“Malicious ‘GlassWorm’ Malware Distributes Through Compromised VS Code Extensions”
Brief Overview
- GlassWorm malware has been planted in several VS Code extensions published on the OpenVSX marketplace.
- The malicious code is hidden in invisible Unicode variation selectors, so it passes human review and static scanners.
- The trojanized extensions had been downloaded more than 10,700 times.
- Command and control runs over the Solana blockchain, with payload locations published in transaction memos.
- Google Calendar events and hard-coded IP addresses serve as fallback channels.
- The campaign is ongoing: the C2 infrastructure and payload server were still live at the time of writing.
- Developers should audit their installed extensions and rotate any exposed credentials.
Understanding the GlassWorm Intrusion
GlassWorm is a newly identified worm targeting extensions for Microsoft Visual Studio Code. Discovered by Koi Security, it hides its loader in invisible Unicode variation selectors, so the malicious code is present in the source yet invisible both to human reviewers and to scanners that only inspect the visible text. As of October 17, 2025, it had been planted in seven extensions on the OpenVSX marketplace, which together had been downloaded more than 10,700 times.
How Glassworm Avoids Detection
Variation selectors (U+FE00 to U+FE0F and U+E0100 to U+E01EF) are code points that modify the glyph before them and render as nothing when they stand alone. GlassWorm encodes its code as long runs of these characters, which survive copy, paste and publishing intact but appear as blank space, or nothing at all, in editors, in GitHub’s diff view and in syntax highlighting; a short stretch of ordinary-looking code decodes and executes them at run time. A static scanner that inspects the visible tokens sees only the benign wrapper, so maintainers shipped the payload without noticing it. The practical check is mechanical: search an extension’s files for these code points. A lone U+FE0F following an emoji inside a string literal is normal; a run of dozens of selectors with nothing visible to attach to is the signature to act on.
Communication Using Blockchain
GlassWorm resolves its command-and-control (C2) infrastructure through the Solana blockchain. The loader reads transactions from an attacker-controlled wallet and base64-decodes the memo attached to them; the decoded memo names the location of the next payload. Because confirmed transactions cannot be altered or removed, Koi describes this as “unkillable infrastructure”: the attackers redirect every infected host to a new server simply by posting another transaction, and no registrar or hosting provider can take the pointer down. The same property cuts both ways, though. The memos are public, so the complete history of payload locations is readable by anyone and can be mined for indicators.
Backup Channels and Payload Distribution
Alongside the blockchain channel, GlassWorm carries hard-coded IP addresses and a Google Calendar lookup as fallbacks; a request for a calendar event looks like ordinary traffic to a Google domain and passes most egress filtering. The server named in the Solana memo returns an AES-encrypted payload, with the decryption key delivered in HTTP response headers rather than in the body, so a captured payload body on its own cannot be decrypted, and a proxy that logs bodies but not headers never records the key.
Propagation and Secondary Component: ZOMBI
The worm harvests credentials for npm, GitHub and OpenVSX, along with data from cryptocurrency wallet extensions, and uses the stolen publishing tokens to push trojanized updates to further extensions, which is what makes it a worm rather than a one-off trojan. A second-stage component, ZOMBI, turns infected machines into proxy nodes: it runs SOCKS proxies and uses WebRTC to open connections through firewalls, and it includes HVNC (hidden VNC) for remote desktop sessions that never appear on the victim’s screen.
Ongoing Threat and Recommendations
Koi Security reports that GlassWorm’s infrastructure was still active at the time of publication, with the payload server online and data exfiltration continuing. Developers should check their installed extensions against the list of affected ones, remove any match, and rotate every credential that could have been on the machine: npm, GitHub and OpenVSX tokens and wallet secrets. Anyone whose publishing tokens were exposed should also review the packages and extensions published under them for versions they did not release. Affected extensions include CodeJoy and l-igh-t.vscode-theme-seti-folder, among others.
Conclusion
The GlassWorm intrusion underscores how fragile software supply chains are: code points that render as nothing were enough to carry malicious code past human review, marketplace vetting and source diffs. With C2 pointers stored on a public blockchain that nobody can take down and several fallback channels behind it, GlassWorm will remain a threat to developers until the affected extensions are removed and the exposed credentials are rotated.