Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto
Briefly

"The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process ("grpconv.exe") directly in memory, allowing it to harvest sensitive data and exfiltrate it to a remote server ("server09.mentality[.]cloud") over FTP in the form of a ZIP file. Some of the information collected by the malware includes -
- Clipboard content
- Installed apps
- Cryptocurrency wallets
- Running processes
- Desktop screenshots"
"Cybersecurity researchers have disclosed details of a malware campaign that's targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem. "The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems," Trend Micro said in an analysis published Monday."
Evelyn Stealer compromises developer environments by abusing the Visual Studio Code extension ecosystem to deliver an information-stealing payload. Three malicious VS Code extensions (BigBlack.bitcoin-black, BigBlack.codo-ai, BigBlack.mrbigblacktheme) drop a downloader DLL named Lightshot.dll that launches a hidden PowerShell command to fetch a second-stage runtime.exe. The runtime decrypts and injects the main stealer into grpconv.exe in memory, harvesting sensitive data and exfiltrating a ZIP to server09.mentality[.]cloud over FTP. Collected artifacts include clipboard contents, installed apps, cryptocurrency wallets, running processes, screenshots, stored Wi-Fi credentials, system information, and browser credentials and cookies. The malware detects analysis and virtual environments and terminates browser processes to ensure data collection.
Read at The Hacker News