Fake 'ClawdBot Agent' Extension in Visual Studio Code Marketplace Deployed RAT Malware

Executive Summary

A malicious extension named ClawdBot Agent was discovered and removed from the official Visual Studio Code Marketplace after it was found to be surreptitiously installing a Remote Access Tool (RAT) on developers' machines. The extension impersonated a popular open-source AI coding assistant, OpenClaw, to appear legitimate. In a sophisticated supply chain attack, the fully functional extension would silently deploy a weaponized version of ConnectWise ScreenConnect, a legitimate remote access tool, giving attackers complete control over the compromised developer's computer. The incident underscores the increasing trend of attackers targeting the developer ecosystem by poisoning trusted software repositories.

Threat Overview

This attack is a prime example of a trojanized application delivered through a trusted channel. By hiding malware inside a functional and desirable tool, attackers lower the guard of their victims. The target here is particularly high-value: software developers, whose machines often contain access keys, source code, and credentials for sensitive corporate infrastructure.

Attack Chain

1. Distribution (T1195.002 - Compromise Software Supply Chain): The attacker published the malicious 'ClawdBot Agent' extension to the official VS Code Marketplace.
2. Social Engineering: The extension was named and branded to impersonate a legitimate and popular AI tool, tricking developers into installing it.
3. Execution (T1137.006 - Office Application Startup: Add-ins): The malicious code was designed to trigger automatically as soon as the user launched VS Code after installation. No further interaction was needed.
4. C2 Communication & Payload Staging: The extension first fetched a remote configuration file from an attacker-controlled server. This file contained instructions for the next stage.
5. Payload Deployment (T1105 - Ingress Tool Transfer): The extension then downloaded and installed a weaponized version of ConnectWise ScreenConnect.
6. Remote Access: With ScreenConnect installed, the attackers gained full, stealthy remote control over the developer's machine, allowing for keylogging, file theft, and lateral movement.

Sophistication and Evasion

• Functional Trojan: The AI assistant features of the extension actually worked, which made it difficult for users to suspect anything was wrong.
• Backup Loader: The attackers had a backup plan. A secondary loader, written in Rust, was capable of fetching the same payload from Dropbox, disguised as a Zoom update, providing redundancy for their attack.

Impact Assessment

The compromise of a developer's machine can be a catastrophic event for an organization.

• Source Code Theft: Attackers can steal proprietary source code, algorithms, and intellectual property.
• Credential Compromise: Developer machines often contain API keys, SSH keys, and passwords for cloud services, databases, and production servers.
• Downstream Supply Chain Attack: An attacker with control of a developer's machine could inject malicious code into the company's own software, creating a much larger supply chain attack that affects the company's customers.
• Reconnaissance and Lateral Movement: The compromised machine serves as a perfect beachhead for attackers to study the internal network and plan their next move.

Detection & Response

D3FEND Techniques: Process Analysis (D3-PA), Network Traffic Analysis (D3-NTA)

1. Audit VS Code Extensions: Security teams should regularly audit the extensions installed by developers. Any extension that is not well-known, has few downloads, or a suspicious publisher should be investigated.
2. Monitor for Unexpected Processes: The VS Code process (code.exe) should not be spawning installers for tools like ScreenConnect or making connections to Dropbox to download 'Zoom updates'. Monitor for such anomalous process chains.
3. Network Monitoring: Look for unexpected outbound connections from developer workstations, especially to known remote access services like ScreenConnect, if they are not officially used by the organization.

Mitigation

D3FEND Techniques: Executable Denylisting (D3-EDL), User Training

1. Vet Extensions: Establish a policy for vetting and approving VS Code extensions before they can be installed. Maintain an internal allowlist of approved extensions.
2. Developer Education: Train developers to be cautious when installing new tools, even from official marketplaces. Teach them to check the publisher, the number of downloads, reviews, and the requested permissions before installing an extension.
3. Principle of Least Privilege: Ensure developers do not use accounts with local administrator privileges for their daily work. This can prevent malware from installing system-wide software like ScreenConnect.
4. Application Control: Use application control solutions to prevent the execution of unauthorized software, including remote access tools that are not on the corporate allowlist.