CyberSecurity news
FlagThis - #cryptominer
|
@blog.extensiontotal.com
//
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.
The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion. This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats.
Share:
References :
Classification:
Sunny Yadav@eSecurity Planet
//
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.
The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats.
Share:
References :
Classification:
@cyberalerts.io
//
The Splunk Threat Research Team has revealed a widespread cyber campaign specifically targeting Internet Service Provider (ISP) infrastructure providers on the West Coast of the United States and in China. Over 4,000 ISP-related IP addresses were explicitly targeted. This mass exploitation campaign involves the deployment of information stealers and crypto miners on compromised systems.
The attack leverages brute-force tactics to exploit weak credentials, gaining initial access to the targeted networks. Once inside, the attackers deploy cryptomining and info-stealing malware. This campaign is believed to have originated from Eastern Europe, highlighting the global nature of cyber threats and the importance of robust security measures for critical infrastructure providers.
Share:
References :
Classification:
|