Ransomware test balloon discovered in the Visual Studio Code marketplace
Two extensions that encrypt files and issue a ransomware message were undetected in the official Visual Studio Code marketplace.
(Image: Gorodenkoff/Shutterstock.com)
ReversingLabs, a company specializing in software supply chain security, has discovered two extensions with malicious code in the official Visual Studio Code marketplace. Apparently, the extensions were able to bypass Microsoft's automatic security checks.
Both had been available in the marketplace for some time, but were only downloaded in the single digits. The extensions come from the publisher ahban and are called shiba and cychelloworld.
(Image: ReversingLabs)
Test balloon for ransomware attack via Visual Studio Code?
The malicious extensions first check whether they are running under Windows and, if so, execute a PowerShell command that downloads and runs a PowerShell script containing the actual malicious code from a command-and-control (C2) server.
A look at the malicious code suggests that it is a test balloon for a real ransomware attack. The code only encrypts files in a special subdirectory for test purposes: C:\users\%username%\Desktop\testShiba.
(Image: The malicious code only encrypts files in a special test directory on the desktop and then displays a ransomware message.)
The script then issues a typical ransomware warning: "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them."
No acute danger, but proof of concept
The extensions, which have since been removed from the marketplace, pose no concrete threat given their purely test function and low download count. However, they show that it is possible to circumvent the security mechanisms of Microsoft's VS Code Marketplace for real attacks.
Further details, including the code that accesses the C2 server, can be found in the Bluesky skeets from ReversingLabs.
(rme)