Lorenz Lehmann
Research Lead @growthepie_eth🥧📏 Founder of @RWTHBlockchain

Oct 2, 12 tweets

Today, my PC was nearly compromised.

With just one click, I installed a malicious @code extension. Luckily, I was saved because my PC doesn't run Windows.

Hackers are getting smarter and aren't just targeting beginners. Here's how they do it and how you can protect your coins!

1/ Want to program in Solidity? A handy VS Code extension for formatting your code sounds perfect. You find the most popular package and click install...

... And just like that, you're compromised!

2/ But how did they do it?

🔴 The first red flag: the developer behind this extension is unverified, yet it managed to get 1.7M downloads (more than any other) and a perfect 5/5 star rating—all within a day of going live.

3/ After downloading the malicious extension and extracting its contents, everything appears normal — except for an obfuscated "extension.js" file that runs upon installation.

4/ After running it through a de-obfuscator (shoutout to @magicking_ & @bantg), we can see that "extension.js" secretly downloads a 5MB file named "1.cmb" from a Russian server and executes it.
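The red flags in tweets 2 to 4 (an unverified publisher, and an obfuscated "extension.js" that fetches and runs a remote file) can be checked before installing, by unzipping the .vsix and scanning its JavaScript. The script below is an added example written for this thread, not the author's tooling; the obfuscation heuristics, the suspicious-primitive list and the sample package (with the placeholder URL example.invalid) are my own constructions.

```python
import io
import json
import re
import zipfile

# Primitives worth flagging in extension code: spawning shells, PowerShell,
# remote fetches and dynamic evaluation (assumed list, not from the thread).
SUSPICIOUS = re.compile(
    r"child_process|\bexec(?:Sync)?\s*\(|\bspawn\s*\(|powershell|https?://|\beval\s*\(|new Function\s*\(",
    re.IGNORECASE,
)

def looks_obfuscated(text: str) -> bool:
    """Cheap heuristics: very long lines, _0x.... identifiers, or many \\x escapes."""
    long_lines = any(len(line) > 500 for line in text.splitlines())
    hex_ident = re.search(r"_0x[0-9a-f]{4,}", text) is not None
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", text)) > 20
    return long_lines or hex_ident or hex_escapes

def triage_vsix(vsix_bytes: bytes) -> dict:
    """Report the publisher id and every JS file that is obfuscated or uses suspicious primitives."""
    report = {"publisher": None, "flagged": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as vsix:
        for name in vsix.namelist():
            if name.endswith("package.json"):
                # Only the publisher id is in the package; verified status is a Marketplace attribute.
                report["publisher"] = json.loads(vsix.read(name)).get("publisher")
            elif name.endswith(".js"):
                text = vsix.read(name).decode("utf-8", errors="replace")
                hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(text)})
                obf = looks_obfuscated(text)
                if hits or obf:
                    report["flagged"].append({"file": name, "obfuscated": obf, "hits": hits})
    return report

def build_sample_vsix() -> bytes:
    """Constructed package: one benign helper and one extension.js shaped like the one described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as vsix:
        vsix.writestr("extension/package.json",
                      json.dumps({"name": "solidity-fmt", "publisher": "unknown-dev"}))
        vsix.writestr("extension/util.js",
                      "function pad(s){return s.length<4?' '+s:s}\nmodule.exports={pad};\n")
        vsix.writestr("extension/extension.js",
                      "var _0x4f2a=require('child_process'),_0x1b3c='https://example.invalid/1.cmb';"
                      "_0x4f2a.exec('powershell -File 1.cmb');")
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(triage_vsix(build_sample_vsix()), indent=2))
```

A clean formatter extension should produce an empty "flagged" list; anything hit here deserves a look at the publisher page and the deobfuscated source before clicking install.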

5/ Unfortunately, "1.cmb" is also deliberately obfuscated, making it much harder to understand what's really going on.

6/ However, with a quick Python script, we can reformat the code and insert echo log commands to track which actions are being executed. Next, we run it on a virtual machine (VM).

7/ The log file shows that the script eventually errors, but we can see how it operates:
- the attack relies on PowerShell for execution
- it runs entirely in memory, leaving no trace on disk, which makes it difficult for anti-malware software to detect (a.k.a. a fileless malware attack)
...

8/
- the script reads information from other files using "[System.IO.File]::ReadAllText", which also causes the error.
- it uses PowerShell's ability to dynamically create objects and invoke methods at runtime.
...

9/
- there's some form of AES encryption in place to conceal the true payload.
- we can even extract the base64-encoded AES keys and IVs (/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ= and VZVM+EzOQl4yXpCtgZwmdA==)

10/ To get more info, I also ran it through @HybridAnalysis. Apparently the script even detects VMs to avoid being reverse engineered! Advanced stuff we are dealing with here.

11/ The full report can be found here: hybrid-analysis.com/sample/e96f8f6…

Thanks for surfacing this @SageyTrading

Stay safe my friends! 🙏
