VSCode Extension Drops Anivia Loader and OctoRAT

MITRE Techniques

• [T1195.002 ] Supply Chain Compromise – Used to publish a malicious VSCode extension that delivered the initial payload ( ‘malicious extension “prettier‑vscode‑plus” appeared on the official Visual Studio Code Marketplace’ )
• [T1059.001 ] PowerShell – Embedded PowerShell performs Base64/AES decryption and executes the decrypted script in memory ( ‘Execute the decrypted script directly in memory using Invoke-Expression’ )
• [T1059.005 ] Visual Basic – Initial dropper is a VBScript that creates COM objects, writes the PowerShell payload to disk, and executes it hidden ( ‘initial infection vector relies on a VBScript dropper that initializes two Windows COM objects’ )
• [T1053.005 ] Scheduled Task – Persistence via Windows Task Scheduler with a task named “WindowsUpdate” scheduled to run every minute ( ‘The scheduled task is named “WindowsUpdate” … execution every single minute’ )
• [T1548.002 ] Bypass UAC – FodHelper UAC bypass implemented by creating ms-settings registry keys to auto-elevate the malware ( ‘creates a registry key at HKCUSoftwareClassesms-settingsShellOpencommand’ )
• [T1055.012 ] Process Hollowing – Loader injects decrypted PE into a legitimate Microsoft-signed binary (vbc.exe) to evade detection ( ‘injects its payload into the legitimate Visual Basic Compiler … vbc.exe’ )
• [T1562.004 ] Disable Windows Firewall – Malware can disable the firewall via netsh to reduce host defenses ( ‘disable_firewall: Uses netsh advfirewall set allprofiles state off’ )
• [T1564.001 ] Hidden Files and Directories – Option to hide malware binary by setting hidden and system attributes ( ‘meltEnabled controls whether the malware hides its executable file by setting hidden and system filesystem attributes’ )
• [T1555.003 ] Credentials from Web Browsers – Targets browser SQLite databases to extract saved passwords, cookies, and autofill data ( ‘targets SQLite databases from all major browsers’ )
• [T1555 ] Credentials from Password Stores – Loads SQLite libraries to access browser-stored credentials and other password stores ( ‘SQLite loading is strategically important: modern web browsers store sensitive user data in SQLite databases’ )
• [T1082 ] System Information Discovery – Collects host reconnaissance data in a JSON packet ( ‘transmits a JSON-formatted reconnaissance packet containing: computer hostname, current username, Windows version’ )
• [T1057 ] Process Discovery – Implements commands to list and manage running processes ( ‘get_processesList all running processes’ )
• [T1083 ] File and Directory Discovery – Enumerates directories and wallet application folders for data theft ( ‘list_dirList directory contents’ )
• [T1056.001 ] Keylogging – Supports keystroke capture via start_keylogger ( ‘start_keyloggerBegin keystroke capture’ )
• [T1115 ] Clipboard Data – Monitors and exfiltrates clipboard contents ( ‘start_clipboard_monitorBegin clipboard monitoring’ )
• [T1113 ] Screen Capture – Remote desktop streaming and screenshot capture ( ‘start_desktopBegin screen capture streaming’ )
• [T1071 ] Application Layer Protocol – JSON over HTTP(s) used for C2 reconnaissance and command exchange ( ‘transmits a JSON-formatted reconnaissance packet’ )
• [T1041 ] Exfiltration Over C2 Channel – Stolen browser/wallet data is uploaded to attacker-controlled servers over the C2 channel ( ‘Immediately after extraction, the malware uploads this data to the attacker’s server’ )