ETHSecurity Community

Researchers from kaspersky Lab have shared the results of their investigation into an incident involving a blockchain developer who fell victim to a scam.

It turned out that a fake extension for the Cursor IDE code editor infected devices with remote access tools and info stealers, which led to the theft of $500,000 in cryptocurrency from the mentioned developer.

The final attack script downloaded a malicious executable from archive[.]org, containing a loader known as VMDetector, which installed Quasar RAT (capable of executing commands on devices) and PureLogs stealer (which steals credentials and authentication cookies from web browsers, as well as cryptocurrency wallet data).

According to Kaspersky Lab, Open VSX showed that the extension was downloaded 54,000 times before it was removed on July 2. However, researchers believe that the number of installations was artificially inflated to give it an appearance of legitimacy.

The day after, the attackers published a nearly identical version called solidity, increasing the installation count of this extension to nearly two million.

The extension was called Solidity Language and was published in the Open VSX registry. It was claimed to be a syntax highlighting tool for working with Ethereum smart contracts.

Despite masquerading as a legitimate Solidity syntax highlighting extension, the plugin actually executed a PowerShell script from a remote host, angelic[.]su, to download additional malicious payloads.

The remote PowerShell script checked if ScreenConnect was already installed, and if not, it launched another script to install it. After that, the attackers gained full remote access to the developer's computer.

Using ScreenConnect, they uploaded and executed VBScript files that were used to download additional payloads onto the device.

Cursor AI IDE is an AI-based development environment built on Microsoft’s Visual Studio Code. It includes support for Open VSX, an alternative to the Visual Studio Marketplace, allowing the installation of VSCode-compatible extensions to enhance the software's functionality.

Notably, the victim's operating system was installed just a few days before the incident. Only the most essential and popular programs were loaded onto the infected device. However, it was reported that no antivirus software was installed, and free online services were used.

After obtaining a disk image of the device and analyzing it, Kaspersky researchers discovered a malicious JavaScript file named extension.js located in the .cursor/extensions directory.