
Self-spreading GlassWorm malware hits OpenVSX, VS Code registries


A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated 35,800 times.

The malware hides its malicious code using invisible characters. It can also spread itself by using stolen account information to infect other extensions the victim has access to.

GlassWorm operators use the Solana blockchain for command-and-control, which makes takedown very difficult, with Google Calendar as a backup option.

The Microsoft Visual Studio Marketplace and OpenVSX platforms host extensions and integrations for Visual Studio products and are constant targets of threat actors looking to steal cryptocurrency [1, 2, 3].

Researchers at endpoint security provider Koi found that the current GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors."

Hidden malicious code (Source: Koi Security)
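A defensive check for the technique described above: a scanner that flags runs of invisible Unicode characters in extension source files before they are installed. This is an added example, not code from the article or from Koi; the article does not say which code points GlassWorm uses, so the range list and the sample file are assumptions constructed for illustration.

```python
import unicodedata

# Ranges that render as nothing in most editors. The article does not say
# which characters GlassWorm uses, so this list is an assumption.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space, ZWNJ, ZWJ, LRM, RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embeddings
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return cp > 0x7F and unicodedata.category(ch) == "Cf"  # other format chars

def scan_source(text: str) -> list:
    """Return runs of invisible characters as (line, column, length, first_cp).
    Split on '\\n' only: str.splitlines() also breaks on U+2028/U+2029 and
    would silently drop exactly the characters we are looking for."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            findings.append((lineno, start + 1, col - start, ord(line[start])))
    return findings

# Constructed sample: an extension entry point with six tag characters hidden
# at the end of line 2 and a lone zero-width space after the brace on line 4.
SAMPLE = (
    "const vscode = require('vscode');\n"
    "function activate(ctx) {" + "".join(chr(0xE0000 + b) for b in b"hidden") + "\n"
    "  console.log('ready');\n"
    "}\u200B\n"
)

if __name__ == "__main__":
    for line, col, length, cp in scan_source(SAMPLE):
        print(f"line {line} col {col}: {length} invisible char(s), first U+{cp:04X}")
```

A long run on a single line is a much stronger signal than an isolated BOM or joiner, so triage by run length rather than treating every hit as malicious.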

Once installed, the malware attempts to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions.

Additionally, GlassWorm deploys a SOCKS proxy to route malicious traffic through the victim’s machine and installs VNC clients (HVNC) for invisible remote access.

The worm has a hardcoded wallet whose transactions on the Solana blockchain carry base64-encoded links to the next-stage payloads. According to the researchers, the final payload is called ZOMBI and is "massively obfuscated JavaScript" code that turns infected systems into nodes for cybercriminal activity.
