VS Code Extension Impersonating Zoom Targets Google Chrome Cookies

Jan. 22, 2025, 9:16 a.m.

Description

A malicious Visual Studio Code extension masquerading as a Zoom application was discovered, designed to access and steal Google Chrome cookies. The extension, uploaded to the VS Code Marketplace on November 30 and updated on December 8, impersonates the Zoom Workspace tool to gain users' trust. It contains code targeting Google Chrome cookies, introduced in version 0.2.2. The extension attempts to fetch data from a suspicious endpoint hosted in China and access Chrome's cookie storage and Windows registry data. This incident highlights the ongoing threat of malicious actors exploiting trusted infrastructure to distribute malware through seemingly legitimate channels, revealing vulnerabilities within the VS Code extension ecosystem.

Date

  • Created: Jan. 21, 2025, 10:17 p.m.
  • Published: Jan. 21, 2025, 10:17 p.m.
  • Modified: Jan. 22, 2025, 9:16 a.m.

Indicators

  • 5c89ba9e1bbb7ef869e4553081a40cabbd91a70506d759fd4e97eefb0434c074
  • https://api.storagehb.cn/d?v=1.3
  • api.storagehb.cn

Attack Patterns

  • T1185 – Browser Session Hijacking
  • T1555 – Credentials from Password Stores
  • T1518 – Software Discovery
  • T1102 – Web Service
  • T1204 – User Execution
  • T1053 – Scheduled Task/Job
  • T1566 – Phishing
  • T1059 – Command and Scripting Interpreter

Additional Information

  • China