A pretend extension for the Cursor AI IDE code editor contaminated units with distant entry instruments and infostealers, which, in a single case, led to the theft of $500,000 in cryptocurrency from a Russian crypto developer.
Cursor AI IDE is an AI-powered improvement surroundings based mostly on Microsoft’s Visible Studio Code. It consists of assist for Open VSX, a substitute for the Visible Studio Market, that means that you can set up VSCode-compatible extensions to increase the software program’s performance.
Kaspersky stories that they had been known as in to analyze a safety incident the place a Russian developer working in cryptocurrency reported that $500,00 in crypto was stolen from his pc. The machine had no antivirus software program put in, however it was mentioned to be clear.
Georgy Kucherin, a safety researcher for Kaspersky, obtained a picture of the system’s onerous drive, and after analyzing it, found a malicious JavaScript file named extension.js situated within the .cursor/extensions listing.
The extension was named “Solidity Language” and was revealed on the Open VSX registry, claiming to be a syntax highlighting instrument for working with Ethereum sensible contracts
Though the plugin impersonated the respectable Solidity syntax highlighting extension, it truly executed a PowerShell script from a distant host at angelic[.]su to obtain extra malicious payloads.
Supply: Kaspersky
The distant PowerShell script checked if the distant administration instrument ScreenConnect was already put in, and if not, executed one other script to put in it.
As soon as ScreenConnect was put in, the risk actors gained full distant entry to the developer’s pc. Utilizing ScreenConnect, the risk actor uploaded and executed VBScript recordsdata that had been used to obtain extra payloads to the system.
The ultimate script within the assault downloaded a malicious executable from archive[.]org that contained a loader often known as VMDetector, which put in:
- Quasar RAT: A distant entry trojan able to executing instructions on units.
- PureLogs stealer: An infostealing malware that steals credentials and authentication cookies from net browsers, in addition to stealing cryptocurrency wallets.
In accordance with Kaspersky, Open VSX confirmed that the extension had been downloaded 54,000 occasions earlier than it was eliminated on July 2. Nevertheless, the researchers imagine that this set up rely was artificially inflated to offer it a way of legitimacy.
A day later, the attackers revealed an nearly similar model beneath the identify “solidity,” inflating the set up rely for this extension to almost two million.
Supply: Kaspersky
Kaspersky says the risk actors had been in a position to rank their extension larger than the respectable one in Open VSX search outcomes by gaming the algorithm and thru the inflated set up rely. This induced the sufferer to put in the malicious extension, considering it was the respectable one.
The researchers discovered related extensions revealed to Microsoft’s Visible Studio Code market named “solaibot”, “among-eth”, and “blankebesxstnion,” which additionally executed a PowerShell script to put in ScreenConnect and infostealers.
Kaspersky warns that builders ought to be cautious of downloading packages and extensions from open repositories as they’ve develop into a standard supply of malware infections.
“Malicious packages proceed to pose a big risk to the crypto trade. Many tasks right this moment depend on open-source instruments downloaded from package deal repositories,” concludes Kaspersky.
“Sadly, packages from these repositories are sometimes a supply of malware infections. Due to this fact, we suggest excessive warning when downloading any instruments. All the time confirm that the package deal you are downloading is not a pretend.”
“If a package deal would not work as marketed after you put in it, be suspicious and examine the downloaded supply code.”
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key strategies utilized by cloud-fluent risk actors.
