Full Report
The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms. [...]
Analysis Summary
# Tool/Technique: Glassworm (Third Wave)
## Overview
Glassworm is a sophisticated malware campaign that propagates via malicious extensions on developer marketplaces, specifically OpenVSX and the Microsoft Visual Studio Marketplace. The campaign seeks to infect developer environments to steal sensitive data, including GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data linked to 49 specific extensions.
## Technical Details
- Type: Malware family
- Platform: VS Code-compatible editors (via OpenVSX and Microsoft Visual Studio Marketplace extensions)
- Capabilities: Stealing developer credentials/tokens, deploying a SOCKS proxy, installing an HVNC client, and evolving toward Rust-based implants.
- First Seen: October (initial documentation)
## MITRE ATT&CK Mapping
Given the described functionality, the following mappings are relevant, though specific TTPs beyond initial compromise may require deeper analysis of the Rust implants:
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application** (Leverages trust in marketplace/extensions)
- **TA0003 - Persistence**
- **T1547.001 - Registry Run Keys / Startup Folder** (Potential via HVNC/proxy installation)
- **TA0010 - Exfiltration**
- **T1041 - Exfiltration Over C2 Channel** (Data theft via established proxy/connection)
- **TA0011 - Command and Control**
- **T1090 - Proxy**
- **T1090.002 - External Proxy** (Deployment of SOCKS proxy to route traffic)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information**
- **T1027.004 - Steganography/Obfuscation** (Use of "invisible Unicode characters" to hide code)
## Functionality
### Core Capabilities
- **Supply Chain Compromise (Via Marketplace):** Uploading malicious packages mimicking popular developer tools (e.g., Flutter, Vim, Tailwind, React Native).
- **Credential Harvesting:** Targeting specific developer platform accounts (GitHub, npm, OpenVSX) and cryptocurrency wallet data derived from 49 targeted extensions.
- **Evasion:** Utilizing "invisible Unicode characters" to conceal malicious code within the extension manifests or files, bypassing static review.
### Advanced Features
- **Persistent Remote Access:** Installing an HVNC (Hidden Virtual Network Computing) client to grant operators stealthy remote access to the victim's system.
- **Traffic Redirection:** Deploying a SOCKS proxy on the victim machine to tunnel malicious network traffic, masking the source of subsequent activities.
- **Implant Evolution:** Progressing from earlier versions to utilize modern, Rust-based implants packaged within the extensions.
- **Social Engineering/Deception:** Artificially inflating download counts and carefully naming malicious packages to appear legitimate and rank highly in search results near legitimate projects.
## Indicators of Compromise
*Note: No specific IPs, hashes, or exact filenames were provided in the text, only package names and associated concepts.*
- File Hashes: [Not provided in article]
- File Names: Implants utilizing Rust-based code (specific names unknown).
- Registry Keys: [Not provided in article]
- Network Indicators: Malicious traffic routed through user-installed SOCKS proxy; C2 communication established via this proxy.
- Behavioral Indicators: Installation of HVNC client; processes attempting to scrape data related to GitHub/npm authentication or cryptocurrency wallets from 49 specific extensions.
## Associated Threat Actors
- Glassworm (Campaign Name)
## Detection Methods
- Signature-based detection: Unknown, as implants are reportedly using Rust and evolving.
- Behavioral detection: Monitoring systems for the installation of HVNC clients or unexpected SOCKS proxy establishment originating from development tools/extensions. Scrutinizing process behavior of newly updated VS Code extensions.
- YARA rules: Developing detection rules for unique strings or structures associated with Rust-based implants if discovered.
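An added example (not code from the report, any marketplace, or the campaign itself) of the "invisible character obfuscation" check the detection and review points above call for: a small Python scanner that flags invisible Unicode code points in extension source files. The page does not name the exact characters Glassworm uses, so the code point set and the sample extension file are assumptions constructed for the demonstration.

```python
import unicodedata

# Code points that render as nothing in most editors. The report does not list the
# exact characters used, so this set is an assumption: common zero-width and
# bidi/format controls, plus the Unicode "tag" block U+E0000..U+E007F, which can
# carry a full ASCII payload invisibly.
ZERO_WIDTH = {
    0x200B, 0x200C, 0x200D, 0x2060, 0x2061, 0x2062, 0x2063, 0x2064,
    0xFEFF, 0x180E, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x2066, 0x2067, 0x2068, 0x2069, 0x034F,
}

def is_invisible(ch: str) -> bool:
    """True for characters that should never appear in honest extension source."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or 0xE0000 <= cp <= 0xE007F:
        return True
    # General category Cf ("format") covers the remaining invisible controls.
    return unicodedata.category(ch) == "Cf"

def scan_source(text: str):
    """Return (line_no, col, codepoint, name) for every invisible character found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNKNOWN")))
    return findings

def suspicious_lines(text: str, threshold: int = 8):
    """Lines carrying a run of invisible characters long enough to hide data."""
    counts = {}
    for line_no, *_ in scan_source(text):
        counts[line_no] = counts.get(line_no, 0) + 1
    return sorted(n for n, c in counts.items() if c >= threshold)

# Constructed sample: an innocent-looking extension entry point with a string
# hidden in tag characters. This is a demo file, not real Glassworm code.
HIDDEN = "".join(chr(0xE0000 + b) for b in b"hidden-payload")
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) {" + HIDDEN + "\n"
    "  console.log('extension active');\n"
    "}\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in scan_source(SAMPLE_JS):
        print(f"line {line_no} col {col}: {cp} {name}")
    print("suspicious lines:", suspicious_lines(SAMPLE_JS))
```

Run it over the unpacked `.vsix` contents (JavaScript, `package.json`, README) before an extension is approved or installed; any hit is worth a manual look, and a line with many hits is the pattern described in the report.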
## Mitigation Strategies
- **Source Scrutiny:** Only install VS Code extensions from highly trusted sources or maintainers, even when using secondary marketplaces like OpenVSX.
- **Marketplace Review:** Developers and platform owners (OpenVSX/Microsoft) must improve detection mechanisms for invisible character obfuscation and rapid version updates following initial takedowns.
- **Token Rotation:** Regularly rotating access tokens and API keys used by development environments, as practiced by OpenVSX previously.
- **Principle of Least Privilege:** Restricting permissions for extension execution where technically feasible to limit post-compromise impact.
## Related Tools/Techniques
- Supply Chain Attacks targeting developer tooling marketplaces.
- Use of invisible characters for obfuscation (similar to certain document-based malware evasion tactics).
- Use of HVNC tools for persistent remote control.