Full Report
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. [...]
Analysis Summary
# Tool/Technique: Malicious VSCode Extensions (Cryptominer Droppers)
## Overview
This report concerns an attack campaign that uses malicious Visual Studio Code (VSCode) extensions to infect Windows systems with the XMRig Monero cryptocurrency miner. The extensions function as droppers: they deceive users by impersonating legitimate extensions while deploying a multi-stage payload for persistence, defense evasion, and ultimately cryptomining.
## Technical Details
- Type: Malware Family (Dropper, Cryptominer Loader)
- Platform: Windows
- Capabilities: Initial malware execution, defense evasion (disabling updates, Defender exclusions), privilege escalation via DLL hijacking, deployment and execution of XMRig cryptominer.
- First Seen: Not specified in the source; it is described only as a recent discovery.
## MITRE ATT&CK Mapping
Mapping derived from the described actions:
- **TA0001 - Initial Access**
  - T1588.001 - Obtain Capabilities: Software (implied by the distribution mechanism, the VSCode Marketplace)
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder
    - Scheduled task created named "OnedriveStartup"
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses
    - Disabling the Windows Update and Update Medic services.
    - Adding the malware working directory to Windows Defender exclusions.
  - T1036.005 - Masquerading: Match Legitimate Name or Location (mimicking the system binary "ComputerDefaults.exe")
- **TA0004 - Privilege Escalation**
  - T1574.001 - DLL Search Order Hijacking (hijacking MLANG.dll to execute Launcher.exe with elevated privileges)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (downloading payloads via HTTP/S)
- **TA0018 - Impact**
  - T1496 - Resource Hijacking (cryptomining via XMRig)
## Functionality
### Core Capabilities
- Downloading and executing a remote PowerShell script upon extension activation.
- Establishing persistence via a Scheduled Task ("OnedriveStartup").
- Adding exclusions to Windows Defender settings.
- Impersonating a system binary ("ComputerDefaults.exe") to facilitate further execution.
### Advanced Features
- **Privilege Escalation via DLL Hijacking:** If executed without admin rights, the dropper uses a malicious `MLANG.dll` alongside the mimicked process (`ComputerDefaults.exe`) to escalate privileges and execute the `Launcher.exe` payload.
- **Multi-Stage Payload Delivery:** The initial PowerShell script decodes and executes a base64-encoded binary (`Launcher.exe`), which in turn downloads the final payload, the XMRig cryptominer.
- **Impersonation:** After installation, the malicious extension installs the legitimate extension it was impersonating, so the user sees the expected functionality and is less likely to become suspicious.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: `Launcher.exe`, `MLANG.dll`
- Registry Keys: Injection into Windows Registry for startup execution (Specific key path not detailed).
- Network Indicators:
  - Primary script download: `hxxps://asdf11[.]xyz/`
  - Secondary payload download (XMRig via Launcher.exe): `myaunet[.]su`
- Behavioral Indicators:
  - Creation of a scheduled task named "OnedriveStartup".
  - Modification of the Windows Update/Update Medic services.
  - Execution of a PowerShell script that fetches content from external URLs.
## Associated Threat Actors
- No specific threat actor group is **identified** in the source text; it describes only a campaign abusing VSCode extensions.
## Detection Methods
- Signature-based detection: Potentially detectable by signatures targeting the XMRig executable or specific strings/hashes in the PowerShell script.
- Behavioral detection: Monitoring for anomalous process creation, scheduled task creation or modification referencing OneDrive, changes to the Windows Update services and Defender exclusions, and network connections to the listed domains.
- YARA rules: Could be developed based on the base64 encoded content of `Launcher.exe` or unique PowerShell commands used.
## Mitigation Strategies
- Prevention measures: Strict auditing and sanitization of installed VSCode extensions, especially those from less-known publishers.
- Hardening recommendations: Ensure standard user accounts are used where possible to limit the impact of privilege escalation attempts. Regularly audit Windows Defender exclusions and scheduled tasks.
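The behavioral indicators and hardening recommendations above translate directly into a host audit. The following PowerShell script is an added example, not code from the original report or from the campaign analysis; it reads the host-level artifacts the report describes (the "OnedriveStartup" task, the state of the Windows Update and Update Medic services, Defender exclusion paths, and stray copies of `MLANG.dll`, `Launcher.exe` or `ComputerDefaults.exe`) and lists installed extensions for review. The service names `wuauserv` and `WaaSMedicSvc` are the standard Windows names; the search roots and the notion of a "user-writable" exclusion path are assumptions made for this example. The script only reads state and changes nothing.

```powershell
# Added example (not from the original report): read-only audit for the host-level
# indicators described above. Task name, service names and file names come from the
# report; the search roots and the user-writable path patterns are assumptions.
$findings = @()

# 1. Scheduled task named "OnedriveStartup" (report: persistence mechanism).
$task = Get-ScheduledTask -TaskName 'OnedriveStartup' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task 'OnedriveStartup' present (state: $($task.State)); actions: $actions"
}

# 2. Windows Update (wuauserv) and Update Medic (WaaSMedicSvc) services set to Disabled
#    (report: defense evasion by disabling updates).
foreach ($svc in 'wuauserv', 'WaaSMedicSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') {
        $findings += "Service $svc is Disabled (status: $($s.Status))"
    }
}

# 3. Defender exclusion paths pointing into user-writable locations (report: the
#    malware's working directory is added as an exclusion). Reading preferences
#    requires an elevated shell; the path patterns below are an assumption.
try {
    $prefs = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($prefs.ExclusionPath)) {
        if ($p -and ($p -like 'C:\Users\*' -or $p -like '*\AppData\*' -or $p -like '*\Temp\*')) {
            $findings += "Defender exclusion in user-writable path: $p"
        }
    }
} catch {
    $findings += "Could not read Defender preferences (run elevated): $($_.Exception.Message)"
}

# 4. Copies of MLANG.dll, Launcher.exe or ComputerDefaults.exe outside the Windows
#    directory (report: DLL search-order hijack next to a mimicked system binary).
#    The legitimate copies live under C:\Windows; the search roots are an assumption.
$roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC)
foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue `
        -Include 'MLANG.dll', 'Launcher.exe', 'ComputerDefaults.exe' |
        ForEach-Object { $findings += "Suspicious file outside Windows dir: $($_.FullName)" }
}

# 5. Installed VSCode extensions, for manual review against the publishers you expect
#    (mitigation: audit installed extensions). Skipped if the 'code' CLI is not on PATH.
$extensions = @()
if (Get-Command code -ErrorAction SilentlyContinue) {
    $extensions = & code --list-extensions --show-versions 2>$null
}

if ($findings.Count -eq 0) {
    Write-Output 'No host indicators from the report found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
if ($extensions.Count -gt 0) {
    Write-Output "Installed VSCode extensions ($($extensions.Count)) for review:"
    $extensions | ForEach-Object { Write-Output "    $_" }
}
```

Run it from an elevated PowerShell session so that Defender preferences and all scheduled tasks are readable. A hit on any single check is not proof of infection (a stray `Launcher.exe` may be unrelated), but the combination of a disabled update service, a user-profile Defender exclusion and an unexpected `MLANG.dll` beside a copied `ComputerDefaults.exe` is exactly the chain the report describes and warrants isolation and further triage.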
## Related Tools/Techniques
- Cryptominer: XMRig (Monero cryptocurrency miner)
- Delivery Mechanism: Malicious VSCode Extensions
- Related Action: DLL Hijacking for Privilege Escalation