@trailofbits/vsix-audit 0.1.3 → 0.2.1

package/zoo/iocs/hashes.txt

@@ -40,6 +40,12 @@ bb68992f6aa2d3f316322e88d9e71491a38e95fd3a27f48084c66b9c210bd17d  # GlassWorm -
 68e5fb92a7d7d182306a025010c77ae2cd89c39031cced13f9686a9f34671041  # GlassWorm - f_ex86.node.decoded (Rust DLL, pre-decryption)
 a9a6a03bd6958710aeacc2a23860a7f7f0d09497fef85fe658ac5406734061f8  # GlassWorm - priskinski.theme-allhallowseve-remake-1.0.0.vsix (ReversingLabs Dec2025)
 
+# SnowShoNo Campaign (ScreenConnect MSI)
+290027e4e32cf4983ccaa9811b3090c7397a3711d23e426ab144bec1167c456b  # SnowShoNo - ScreenConnect MSI installer payload
+
+# Pokemon/Cryptominer Campaign (Oct 2025)
+f92824508a829846cebd427a073336be7b298b13691e28bde0e8c667fb0db436  # PokemonMiner - Monero miner executable (45/70 VT detections)
+
 # Zoo samples (GitHub sources)
 2cdaee2863396e558f17503ad290163d513acbc3c2ca2dbfa6852c2e064ca9f1  # SnowShoNo - PowerShell downloader (obfuscated)
 6674b3505ac23b2354230d691b9e18c2dda74a66f76bb0df724286cb9b23581c  # ECM3401 - Extension Attack Suite .vsix

package/zoo/iocs/wallets.txt

@@ -11,8 +11,5 @@
 # GlassWorm Campaign - Solana Blockchain C2
 SOL BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC  # GlassWorm - Primary C2 wallet (transaction memos contain commands)
 
-# Add wallet addresses here as they are discovered
-# Format examples:
-# BTC 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa  # Campaign - Description
-# ETH 0x742d35Cc6634C0532925a3b844Bc9e7595f8fE42  # Campaign - Description
-# SOL ADDRESS  # Campaign - Description
+# SleepyDuck Campaign - Ethereum Smart Contract C2
+ETH 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465  # SleepyDuck - Ethereum contract storing C2 server address

package/zoo/signatures/yara/blockchain_c2_extended.yar

@@ -0,0 +1,57 @@
+/*
+    Extended Blockchain C2 Detection
+    Detects Ethereum smart contract interaction patterns used
+    for command-and-control, extending the Solana-focused
+    blockchain_c2.yar rules.
+
+    SleepyDuck campaign uses Ethereum contracts to store C2
+    server addresses, queried via ethers.js/web3.js ABI calls.
+    The contract stores the current C2 URL which the malware
+    reads to get instructions, then executes the result.
+
+    Target: JavaScript files (no `wide` needed)
+*/
+
+rule C2_JS_Ethereum_Contract_C2_Feb26 {
+  meta:
+    description = "Detects Ethereum contract queries combined with dynamic code execution (SleepyDuck C2 pattern)"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/can-you-trust-your-vscode-extensions"
+
+  strings:
+    // Ethereum library imports
+    $lib1 = "ethers" ascii
+    $lib2 = "@ethersproject" ascii
+
+    // Contract interaction
+    $contract1 = "new Contract(" ascii
+    $contract2 = "getContract(" ascii
+
+    // RPC provider connection
+    $rpc1 = "JsonRpcProvider" ascii
+    $rpc2 = "InfuraProvider" ascii
+    $rpc3 = "AlchemyProvider" ascii
+    $rpc4 = "Web3Provider" ascii
+
+    // Dynamic code execution — the C2 signal
+    // child_process and new Function("return this") are too
+    // common in bundled Ethereum dev tools (webpack polyfills,
+    // compiler toolchains). Only eval() is a strong C2 signal
+    // when combined with contract interaction.
+    $exec1 = "eval(" ascii
+
+  condition:
+    any of ($lib*) and
+    any of ($contract*) and
+    any of ($rpc*) and
+    $exec1
+}
+
+// REMOVED: C2_JS_Blockchain_Address_Resolution_Feb26
+// 87 FPs across 440-extension corpus. The getter patterns
+// (.getServer, .getConfig, .getAddress) combined with
+// Provider() + fetch() + child_process were far too generic —
+// matched virtually any large bundled extension.

package/zoo/signatures/yara/native_addon_loader.yar

@@ -0,0 +1,71 @@
+/*
+    Suspicious Native Addon Loading Detection
+    Detects platform-conditional loading of .node native addons,
+    a pattern used by GlassWorm Wave 3 to load Rust implants
+    (darwin.node, os.node) that establish persistence.
+
+    Legitimate native addons exist (e.g., node-sass, sharp) but
+    they load via npm packages, not inline require with
+    platform checks and custom-named .node files.
+
+    Target: JavaScript files (no `wide` needed)
+*/
+
+rule SUSP_NativeAddon_Platform_Loader_Feb26 {
+  meta:
+    description = "Detects platform-conditional loading of .node native addons, a pattern used by GlassWorm for Rust implant delivery"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/the-glass-is-half-empty"
+
+  strings:
+    // Platform detection
+    $platform1 = "os.platform()" ascii
+    $platform2 = "process.platform" ascii
+
+    // Platform value used in comparisons
+    // (must be full quoted strings to avoid short-atom issues)
+    $win = "'win32'" ascii
+    $mac = "'darwin'" ascii
+
+    // Native addon loading with relative path
+    $node_load1 = /require\s*\(\s*['"][^'"]*\.node['"]\s*\)/ ascii
+    $node_load2 = "darwin.node" ascii
+    $node_load3 = "os.node" ascii
+    $node_load4 = "win.node" ascii
+    $node_load5 = "linux.node" ascii
+
+    // The loaded addon is called with .run()
+    $run_call = ".run(" ascii
+
+  condition:
+    any of ($platform*) and
+    ($win or $mac) and
+    any of ($node_load*) and
+    $run_call
+}
+
+rule SUSP_NativeAddon_Bundled_Binary_Feb26 {
+  meta:
+    description = "Detects custom-named .node file loading outside of node_modules, suggesting a bundled native binary"
+    severity    = "medium"
+    score       = 70
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/the-glass-is-half-empty"
+
+  strings:
+    // Require of .node files with relative paths (not from node_modules)
+    $rel_node1 = /require\s*\(\s*['"]\.\/[^'"]+\.node['"]\s*\)/ ascii
+    $rel_node2 = /require\s*\(\s*['"]\.\.\/[^'"]+\.node['"]\s*\)/ ascii
+
+    // VS Code extension activation context
+    $activate = "activate" ascii
+    $vscode   = "vscode" ascii
+
+  condition:
+    any of ($rel_node*) and
+    ($activate and $vscode)
+}

package/zoo/signatures/yara/persistence_macos.yar

@@ -0,0 +1,118 @@
+/*
+    macOS Persistence Detection
+    Detects LaunchAgent/LaunchDaemon persistence mechanisms
+    used by malware to survive reboots on macOS.
+
+    GlassWorm Wave 3 Rust implants write LaunchAgent plists
+    to ~/Library/LaunchAgents/ with com.apple.* naming to
+    blend in with legitimate Apple services.
+
+    Target: JavaScript files (no `wide` needed)
+*/
+
+rule SUSP_Mac_LaunchAgent_Feb26 {
+  meta:
+    description = "Detects LaunchAgent plist creation for macOS persistence, used by GlassWorm Rust implants"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/the-glass-is-half-empty"
+
+  strings:
+    // LaunchAgent/LaunchDaemon paths
+    $la_path1 = "LaunchAgents" ascii
+    $la_path2 = "LaunchDaemons" ascii
+    $la_path3 = "Library/LaunchAgents" ascii
+    $la_path4 = "Library/LaunchDaemons" ascii
+
+    // Plist content patterns
+    $plist1 = "ProgramArguments" ascii
+    $plist2 = "RunAtLoad" ascii
+    $plist3 = "KeepAlive" ascii
+    $plist4 = "StartInterval" ascii
+
+    // File write operations
+    $write1 = "writeFile" ascii
+    $write2 = "writeFileSync" ascii
+    $write3 = "createWriteStream" ascii
+
+    // Or plist XML format
+    $xml1 = "<!DOCTYPE plist" ascii
+    $xml2 = "<plist version" ascii
+
+  condition:
+    any of ($la_path*) and
+    (2 of ($plist*) or any of ($xml*)) and
+    any of ($write*)
+}
+
+rule SUSP_Mac_AppleDisguise_Feb26 {
+  meta:
+    description = "Detects use of com.apple.* naming for non-Apple LaunchAgent persistence (masquerading)"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/the-glass-is-half-empty"
+
+  strings:
+    // Apple-disguised plist labels
+    $apple_label = /com\.apple\.[a-zA-Z0-9._-]+\.plist/ ascii
+
+    // LaunchAgent context
+    $la1 = "LaunchAgents" ascii
+    $la2 = "LaunchDaemons" ascii
+
+    // Non-Apple origin evidence (JS/Node context)
+    $js1 = "require(" ascii
+    $js2 = "child_process" ascii
+    $js3 = "execSync(" ascii
+    $js4 = "writeFile" ascii
+
+  condition:
+    $apple_label and
+    any of ($la*) and
+    any of ($js*)
+}
+
+rule SUSP_Mac_LoginItem_Feb26 {
+  meta:
+    description = "Detects programmatic addition of macOS Login Items for persistence"
+    severity    = "medium"
+    score       = 75
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/the-glass-is-half-empty"
+
+  strings:
+    // Login Items manipulation via osascript
+    $login1 = "login item" ascii nocase
+    $login2 = "LoginItems" ascii
+    $login3 = "LSSharedFileList" ascii
+
+    // osascript for AppleScript execution
+    $osa1 = "osascript" ascii
+    $osa2 = "tell application" ascii
+
+    // Open at Login
+    $open1 = "LSRegisterURL" ascii
+    $open2 = "open at login" ascii nocase
+
+    // Code execution context
+    $exec1 = "exec(" ascii
+    $exec2 = "execSync(" ascii
+    $exec3 = "child_process" ascii
+    $exec4 = "spawn(" ascii
+
+    // Exclude TextMate grammar/syntax files
+    // (contain AppleScript keywords as language tokens)
+    $fp_grammar1 = "tmLanguage" ascii
+    $fp_grammar2 = "scopeName" ascii
+    $fp_grammar3 = "repository" ascii
+
+  condition:
+    any of ($login*, $open*) and
+    (any of ($osa*) or any of ($exec*)) and
+    not 2 of ($fp_grammar*)
+}

package/zoo/signatures/yara/rmm_tool_delivery.yar

@@ -0,0 +1,106 @@
+/*
+    RMM/RAT Tool Delivery Detection
+    Detects delivery of Remote Monitoring & Management tools
+    (ScreenConnect, AnyDesk, TeamViewer) via scripted installers.
+
+    Covers the "These Vibes Are Off" campaign pattern where
+    extensions use PowerShell IEX cradles to silently install
+    ScreenConnect for persistent remote access.
+
+    Target: JavaScript files in VS Code extensions (no `wide` needed)
+*/
+
+rule LOADER_RMM_ScreenConnect_Delivery_Feb26 {
+  meta:
+    description = "Detects ScreenConnect (ConnectWise Control) delivery or silent installation patterns in extension code"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/these-vibes-are-off"
+
+  strings:
+    // ScreenConnect / ConnectWise Control identifiers
+    $sc1 = "screenconnect" ascii nocase
+    $sc2 = "ScreenConnect.Client" ascii
+    $sc3 = "ScreenConnect.WindowsClient" ascii
+    $sc4 = "connectwise" ascii nocase
+
+    // ScreenConnect relay/session URLs
+    $relay1 = /instance-[a-z0-9]+-relay\.screenconnect\.com/ ascii
+    $relay2 = /[a-z0-9]{4,30}\.screenconnect\.com/ ascii
+
+    // Script-based delivery context
+    $deliver1 = "child_process" ascii
+    $deliver2 = "exec(" ascii
+    $deliver3 = "execSync(" ascii
+    $deliver4 = "spawn(" ascii
+    $deliver5 = "powershell" ascii nocase
+
+  condition:
+    (any of ($sc*) or any of ($relay*)) and
+    any of ($deliver*)
+}
+
+rule LOADER_RMM_AnyDesk_Delivery_Feb26 {
+  meta:
+    description = "Detects AnyDesk silent installation or deployment patterns in extension code"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/these-vibes-are-off"
+
+  strings:
+    $ad1 = "anydesk" ascii nocase
+    $ad2 = "AnyDesk.exe" ascii
+
+    // AnyDesk silent install flags
+    $install1 = "--install" ascii
+    $install2 = "--silent" ascii
+    $install3 = "--start-with-win" ascii
+
+    // AnyDesk password setting (unattended access)
+    $pwd1 = "--set-password" ascii
+    $pwd2 = "ad.anynet.pwd" ascii
+
+    // Delivery context
+    $deliver1 = "child_process" ascii
+    $deliver2 = "exec(" ascii
+    $deliver3 = "powershell" ascii nocase
+    $deliver4 = "spawn(" ascii
+
+  condition:
+    any of ($ad*) and
+    (any of ($install*) or any of ($pwd*)) and
+    any of ($deliver*)
+}
+
+rule LOADER_RMM_TeamViewer_Delivery_Feb26 {
+  meta:
+    description = "Detects TeamViewer silent installation or deployment patterns in extension code"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2026-02-06"
+    reference   = "https://www.secureannex.com/blog/these-vibes-are-off"
+
+  strings:
+    $tv1 = "teamviewer" ascii nocase
+    $tv2 = "TeamViewer.exe" ascii
+    $tv3 = "TeamViewer_Setup" ascii
+
+    // Silent/unattended install
+    $install1 = "CUSTOMCONFIGID" ascii nocase
+    $install2 = "APITOKEN" ascii nocase
+
+    // Delivery context
+    $deliver1 = "child_process" ascii
+    $deliver2 = "exec(" ascii
+    $deliver3 = "powershell" ascii nocase
+    $deliver4 = "spawn(" ascii
+
+  condition:
+    any of ($tv*) and any of ($install*) and
+    any of ($deliver*)
+}