Evelyn Stealer: New Malware Hits Developers Through Malicious VS Code Extensions

Evelyn Stealer Malware Abuses Visual Studio Code Extensions to Target Developers

HIGH
January 19, 2026
Malware, Supply Chain Attack, Threat Actor

Executive Summary

A new malware campaign is actively targeting software developers using a novel information stealer known as Evelyn Stealer. The malware is being distributed via malicious extensions for Microsoft Visual Studio Code, a widely used integrated development environment (IDE). According to research from Trend Micro and Koi Security, the primary goal of Evelyn Stealer is to exfiltrate developer credentials and cryptocurrency-related data from compromised machines. This campaign represents a significant supply chain threat, as developers are high-value targets with privileged access to source code, production systems, and cloud infrastructure. The abuse of the trusted VS Code Marketplace underscores the need for stringent security vetting of all development tools and dependencies.

Threat Overview

The campaign leverages the popularity and extensibility of VS Code to trick developers into installing malicious extensions. Threat actors published at least three extensions to the official marketplace under the publisher name BigBlack. These extensions, named BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme, likely masqueraded as useful tools or themes to lure developers.

Once installed, the malicious extension deploys the Evelyn Stealer payload. This malware is designed to scour the compromised system for sensitive information, with a focus on data valuable to cybercriminals:

  • Developer Credentials: API keys, access tokens, SSH keys, and saved passwords.
  • Cryptocurrency Data: Private keys and seed phrases for cryptocurrency wallets.
  • System Information: Hostnames, user information, and network configuration.

The stolen data is then exfiltrated to an attacker-controlled server. By compromising a developer's workstation, attackers gain a powerful foothold within a target organization, potentially enabling lateral movement, source code theft, or the injection of malicious code into the software supply chain.

Technical Analysis

The attack vector is a software supply chain attack targeting the development environment. The threat actor abuses the trust developers place in the VS Code Marketplace.

Attack Chain:

  1. Publication: The attacker develops a malicious VS Code extension containing the Evelyn Stealer payload and publishes it to the official marketplace.
  2. Social Engineering: The extension is given an appealing name and description to encourage downloads, a form of T1195.002 - Compromise Software Supply Chain.
  3. Installation: A developer discovers and installs the malicious extension, believing it to be a legitimate tool.
  4. Execution: Upon installation or activation, the extension executes its malicious code, typically using JavaScript or TypeScript, which runs with the user's permissions. This aligns with T1059.007 - JavaScript.
  5. Information Stealing: The malware payload scans the file system, browser data, and configuration files for target data, as seen in T1555 - Credentials from Password Stores.
  6. Exfiltration: The collected data is sent to a command-and-control (C2) server.

MITRE ATT&CK Mapping:

  • T1195.002 - Compromise Software Supply Chain
  • T1059.007 - JavaScript
  • T1555 - Credentials from Password Stores

Impact Assessment

Compromising a developer workstation can have catastrophic consequences for an organization. Potential impacts include:

  • Source Code Theft: Loss of valuable intellectual property.
  • Further Supply Chain Compromise: The attacker could use the developer's access to inject malicious code into the company's own software products, impacting downstream customers.
  • Infrastructure Breach: Stolen credentials can be used to access cloud environments (AWS, Azure, GCP), databases, and production servers.
  • Financial Loss: Theft of cryptocurrency or use of stolen credentials to rack up cloud service bills.

IOCs

The following malicious VS Code extensions have been identified as Indicators of Compromise:

Type        Value                      Description
File Name   BigBlack.bitcoin-black     Malicious VS Code Extension Name
File Name   BigBlack.codo-ai           Malicious VS Code Extension Name
File Name   BigBlack.mrbigblacktheme   Malicious VS Code Extension Name

Detection & Response

  • Audit Installed Extensions: Security teams should immediately audit all installed VS Code extensions across developer workstations. Use command-line tools to list extensions (code --list-extensions) and compare against a list of known malicious and unapproved add-ons.
  • Endpoint Detection and Response (EDR): EDR solutions should be configured to monitor for suspicious processes spawned by Code.exe. Look for unexpected network connections, file system scanning behavior, or attempts to access credential stores originating from a VS Code process. This aligns with D3FEND's Process Analysis.
  • Network Monitoring: Monitor outbound traffic from developer machines for connections to unknown or suspicious domains, which could indicate data exfiltration.

Mitigation

  1. Extension Allowlisting: Implement a strict policy that only allows the installation of vetted and approved VS Code extensions. Use IDE or endpoint management features to enforce this policy, a form of D3FEND's Executable Allowlisting.
  2. Developer Education: Train developers on the risks of third-party extensions. Encourage them to scrutinize publishers, review permissions, and check for signs of malicious behavior (e.g., few downloads, no reviews, poor grammar).
  3. Principle of Least Privilege: Ensure developers do not use accounts with excessive privileges for daily tasks. Production credentials should not be stored on developer workstations and should be accessed via just-in-time (JIT) systems and secrets vaults.
  4. Regular Audits: Periodically audit development environments, including IDE configurations and installed dependencies, to identify any unauthorized or malicious components.
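The extension audit from the Detection & Response section and the allowlist enforcement from the Mitigation section can be combined in one script. The following is an added example, not code from the original report or from Trend Micro or Koi Security: it parses `code --list-extensions --show-versions` output, flags the three extension IDs listed in this report's IOCs, and buckets everything else as approved or unapproved against a hypothetical allowlist (the approved IDs and the sample CLI output are constructed).

```python
import subprocess

# The three extension IDs named in this report's IOC table (publisher.name form, as printed by the CLI).
MALICIOUS_EXTENSIONS = {"BigBlack.bitcoin-black", "BigBlack.codo-ai", "BigBlack.mrbigblacktheme"}

# Hypothetical allowlist; in practice this comes from the organization's extension vetting process.
APPROVED_EXTENSIONS = {"ms-python.python", "ms-vscode.cpptools"}

# Constructed sample of `code --list-extensions --show-versions` output so the script runs offline.
SAMPLE_OUTPUT = """ms-python.python@2024.22.0
BigBlack.codo-ai@1.0.3
some-publisher.fancy-theme@0.1.0
"""


def parse_list_output(output: str) -> dict:
    """Parse CLI output of the form 'publisher.name@version', one extension per line."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if line:
            ext_id, _, version = line.partition("@")
            installed[ext_id] = version or "unknown"
    return installed


def audit(installed: dict, approved: set, malicious: set) -> dict:
    """Bucket installed extensions as malicious, approved or unapproved (IDs compared case-insensitively)."""
    approved_l = {e.lower() for e in approved}
    malicious_l = {e.lower() for e in malicious}
    result = {"malicious": [], "approved": [], "unapproved": []}
    for ext_id in sorted(installed):
        key = ext_id.lower()
        bucket = "malicious" if key in malicious_l else "approved" if key in approved_l else "unapproved"
        result[bucket].append(ext_id)
    return result


def audit_local_workstation() -> dict:
    """Query the real VS Code CLI (requires `code` on PATH) and audit the result."""
    proc = subprocess.run(["code", "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=True)
    return audit(parse_list_output(proc.stdout), APPROVED_EXTENSIONS, MALICIOUS_EXTENSIONS)


if __name__ == "__main__":
    # Stand-alone run uses the constructed sample; swap in audit_local_workstation() on a real host.
    report = audit(parse_list_output(SAMPLE_OUTPUT), APPROVED_EXTENSIONS, MALICIOUS_EXTENSIONS)
    for bucket, ids in report.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Anything in the "malicious" bucket warrants incident response on that workstation; the "unapproved" bucket is the list to drive allowlist enforcement.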

MITRE ATT&CK Mitigations

  • Implement policies to restrict which extensions can be installed in developer IDEs, using an allowlist of approved and vetted tools.
  • Audit (M1047): Regularly audit developer environments, including installed IDE extensions, for signs of compromise or unauthorized software.
  • Prevent the storing of privileged credentials on developer workstations. Use secrets management and JIT access systems.

D3FEND Defensive Countermeasures

To counter threats like Evelyn Stealer, organizations must shift from a reactive to a proactive stance on developer tools. Implement a strict executable allowlisting policy specifically for Visual Studio Code extensions. This is not about blocking known-bad extensions, but only permitting known-good ones. Create a formal vetting process where developers can request a new extension. A security team or champion must then review the extension's publisher, permissions, community feedback, and source code if available. Once approved, the extension is added to a central allowlist that is enforced across all developer workstations using endpoint management tools or IDE workspace settings. This dramatically reduces the attack surface, as developers can no longer install arbitrary, unvetted extensions from the marketplace, effectively neutralizing the primary distribution vector for this type of malware.

Enhance endpoint security by focusing on process analysis for developer-specific applications like Visual Studio Code (Code.exe). Configure EDR and SIEM solutions to monitor for anomalous behavior originating from the VS Code process. A baseline of normal activity should be established. Alerts should be triggered if Code.exe or its child processes initiate suspicious actions such as: scanning large parts of the file system (especially user directories like ~/.ssh/ or ~/Documents/), making network connections to non-standard or uncategorized IP addresses, or attempting to read from browser credential stores. Since Evelyn Stealer's purpose is data exfiltration, monitoring for these specific data gathering and egress patterns is a critical detection strategy that can catch the malware post-installation, even if the initial entry point was missed.
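The alert criteria above (VS Code lineage touching key or credential stores, or connecting to uncategorized destinations) can be expressed as a small piece of detection logic. This is an added example, not code from the original report or from any EDR vendor: it walks parent-process links in constructed EDR-style events so that child processes spawned by Code.exe are attributed to VS Code, and the sensitive-path markers and known-good hosts are assumptions to be replaced with the organization's own baseline.

```python
# Process names treated as VS Code (Windows and Linux/macOS binaries).
VSCODE_PROCESSES = {"code.exe", "code", "code-insiders"}
# Path fragments the report calls out as infostealer targets (assumed markers, not exhaustive).
SENSITIVE_PATH_MARKERS = (".ssh/", ".aws/credentials", "Login Data", "logins.json")
# Destinations VS Code legitimately contacts; anything else is "uncategorized" in this example.
KNOWN_GOOD_HOSTS = {"marketplace.visualstudio.com", "update.code.visualstudio.com"}

# Constructed sample telemetry: one dict per event, with pid/ppid links like an EDR process tree.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "Code.exe", "action": "process_start", "target": ""},
    {"pid": 101, "ppid": 100, "name": "node.exe", "action": "file_read", "target": "C:\\Users\\dev\\.ssh\\id_ed25519"},
    {"pid": 101, "ppid": 100, "name": "node.exe", "action": "net_connect", "target": "203.0.113.7:443"},
    {"pid": 100, "ppid": 1, "name": "Code.exe", "action": "net_connect", "target": "marketplace.visualstudio.com:443"},
    {"pid": 200, "ppid": 1, "name": "explorer.exe", "action": "file_read", "target": "C:\\Users\\dev\\.ssh\\config"},
]


def has_vscode_ancestor(pid: int, by_pid: dict) -> bool:
    """Follow ppid links upward; True if the process itself or any ancestor is a VS Code process."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against cyclic or self-referencing ppid data
        if by_pid[pid]["name"].lower() in VSCODE_PROCESSES:
            return True
        pid = by_pid[pid]["ppid"]
    return False


def flag_events(events: list) -> list:
    """Return (event, reason) pairs for VS Code-rooted activity matching the report's alert criteria."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not has_vscode_ancestor(e["pid"], by_pid):
            continue
        target = e["target"].replace("\\", "/")  # normalise Windows separators for marker matching
        if e["action"] == "file_read" and any(m in target for m in SENSITIVE_PATH_MARKERS):
            alerts.append((e, f"VS Code lineage read key/credential material: {target}"))
        elif e["action"] == "net_connect":
            host = target.rsplit(":", 1)[0]
            if host not in KNOWN_GOOD_HOSTS:
                alerts.append((e, f"VS Code lineage connected to uncategorized destination: {host}"))
    return alerts


if __name__ == "__main__":
    for event, reason in flag_events(SAMPLE_EVENTS):
        print(f"pid={event['pid']} {event['name']}: {reason}")
```

The explorer.exe read of ~/.ssh/config is deliberately not flagged: the point of process analysis is attributing the access to the VS Code lineage, not alerting on every read of a sensitive path.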

Sources & References

New Evelyn Stealer Campaign Weaponizes VS Code Extensions
Trend Micro (trendmicro.com) January 19, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

Evelyn Stealer, InfoStealer, Malware, Visual Studio Code, Supply Chain Attack, Developer Security
