DuckSoft DuckSoft

Analysis of Malware VSCode Extension "Solidity for Ethereum"

Intro

The analyzed plugin can be download here. By the time the article is composed, it has a total of 1,484,752 installs, as is shown in extension profile page, which, I highly suspect that most of them are forged.

Analysis

Download and extract the VSIX Package:

├── [Content_Types].xml

Basic

NaiveProxy URIs should be standard URIs, not something using JSON and Base64 encoding, etc.
https / quic schemes shouldn't be used directly, since they can be confusing with the real protocols.

Rules

schema := naive+https | naive+quic
username, password := basic auth info. when there's no auth, omit both.
host := target host
port can be omitted if it's 443, or specify it explicitly
queries:

Code

import java.util.*
import javax.crypto.Cipher
import javax.crypto.SecretKey

fun ByteArray.encryptDES(key: SecretKey): ByteArray? = try {
    Cipher.getInstance("DES")?.run {
        init(Cipher.ENCRYPT_MODE, key)
        doFinal(this@encryptDES)

Code

@Suppress("SpellCheckingInspection")
fun ByteArray.toHexStringLCase(): String = "0123456789abcdef".let { hexChars ->
    StringBuilder(this.size * 2).also { s ->
        this.forEach { byte ->
            byte.toInt().also { int ->
                s.append(hexChars[int shr 4 and 0x0f])
                s.append(hexChars[int and 0x0f])
 }

Keybase proof

I hereby claim:

I am ducksoft on github.
I am ducksoft (https://keybase.io/ducksoft) on keybase.
I have a public key ASDKXBzN0NLcOX3-P-G7UHs1QCbPBD_JkLtRrjJw72ECEgo

To claim this, I am signing this object:

	#!/bin/bash
	sudo apt remove azure-cli -y
	sudo sed -i 's/stretch/buster/g;s/main$/main contrib non-free/g' /etc/apt/sources.list
	sudo rm -rf /etc/apt/preferences.d/*
	sudo apt update && sudo bash -c "yes '' \| env DEBIAN_FRONTEND=noninteractive apt full-upgrade -y"
	sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential devscripts reprepro debhelper ninja-build libgrpc++-dev libprotobuf-dev protobuf-compiler-grpc qtbase5-dev qttools5-dev cmake pkg-config qtdeclarative5-dev libcurl4-openssl-dev libqt5svg5-dev
	/usr/bin/git submodule update --init --recursive
	dpkg-buildpackage -us -uc -i -b

	// Licensed under WTFPL

	package main

	import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"

	package main

	import (
	"log"
	"math/rand"
	"time"
	)

	type GossipMessage struct {
	FromNodeIdx int

	import re
	import requests
	import json
	from requests_html import BaseSession

	airport_html_url_provider = (f"http://airport.anseo.cn/c-china__page-{i}" for i in range(1, 10))
	airport_html_content_provider = (requests.get(url).content.decode() for url in airport_html_url_provider)
	airport_html_transformer = re.compile(r'<tr>[\w\W]+?_blank">([\w\W]+?)</a>[\w\W]+?href="(.+?)" title="(.+?)"[\w\W]+?span title="IATA CODE:(.?)"[\w\W]+?span title="ICAO CODE:(.?)"')
	airport_name_impurities = re.compile(r'\s*\|<br />')
	airport_name_purifier = lambda x: airport_name_impurities.sub('', x.strip())

	#!/bin/bash
	sudo pip install pip -U
	sudo pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple