| Darcula | |
| --- | --- |
| Type of Threat | Exploit |
| Country of Origin | Israel |
| Date of initial activity | 2024 |
| Additional Names | Darcula Official |
| Tools | VSCode |
| Attack vectors | Social Engineering |
| Targeted systems | Windows |
Overview
In the recent discovery of a security vulnerability within the Visual Studio Code (VSCode) Marketplace, three key players emerge: Darcula, the deceptive malware; Dracula Official, the legitimate and popular theme; and Amit Assaraf, one of the researchers behind the investigation.
Darcula is a cunning imposter, a malicious extension masquerading as the well-loved Dracula Official theme. By subtly altering its name, Darcula lured unsuspecting developers into its trap, gathering sensitive system information and relaying it to a remote server, all while avoiding detection by traditional security tools.
Dracula Official represents the trusted and widely-used dark mode theme that developers rely on for its visual appeal and functionality. Unfortunately, it became the unintended victim of a typosquatting attack, with its reputation exploited to spread malicious code.
Amit Assaraf, alongside his fellow researchers, is the vigilant investigator who orchestrated this experiment. By creating Darcula and exposing its capabilities, Assaraf shed light on the vulnerabilities within the VSCode Marketplace, highlighting the ease with which malicious actors can infiltrate even trusted environments. His work underscores the critical need for stronger security measures to protect the developer community from similar threats.
Targets
Developers using VSCode as their primary text editor
How they operate
At the core of Darcula Official is a script that silently collects system information and source code whenever a document is opened within the VSCode editor. This script is cleverly embedded within the extension’s legitimate code, ensuring that it blends seamlessly with the expected functionality of the theme. The malware gathers details such as the device’s hostname, domain name, operating system, and a list of installed extensions. It then sends this information, along with any opened source code files, to a remote command and control (C2) server via an HTTPS POST request, making the exfiltration difficult to detect.
The stealthy nature of the Darcula Official malware is further enhanced by its ability to evade traditional endpoint detection and response (EDR) systems. VSCode, being a development environment, is inherently trusted by many security tools, which often treat its operations with leniency. This trust allows the malware to operate under the radar, as EDR systems struggle to differentiate between legitimate developer activities and the malicious actions initiated by the extension. As a result, the malware can continue its operations unchecked, leaking potentially critical source code and system details to its operators.
The success of Darcula Official in infiltrating high-profile targets, including multi-billion-dollar companies and national institutions, highlights the significant risks posed by malicious VSCode extensions. The researchers’ experiment revealed that the extension was quickly adopted by over 100 organizations within a single day, demonstrating how easily threat actors could replicate such an attack on a larger scale.
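The two traits described above, a name one or two edits away from a trusted theme and a "theme" that also ships executable code, are both visible in an extension's `package.json` before anything runs. The following audit script is an added example written for this page; it is not code from the original write-up or from the researchers. It walks a VSCode extensions directory (or a set of constructed manifests when no directory is given) and flags both traits. The trusted-theme identifier in `KNOWN_THEMES` is assumed for illustration, and the two sample manifests are constructed, not real Marketplace data.

```python
"""Audit VSCode extension manifests for typosquat names and themes that ship code.

Added example for this page, not the researchers' code. Manifests and the
trusted-theme list below are constructed for illustration.
"""
from __future__ import annotations

import json
import sys
from pathlib import Path

# Trusted theme IDs (publisher.name) and their display names. Assumed for
# illustration; a real deployment would load a reviewed allowlist.
KNOWN_THEMES = {
    "dracula-theme.theme-dracula": "Dracula Official",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches names a character or two from a trusted one."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one package.json (empty list = clean)."""
    findings: list[str] = []
    publisher = str(manifest.get("publisher", "")).lower()
    name = str(manifest.get("name", "")).lower()
    display = str(manifest.get("displayName", manifest.get("name", "")))
    ext_id = f"{publisher}.{name}"

    # 1. Lookalike: close to (or identical to) a trusted theme's name, but not
    #    published under the trusted ID.
    if ext_id not in KNOWN_THEMES:
        for known_id, known_display in KNOWN_THEMES.items():
            known_name = known_id.split(".", 1)[1]
            if edit_distance(display, known_display) <= 2 or edit_distance(name, known_name) <= 2:
                findings.append(f"lookalike of trusted theme {known_id!r} ({known_display!r})")
                break

    # 2. A colour theme only needs contributes.themes; an entry point or
    #    activation events mean it also runs JavaScript inside the editor.
    contributes = manifest.get("contributes") or {}
    is_theme = bool(contributes.get("themes"))
    entry_points = [k for k in ("main", "browser") if manifest.get(k)]
    activation = manifest.get("activationEvents") or []
    if is_theme and (entry_points or activation):
        detail = ", ".join(f"{k}={manifest[k]!r}" for k in entry_points)
        if activation:
            detail += f", activationEvents={activation!r}"
        findings.append("theme ships executable code: " + detail.lstrip(", "))
    if "*" in activation or "onStartupFinished" in activation:
        findings.append("activates on every editor start, independent of workspace content")
    return findings


def audit_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Audit every <root>/<extension>/package.json, e.g. ~/.vscode/extensions."""
    report: dict[str, list[str]] = {}
    for manifest_path in sorted(root.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[manifest_path.parent.name] = findings
    return report


# Constructed manifests: a genuine code-free theme and a lookalike that adds an
# entry point and startup activation, mirroring the behaviour described above.
SAMPLE_GENUINE = {
    "name": "theme-dracula", "displayName": "Dracula Official", "publisher": "dracula-theme",
    "contributes": {"themes": [{"label": "Dracula", "uiTheme": "vs-dark", "path": "./theme/dracula.json"}]},
}
SAMPLE_LOOKALIKE = {
    "name": "theme-darcula", "displayName": "Darcula Official", "publisher": "example-publisher",
    "main": "./out/extension.js", "activationEvents": ["*"],
    "contributes": {"themes": [{"label": "Darcula", "uiTheme": "vs-dark", "path": "./theme/darcula.json"}]},
}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if target and target.is_dir():
        for ext, found in audit_extensions_dir(target).items():
            print(ext, *found, sep="\n  ")
    else:
        for sample in (SAMPLE_GENUINE, SAMPLE_LOOKALIKE):
            print(sample["displayName"], audit_manifest(sample) or ["no findings"])
```

Run it with the path to the local extensions directory to audit a real machine; without an argument it runs against the constructed samples. The edit-distance threshold of 2 is deliberately tight, since a wider window on short names produces many benign matches; the manifest checks, by contrast, have few legitimate exceptions for pure colour themes.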
MITRE Tactics and Techniques
Initial Access (T1078 – Valid Accounts): The malware gains initial access by masquerading as a legitimate and popular extension, tricking users into installing it. This tactic is associated with obtaining unauthorized access to systems through compromised or falsely acquired credentials, in this case, by impersonating a trusted software tool.
Execution (T1059 – Command and Scripting Interpreter): Once installed, the malicious extension executes additional scripts or commands. The extension’s risky code could execute commands or scripts that collect system information and establish communication with a remote server.
Persistence (T1547 – Boot or Logon Autostart Execution): The extension remains active in the VSCode environment, ensuring its persistence on the compromised systems by leveraging the legitimate functionality of VSCode, which routinely executes commands and reads files as part of its normal operations.
Defense Evasion (T1562 – Impair Defenses): The malware evades detection by traditional endpoint detection and response (EDR) tools. It blends in with legitimate VSCode activities, making it difficult for security tools to distinguish between normal and malicious behavior.
Credential Access (T1552 – Unsecured Credentials): The extension could potentially be used to access and steal authentication tokens or other sensitive credentials from the developer’s environment.
Discovery (T1082 – System Information Discovery): The extension collects system information, including hostname, installed extensions, device domain name, and operating system platform, to better understand the environment it has infiltrated.
Collection (T1113 – Screen Capture): The extension might be capable of collecting specific data from the system, such as capturing screenshots or other information from the development environment.
Command and Control (T1071 – Application Layer Protocol): The malware establishes communication with a remote server via HTTPS POST requests, sending the collected system information to a command-and-control server, enabling remote monitoring or further malicious actions.
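The "How they operate" section and the Command and Control entry above both hinge on the same observable: the editor process itself issuing HTTPS POSTs to a server that has nothing to do with the Marketplace or updates. Rather than excluding the editor from monitoring, a defender can keep its egress in scope and compare destinations against a short allowlist. The script below is an added example for this page, not part of the original write-up; the JSON-lines telemetry, the hostnames and the allowlist are constructed for illustration (the two allowlisted hosts are real VSCode service names, but the list is partial and must be tuned per environment).

```python
"""Summarise outbound POSTs from the VSCode process to non-allowlisted hosts.

Added example for this page, not from the original write-up. Telemetry lines
and destination hostnames are constructed; the allowlist is partial and assumed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from pathlib import PurePath
from typing import Iterable

# Hosts a stock VSCode install is expected to POST to. Partial and assumed;
# extend for a private Marketplace mirror, proxy, or telemetry endpoints.
ALLOWED_HOSTS = {
    "marketplace.visualstudio.com",
    "update.code.visualstudio.com",
}

# Process image names for the editor; assumed, match your EDR's field format.
VSCODE_PROCESS_NAMES = {"code", "code.exe"}


def is_vscode_process(image_path: str) -> bool:
    """True when the process image is the VSCode executable, on any OS path style."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() in VSCODE_PROCESS_NAMES


def parse_events(lines: Iterable[str]):
    """Yield one dict per well-formed JSON line; skip blanks and malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def suspicious_posts(lines: Iterable[str]) -> dict[str, dict]:
    """Per destination host: POST count, bytes sent, and which workstations sent them."""
    summary: dict[str, dict] = defaultdict(
        lambda: {"count": 0, "bytes_out": 0, "sources": set()}
    )
    for ev in parse_events(lines):
        if ev.get("method") != "POST":
            continue
        if not is_vscode_process(str(ev.get("process", ""))):
            continue
        host = str(ev.get("dest_host", "")).lower()
        if not host or host in ALLOWED_HOSTS:
            continue
        entry = summary[host]
        entry["count"] += 1
        entry["bytes_out"] += int(ev.get("bytes_out", 0))
        entry["sources"].add(str(ev.get("hostname", "?")))
    return dict(summary)


def render_report(summary: dict[str, dict]) -> list[str]:
    """Format findings, largest upload volume first."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [
        f"{host}: {s['count']} POST(s), {s['bytes_out']} bytes, from {', '.join(sorted(s['sources']))}"
        for host, s in rows
    ]


# Constructed telemetry (JSON lines). Backslashes are JSON-escaped inside a raw string.
SAMPLE_TELEMETRY = r"""
{"ts":"2024-06-03T09:12:01Z","hostname":"dev-ws-01","process":"C:\\Program Files\\Microsoft VS Code\\Code.exe","method":"GET","dest_host":"marketplace.visualstudio.com","bytes_out":412}
{"ts":"2024-06-03T09:12:05Z","hostname":"dev-ws-01","process":"C:\\Program Files\\Microsoft VS Code\\Code.exe","method":"POST","dest_host":"update.code.visualstudio.com","bytes_out":980}
{"ts":"2024-06-03T09:13:40Z","hostname":"dev-ws-01","process":"C:\\Program Files\\Microsoft VS Code\\Code.exe","method":"POST","dest_host":"collector.example.invalid","bytes_out":18204}
{"ts":"2024-06-03T09:14:02Z","hostname":"dev-ws-02","process":"/usr/share/code/code","method":"POST","dest_host":"collector.example.invalid","bytes_out":40110}
{"ts":"2024-06-03T09:14:30Z","hostname":"dev-ws-02","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","method":"POST","dest_host":"collector.example.invalid","bytes_out":2048}
this line is not JSON and is skipped
""".splitlines()

if __name__ == "__main__":
    for row in render_report(suspicious_posts(SAMPLE_TELEMETRY)):
        print(row)
```

On the constructed input the browser's POST to the same host is ignored, which is the point: the question is not whether the host is contacted at all but whether the editor process is the one uploading to it. The `bytes_out` total is what distinguishes a few kilobytes of fingerprinting from source files being shipped out on every document open.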