Evelyn Stealer Malware Exploits VS Code Extensions to Compromise Developer Credentials and Cryptocurrency
Cybersecurity experts have recently uncovered a sophisticated malware campaign targeting software developers through the Microsoft Visual Studio Code (VS Code) extension ecosystem. Dubbed Evelyn Stealer, this malicious software is engineered to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. The compromised developer environments can serve as gateways into broader organizational systems, posing significant security risks.
Trend Micro’s analysis highlights that the campaign specifically targets organizations with software development teams that utilize VS Code and third-party extensions. These teams often have access to production systems, cloud resources, and digital assets, making them lucrative targets for cybercriminals.
Initial reports of this campaign emerged last month when Koi Security identified three malicious VS Code extensions: BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme. These extensions were found to deploy a malicious downloader DLL named Lightshot.dll. Upon execution, this DLL initiates a concealed PowerShell command to retrieve and execute a secondary payload known as runtime.exe.
The runtime.exe executable decrypts and injects the primary stealer payload directly into a legitimate Windows process, grpconv.exe, operating entirely in memory. This technique allows the malware to harvest a wide array of sensitive data, including:
– Clipboard contents
– List of installed applications
– Cryptocurrency wallet information
– Active running processes
– Desktop screenshots
– Stored Wi-Fi credentials
– Comprehensive system information
– Credentials and stored cookies from browsers like Google Chrome and Microsoft Edge
To ensure uninterrupted data collection, Evelyn Stealer incorporates mechanisms to detect analysis and virtual environments. It also terminates active browser processes to prevent interference during the extraction of cookies and credentials.
The malware employs specific command-line flags to launch browsers in a manner that minimizes detection and forensic traces:
– `--headless=new`: Runs the browser in headless mode
– `--disable-gpu`: Disables GPU acceleration
– `--no-sandbox`: Disables the browser’s security sandbox
– `--disable-extensions`: Prevents legitimate security extensions from interfering
– `--disable-logging`: Disables browser log generation
– `--silent-launch`: Suppresses startup notifications
– `--no-first-run`: Bypasses initial setup dialogs
– `--disable-popup-blocking`: Ensures malicious content can execute
– `--window-position=-10000,-10000`: Positions the window off-screen
– `--window-size=1,1`: Minimizes the window to a 1×1 pixel size
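The launch flags above, together with the injection host named earlier, give defenders a concrete process-creation signature: a browser started by grpconv.exe, or started with most of these stealth switches at once. The following is an added detection example written for this article, not code from Trend Micro, Koi Security, or the malware itself. It parses a few constructed process-creation records (parent image, image, command line, pipe-separated) and reports browser launches that match the pattern; the record format, the `SWITCH_THRESHOLD` of four switches, and the sample lines are all assumptions made for the example.

```python
"""Flag browser launches matching the Evelyn Stealer launch pattern.

Added example for this article; input format and thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Chromium switches the article lists as the stealer's launch set.
STEALTH_SWITCHES = {
    "--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions",
    "--disable-logging", "--silent-launch", "--no-first-run",
    "--disable-popup-blocking",
}
# Value-carrying switches: the value is what makes them suspicious.
OFFSCREEN_POSITION = re.compile(r"^--window-position=-\d+,-\d+$")
TINY_WINDOW = re.compile(r"^--window-size=[01],[01]$")

BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
INJECTION_HOST = "grpconv.exe"   # process the article says hosts the stealer
SWITCH_THRESHOLD = 4             # assumption: this many stealth switches is suspicious

# One switch token: "--name" optionally followed by "=value" (no spaces/quotes).
SWITCH_RE = re.compile(r'--[\w-]+(?:=[^\s"]+)?')


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    image: str
    parent_image: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'parent|image|command line' record."""
    parent, image, cmd = line.split("|", 2)
    return ProcessEvent(parent.strip(), image.strip(), cmd.strip())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stealth_switches(command_line: str) -> set:
    """Return the switches on the command line that belong to the stealer's launch set."""
    found = set()
    for switch in SWITCH_RE.findall(command_line):
        if (switch in STEALTH_SWITCHES
                or OFFSCREEN_POSITION.match(switch)
                or TINY_WINDOW.match(switch)):
            found.add(switch)
    return found


def evaluate(event: ProcessEvent) -> Optional[Finding]:
    """Report a browser launch if its parent or its switch set matches the pattern."""
    image = basename(event.image)
    if image not in BROWSER_IMAGES:
        return None
    parent = basename(event.parent_image)
    reasons = []
    if parent == INJECTION_HOST:
        reasons.append(f"browser spawned by {INJECTION_HOST}")
    switches = stealth_switches(event.command_line)
    if len(switches) >= SWITCH_THRESHOLD:
        reasons.append(f"{len(switches)} stealth switches: {' '.join(sorted(switches))}")
    return Finding(image, parent, reasons) if reasons else None


def scan(lines) -> List[Finding]:
    """Run evaluate() over raw records and keep only the hits."""
    return [f for f in (evaluate(parse_event(ln)) for ln in lines) if f]


# Constructed sample records, not real telemetry: parent|image|command line.
SAMPLE_EVENTS = [
    # ordinary interactive launch: no finding
    r'C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|'
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    # CI-style headless run with only three of the switches: below threshold, no finding
    r'C:\ci\runner.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|'
    r'chrome.exe --headless=new --disable-gpu --no-sandbox',
    # launch matching the article's description: both reasons fire
    r'C:\Windows\System32\grpconv.exe|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|'
    r'msedge.exe --headless=new --disable-gpu --no-sandbox --disable-extensions --disable-logging '
    r'--silent-launch --no-first-run --disable-popup-blocking --window-position=-10000,-10000 --window-size=1,1',
    # non-browser child of grpconv.exe: out of scope for this rule
    r'C:\Windows\System32\grpconv.exe|C:\Windows\System32\notepad.exe|notepad.exe',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The second sample record is deliberate: a few of these switches on their own are common in legitimate browser automation, so the rule keys on the parent process and on the switch count rather than on any single flag, and the threshold should be tuned against the environment's own baseline.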
To prevent multiple instances from running simultaneously, the DLL downloader creates a mutual exclusion (mutex) object. This ensures that only one instance of the malware operates at any given time on a compromised host.
The Evelyn Stealer campaign underscores the increasing trend of targeting developer communities, recognizing their pivotal role in the software development ecosystem. By compromising these environments, attackers can gain access to critical systems and data, amplifying the potential damage.