Weaponized VS Code Impersonate Zoom App Steals Cookies From Chrome

A newly identified extension for Visual Studio Code (VS Code) has been found to impersonate a legitimate Zoom application, enabling cybercriminals to steal sensitive cookies from Google Chrome.

This incident marks a significant escalation in the tactics employed by malicious actors to exploit trusted software ecosystems.

The Discovery

The nefarious extension, uploaded to the VS Code Marketplace on November 30, 2024, has raised serious concerns about the security of VS Code extensions and the broader implications for software development environments.

According to the Hunt report, Researchers from ReversingLabs first identified a series of malicious extensions in December. However, further analysis revealed a separate and sophisticated instance masquerading as the Zoom Workspace tool.

This extension gained users’ trust by mimicking a legitimate application and contained code targeting Chrome’s cookie storage.

The extension’s uploader cleverly included a link to the official GitHub repository for the Zoom Meeting SDK, further enhancing its credibility.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Unfortunately, this tactic highlights a growing trend where cyber criminals use trusted platforms and resources to spread malware.

The extension went through a phased release; early versions did not feature the malicious code, but subsequent updates introduced functionality designed to harvest cookies directly from users’ systems.

The Technical Breakdown

Upon examination, researchers discovered that the extension, distributed in the VSIX format, contained critical files such as extension.js and extension-web.js. These files were responsible for the extension’s installation and functionality.

A crucial finding was a hardcoded .env file that contained access keys to various online services, indicating a severe security lapse.

Cookie Extraction Mechanism

The malicious code, embedded in extension-web.js, was specifically designed to access Chrome’s cookie database.

It established a method to asynchronously fetch data from a suspicious external endpoint (api.storagehb.cn), believed to be linked to malicious command and control operations.

const d1 = 'https://api.storagehb.cn/d?v=1.3';

The extension constructed a file path targeting Chrome’s cookies, executed SQL queries, and silently collected cookie data without user awareness.

This capability enables attackers to access users’ sessions on various online platforms, potentially leading to account hijacking and data breaches.

The emergence of such weaponized extensions raises significant concerns for developers who rely on the VS Code Marketplace for enhancement tools.

The inclusion of malicious code in what appears to be benign applications underscores the necessity for vigilance when integrating third-party extensions.

1. Scrutinize Extensions: Users are advised to thoroughly check the number of installs and reviews before adding any extension to their development environments. Low install counts may indicate untrustworthiness.
2. Monitor Updates: Regularly reviewing the version history of installed extensions can help users spot unexpected changes or updates that may signal malicious intent.
3. Security Tools: Incorporating additional security tools and practices, such as browser security extensions and real-time monitoring for unusual behavior, can bolster protection against such threats.
4. Educate Teams: For development teams, ongoing training about the risks associated with IDE extensions and best practices for maintaining secure development environments is essential.

The weaponization of VS Code extensions illustrates a growing threat landscape where trusted software environments are targeted for malicious activities.

As cyber threats continue to evolve, developers and users must remain vigilant, prioritizing security and productivity in their workflows.

As this incident demonstrates, even the most innocuous tools can harbor significant risks, and proactive measures are paramount in safeguarding sensitive data.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar