Malicious VS Code Extension ‘Prettier-VSCode-Plus’ Deploys Anivia Loader and OctoRAT
In a recent supply chain attack, a counterfeit Visual Studio Code (VS Code) extension named ‘prettier-vscode-plus’ was identified as the vehicle for deploying the Anivia Loader and OctoRAT malware. The malicious extension masqueraded as the legitimate Prettier code formatter in order to trick developers into installing it.
Discovery and Deployment Mechanism
The ‘prettier-vscode-plus’ extension was briefly available on the official VS Code Marketplace before its removal. Once installed, it initiated a sequence of actions designed to compromise the developer’s system:
1. Fetching Malicious Scripts: The extension downloaded obfuscated VBScript files from a GitHub repository named ‘vscode’ under the account ‘biwwwwwwwwwww’.
2. Execution of VBScript Dropper: These scripts acted as initial-stage droppers, creating and executing PowerShell loaders with execution policy bypasses, all while concealing their activities from the user.
3. Deployment of Anivia Loader and OctoRAT: The PowerShell loaders decrypted and executed the Anivia Loader, which subsequently deployed OctoRAT—a remote access tool capable of executing code, stealing data from browsers and cryptocurrency wallets, and providing remote desktop control.
Technical Breakdown of the Infection Chain
The attack’s sophistication lies in its multi-stage infection chain:
– VBScript Dropper: This script generates a random PowerShell file in the system’s temporary directory, embedding a Base64-encoded AES payload.
– PowerShell Loader: Upon execution, it decrypts the payload using AES-256 in CBC mode and runs it directly in memory.
– Anivia Loader: This component stores its encrypted payload in a byte array, decrypts it with a hard-coded key, and injects the resulting executable into the legitimate ‘vbc.exe’ process through process hollowing—a technique that helps evade detection by security software.
– OctoRAT Deployment: Once active, OctoRAT establishes persistence by creating scheduled tasks and opens an encrypted command channel to communicate with the attacker’s control servers.
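The chain above leaves a recognisable process lineage on the endpoint: a script host launched from the editor, PowerShell started with an execution-policy bypass pointing at a script in the temp directory, ‘vbc.exe’ parented by PowerShell, and a scheduled-task creation coming out of ‘vbc.exe’. The following is an added example (not code from the article or from any of the products named) that runs four such rules over a handful of constructed process-creation events; the event shape (pid, ppid, image, cmdline) and every path and command line in the sample data are assumptions made for the example, not indicators taken from the incident.

```python
"""Flag process lineages that match the VBScript -> PowerShell -> vbc.exe chain.

Added example; field names and sample events are constructed for illustration.
"""
import re

# Constructed sample events in a Sysmon-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\dev\AppData\Local\Temp\update.vbs"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\dev\AppData\Local\Temp\x7f3a9.ps1"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": "vbc.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 5 /tn Updater "
                r"/tr C:\Users\dev\AppData\Local\Temp\x7f3a9.ps1"},
    # Benign control: a developer opening PowerShell from the integrated terminal.
    {"pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoLogo"},
]

EDITORS = {"code.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# "-ExecutionPolicy Bypass" or its short form "-ep bypass", any case.
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.IGNORECASE)
# A .ps1 script located somewhere under a \Temp\ directory.
TEMP_PS1_RE = re.compile(r"\\Temp\\\S+\.ps1", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per (rule, pid) that fires; parent is looked up by ppid."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]

        # Stage 1: a script host spawned directly by the editor process.
        if img in SCRIPT_HOSTS and pimg in EDITORS:
            findings.append({"rule": "script-host-from-editor", "pid": e["pid"]})
        # Stage 2: PowerShell bypassing execution policy to run a temp-dir script.
        if img in POWERSHELL and BYPASS_RE.search(cmd) and TEMP_PS1_RE.search(cmd):
            findings.append({"rule": "bypass-temp-script", "pid": e["pid"]})
        # Stage 3: the VB compiler should be parented by build tooling, not PowerShell.
        if img == "vbc.exe" and pimg in POWERSHELL:
            findings.append({"rule": "vbc-child-of-powershell", "pid": e["pid"]})
        # Stage 4: a compiler process has no business creating scheduled tasks.
        if img == "schtasks.exe" and "/create" in cmd.lower() and pimg == "vbc.exe":
            findings.append({"rule": "schtasks-from-vbc", "pid": e["pid"]})
    return findings


def chain_detected(findings, min_rules: int = 3) -> bool:
    """Escalate to an alert only when several distinct stages are seen together."""
    return len({f["rule"] for f in findings}) >= min_rules


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:<26} pid={f['pid']}")
    print("chain detected:", chain_detected(found))
```

Each rule on its own is noisy (developers do run PowerShell from the editor, and ‘vbc.exe’ is a normal child of build tooling), which is why the alert is raised only when several stages fire in the same lineage; the benign control event in the sample produces no finding.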
Implications for Developers
Although the ‘prettier-vscode-plus’ extension had limited installations, the targeted nature of the attack poses significant risks. Developers often have access to sensitive source code and production environments, making them high-value targets for cybercriminals.
Recommendations for Mitigation
To safeguard against such threats, developers and organizations should consider the following measures:
1. Verify Extension Authenticity: Before installing any extension, confirm its legitimacy by checking the publisher’s credentials, reading user reviews, and ensuring it originates from a trusted source.
2. Monitor System Behavior: Be vigilant for unusual system activities, such as unexpected script executions or unauthorized network communications, which may indicate a compromise.
3. Implement Security Controls: Utilize endpoint detection and response (EDR) solutions to identify and mitigate malicious activities promptly.
4. Regularly Update Software: Keep all development tools and security software up to date to benefit from the latest security patches and features.
5. Educate Development Teams: Provide training on recognizing social engineering tactics and the importance of cybersecurity hygiene to prevent inadvertent installations of malicious software.
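Measure 1 above can be partly automated: an installed extension whose name closely resembles an allowlisted one but comes from a different publisher is exactly the ‘prettier-vscode-plus’ pattern. The following added example (not code from the article or from VS Code) compares extension manifests against an allowlist of publisher/name pairs and reports exact matches, lookalikes and unknowns. It assumes the identifiers ‘esbenp.prettier-vscode’ and ‘ms-python.python’ for the genuine Prettier and Python extensions (Marketplace facts not stated in the article); the publisher shown for the lookalike and the third manifest are constructed sample values.

```python
"""Classify installed VS Code extensions against an allowlist of trusted identifiers.

Added example; the allowlist entries and sample manifests are assumptions.
"""
import difflib
import json
from pathlib import Path

# Trusted (publisher, name) pairs; the organisation would maintain this list.
ALLOWLIST = {
    ("esbenp", "prettier-vscode"),   # genuine Prettier extension (assumed identifier)
    ("ms-python", "python"),         # genuine Python extension (assumed identifier)
}

# Constructed sample manifests standing in for each extension's package.json.
SAMPLE_MANIFESTS = [
    {"publisher": "esbenp", "name": "prettier-vscode"},
    {"publisher": "unknown-publisher", "name": "prettier-vscode-plus"},  # constructed lookalike
    {"publisher": "someone", "name": "my-snippets"},                      # constructed unknown
]

# Marketing suffixes commonly appended to impersonate a known extension.
DECOY_SUFFIXES = ("-plus", "-pro", "-premium", "-official")


def strip_suffix(name: str) -> str:
    """Drop a trailing decoy suffix so 'foo-plus' compares as 'foo'."""
    for s in DECOY_SUFFIXES:
        if name.endswith(s):
            return name[: -len(s)]
    return name


def classify(manifest, allowlist=ALLOWLIST, threshold: float = 0.8):
    """Return a verdict dict: trusted, lookalike (with the id it mimics) or unknown."""
    pub, name = manifest["publisher"].lower(), manifest["name"].lower()
    if (pub, name) in allowlist:
        return {"id": f"{pub}.{name}", "verdict": "trusted"}

    best_id, best_score = None, 0.0
    for t_pub, t_name in allowlist:
        # Exact match after suffix stripping is the strongest signal.
        if strip_suffix(name) == t_name:
            score = 1.0
        else:
            score = difflib.SequenceMatcher(None, name, t_name).ratio()
        if score > best_score:
            best_id, best_score = f"{t_pub}.{t_name}", score

    if best_score >= threshold:
        return {"id": f"{pub}.{name}", "verdict": "lookalike",
                "mimics": best_id, "score": round(best_score, 3)}
    return {"id": f"{pub}.{name}", "verdict": "unknown"}


def load_manifests(extensions_dir: Path):
    """Read publisher/name from every <dir>/*/package.json (the default is ~/.vscode/extensions)."""
    manifests = []
    for pkg in extensions_dir.glob("*/package.json"):
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
            manifests.append({"publisher": data["publisher"], "name": data["name"]})
        except (OSError, ValueError, KeyError):
            continue  # skip unreadable or malformed manifests
    return manifests


if __name__ == "__main__":
    real = load_manifests(Path.home() / ".vscode" / "extensions")
    for m in real or SAMPLE_MANIFESTS:
        print(classify(m))
```

An ‘unknown’ verdict is not an accusation; it simply means the extension is not on the allowlist and deserves the manual publisher check the article recommends, whereas a ‘lookalike’ verdict warrants removal pending review.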
Conclusion
The emergence of malicious extensions like ‘prettier-vscode-plus’ underscores the evolving tactics of threat actors targeting the software development supply chain. By remaining vigilant and implementing robust security practices, developers can protect their environments from such sophisticated attacks.