source=rss——infosec-5

Views: 23

Tags: DEFENSE EVASION, INITIAL ACCESS, TOOL, PERSISTENCE, PAYLOAD, PRIVILEGE, WINDOWS, TROJAN