
Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Medium
Published: Thu Dec 04 2025 (12/04/2025, 10:32:22 UTC)
Source: AlienVault OTX General

Description

A malicious Visual Studio Code extension named 'prettier-vscode-plus' was found on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension initiates a multi-stage malware attack beginning with the Anivia loader, which decrypts and executes payloads in memory. The final payload is OctoRAT, a powerful remote access toolkit offering over 70 commands for surveillance, data theft, remote control, persistence, privilege escalation, and harassment. The attack chain uses advanced techniques such as AES encryption, process hollowing, and UAC bypass to evade detection and maintain persistence. The threat actor actively rotates payloads via a GitHub repository to avoid signature-based defenses. This supply-chain attack targets developers by abusing trusted tools in their ecosystem, posing significant risks to development environments and downstream software supply chains.

AI-Powered Analysis

Last updated: 12/04/2025, 11:19:57 UTC

Technical Analysis

This threat involves a malicious Visual Studio Code extension named 'prettier-vscode-plus' that was uploaded to the official VSCode Marketplace, masquerading as the legitimate Prettier code formatter. Once installed by developers, the extension acts as the initial infection vector for a sophisticated multi-stage malware chain. The first stage is the Anivia loader, which decrypts subsequent payloads in memory using AES encryption, avoiding disk artifacts and detection by traditional antivirus solutions. Anivia employs process hollowing to inject malicious code into legitimate processes and uses User Account Control (UAC) bypass techniques to escalate privileges without user consent. The final payload deployed is OctoRAT, a comprehensive remote access toolkit capable of executing over 70 commands, including surveillance (keylogging, screenshots), file theft, remote desktop control, persistence mechanisms, privilege escalation, and harassment functionalities. The attacker maintains operational security by rotating payloads hosted on a GitHub repository, complicating detection and response efforts. This attack exemplifies a supply-chain compromise targeting developer tools, leveraging the trust developers place in official marketplaces to infiltrate development environments and potentially compromise software supply chains downstream. The use of advanced evasion techniques and the breadth of OctoRAT’s capabilities make this a significant threat to organizations relying on VSCode for software development.

Potential Impact

European organizations, especially those with active software development teams using Visual Studio Code, face substantial risks from this threat. Compromise of developer workstations can lead to theft of intellectual property, source code, and sensitive credentials. The presence of OctoRAT enables attackers to conduct extensive surveillance, exfiltrate data, and maintain persistent access, potentially leading to broader network compromise. Privilege escalation and UAC bypass increase the likelihood of attackers gaining administrative control, which can facilitate lateral movement and deployment of additional malware. The supply-chain nature of the attack means that compromised developer environments could inadvertently introduce malicious code into production software, impacting customers and partners. This can result in reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The multi-stage and evasive techniques complicate detection and remediation, increasing dwell time and potential damage. Organizations involved in critical infrastructure, software development, or sensitive data processing are particularly vulnerable to espionage, sabotage, or ransomware follow-on attacks stemming from this initial compromise.

Mitigation Recommendations

1. Enforce strict controls on VSCode extension installations by restricting them to a vetted allowlist and disabling automatic extension installation where possible.
2. Implement endpoint detection and response (EDR) solutions capable of detecting process hollowing, UAC bypass attempts, and anomalous in-memory execution patterns.
3. Monitor network traffic for connections to the known malicious IPs (158.94.210.52, 158.94.210.76, 178.16.55.109) and scan endpoints for the file hashes associated with the malware stages.
4. Educate developers on the risks of installing unverified extensions and encourage use of official, verified extensions only.
5. Employ application control policies to restrict execution of unauthorized binaries and scripts, especially those exhibiting suspicious behaviors.
6. Regularly audit developer machines for persistence mechanisms and unusual privilege escalations.
7. Use multi-factor authentication and credential vaulting to protect sensitive accounts and secrets that could be targeted by OctoRAT.
8. Integrate supply-chain security tools that scan dependencies and development environments for malicious code.
9. Establish incident response playbooks tailored to developer environment compromises.
10. Collaborate with the VSCode Marketplace and security communities to report and remove malicious extensions promptly.
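The following script is an added example, not code from the OTX pulse or the hunt.io write-up, showing how a defender could operationalize items 1 and 3 above: it audits installed VSCode extension directories against an allowlist and the malicious extension name, flags proxy log lines that contact the advisory's IPs, and checks file digests against the advisory's hash list. The indicators are copied from this page; the allowlist entries, the `somepublisher` publisher id, and the sample log lines and directory names are constructed for illustration (the page does not give the extension's publisher id, so matching is on the name component only).

```python
"""Apply this advisory's IoCs on the defender side: extension audit,
proxy-log IP matching and file-hash matching. Added example, not the
project's or the advisory author's code."""
import hashlib
import re

# Indicators copied from the advisory's IoC tables.
KNOWN_BAD_IPS = {"158.94.210.52", "158.94.210.76", "178.16.55.109"}
KNOWN_BAD_HASHES = {
    "69905105c88d17248aa705855c89c6c6",
    "1e6fb29143f1d27dd1f750adda38bb9f6cef7301",
    "279f7ab5979e82caa75ac4d7923ee1f3d76fe8c3edc6cc124d619a8f7441eb5e",
    "360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f",
    "9a870ca9b0a47c5b496a6e00eaaa68aec132dd0b778e7a1830dadf1e44660feb",
    "b8bc4a9c9cd869b0186a1477cfcab4576dfafb58995308c1e979ad3cc00c60f2",
    "f4e5b1407f8a66f7563d3fb9cf53bae2dc3b1f1b93058236e68ab2bd8b42be9d",
}
# Extension name from the advisory; the publisher id is not on the page.
MALICIOUS_EXTENSION_NAME = "prettier-vscode-plus"

# Hypothetical organisational allowlist (assumption, not from the advisory).
ALLOWED_EXTENSIONS = {"esbenp.prettier-vscode", "ms-python.python"}

# VS Code stores extensions as <publisher>.<name>-<version> directories.
_EXT_DIR_RE = re.compile(
    r"^(?P<publisher>[^.]+)\.(?P<name>.+?)-(?P<version>\d+\.\d+\.\d+.*)$"
)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def audit_extension_dirs(dir_names):
    """Return (extension_id, reason) for directories that are the known-bad
    extension, are not on the allowlist, or cannot be parsed."""
    findings = []
    for d in dir_names:
        m = _EXT_DIR_RE.match(d)
        if not m:
            findings.append((d, "unparseable extension directory name"))
            continue
        ext_id = f"{m['publisher']}.{m['name']}"
        if m["name"] == MALICIOUS_EXTENSION_NAME:
            findings.append((ext_id, "matches malicious extension name from advisory"))
        elif ext_id not in ALLOWED_EXTENSIONS:
            findings.append((ext_id, "not on allowlist"))
    return findings


def flag_log_lines(lines):
    """Return (line_number, ip) for every advisory IP seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4_RE.findall(line):
            if ip in KNOWN_BAD_IPS:
                hits.append((n, ip))
    return hits


def check_hash_list(hashes):
    """Normalise digests exported from an EDR or file inventory (any case,
    surrounding whitespace) and return those that match the advisory."""
    return {h.strip().lower() for h in hashes} & KNOWN_BAD_HASHES


def hash_matches(data: bytes):
    """Hash raw file content with MD5, SHA-1 and SHA-256 (the three digest
    lengths in the advisory) and return any advisory hash it matches."""
    digests = {
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    }
    return digests & KNOWN_BAD_HASHES


# Constructed sample inputs (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2025-12-04T10:41:02Z devbox-17 CONNECT 158.94.210.52:443 user=alice",
    "2025-12-04T10:41:05Z devbox-17 GET https://marketplace.visualstudio.com/ 203.0.113.9",
    "2025-12-04T10:42:11Z devbox-22 CONNECT 178.16.55.109:8080 user=bob",
]
SAMPLE_EXTENSION_DIRS = [
    "esbenp.prettier-vscode-11.0.0",
    "ms-python.python-2025.14.0",
    "somepublisher.prettier-vscode-plus-1.0.3",  # publisher id is a placeholder
    "other.unknown-tool-0.1.0",
]

if __name__ == "__main__":
    for ext_id, reason in audit_extension_dirs(SAMPLE_EXTENSION_DIRS):
        print(f"[extension] {ext_id}: {reason}")
    for n, ip in flag_log_lines(SAMPLE_PROXY_LOG):
        print(f"[network] line {n} contacted advisory IP {ip}")
    print("[hash] matches:", check_hash_list(["69905105C88D17248AA705855C89C6C6"]))
```

On a real workstation, `audit_extension_dirs` would be fed the directory names under `~/.vscode/extensions` (or the equivalent path on Windows), `flag_log_lines` the proxy or firewall export, and `check_hash_list` the digest column of an EDR file inventory; any hit on the malicious name or an advisory hash should trigger the incident response playbook from item 9 rather than just a cleanup of the extension, since the loader runs later stages in memory.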


Technical Details

Author
AlienVault
TLP
white
References
https://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain
Adversary
null
Pulse Id
693163364670906b4b6d6811
Threat Score
null

Indicators of Compromise

Hash

Value
69905105c88d17248aa705855c89c6c6
1e6fb29143f1d27dd1f750adda38bb9f6cef7301
279f7ab5979e82caa75ac4d7923ee1f3d76fe8c3edc6cc124d619a8f7441eb5e
360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f
9a870ca9b0a47c5b496a6e00eaaa68aec132dd0b778e7a1830dadf1e44660feb
b8bc4a9c9cd869b0186a1477cfcab4576dfafb58995308c1e979ad3cc00c60f2
f4e5b1407f8a66f7563d3fb9cf53bae2dc3b1f1b93058236e68ab2bd8b42be9d

IP

Value
158.94.210.52
158.94.210.76
178.16.55.109

Threat ID: 69316adc03f8574ee0f04a5b

Added to database: 12/4/2025, 11:05:00 AM

Last enriched: 12/4/2025, 11:19:57 AM

Last updated: 12/4/2025, 2:30:50 PM

Views: 26
