A fake AI coding assistant was published to a popular extension marketplace and quietly gave hackers remote access to Windows PCs.
AI is widely seen as the answer to our struggles with productivity, and the recent surge in AI tools is exactly what this latest attack traded on. Security researchers recently identified a Visual Studio Code extension called Clawdbot Agent – AI Coding Assistant. To the average user it behaved like a genuine coding helper, even connecting to popular AI services. What users didn’t know was that the extension was a trojan, and that it had no connection to the official Clawdbot project at all.
How Did This Malware Work?
The extension was listed on the Visual Studio Marketplace, the catalogue from which Visual Studio Code users install extensions and tools, so anyone could download it. An extension tells VS Code when it should start up; this one was set to activate every time VS Code launched, so it ran without the user ever opening it or clicking anything. On each start it quietly contacted a remote server controlled by the attackers and, with that connection in place, downloaded further files.
One of those files was ScreenConnect, a genuine remote support tool that IT teams use to help remote workers, and that is precisely what made it so dangerous. Because ScreenConnect is legitimate software, it did not trip antivirus warnings, so the attackers ended up with full remote control of the infected PC through a tool that looked like normal IT administration. For anyone watching a network, the lesson is that a remote support tool nobody in IT installed is itself the warning sign.
To make sure the malware stayed in place, the hackers built in fallbacks. One was an extra program disguised as a Zoom update and hosted on a file-sharing website: if the main command server was unreachable for any reason, the extension fetched the same malicious software from this backup location instead.
The extension was particularly cunning because it really did offer working AI features, so users had every reason to assume it was doing what it promised and nothing malicious was unfolding. Beneath the surface, though, the remote access gave the hackers the ability to record keystrokes, steal files and take complete control of the PC.
Staying Safe from Similar Threats
You may not be a developer who uses Visual Studio Code, but you have probably installed extensions of some kind, for example browser extensions that make life online easier and quicker. That means you could just as easily fall victim to similar malware, so take these precautions:
- Check the publisher: Always make sure you’re downloading an extension from a trusted and verified source, ideally a publisher with a proven record of building extensions. On the Visual Studio Marketplace, look at the publisher name, the install count and whether the publisher is marked as verified. A publisher with a single extension and few, if any, reviews is an immediate red flag.
- Review permissions carefully: Browser extensions list the permissions they want when you install them, so an extension that asks for broad access to your system, or wants to run at startup, is an early warning sign. Be aware that VS Code extensions have no permission prompt at all: they run with the same access you have the moment they are installed, which is why the publisher check matters even more there. Always take a second to ask whether an app or extension really needs the access it’s after.
- Always update: Keeping your applications patched closes the holes malware can exploit once it’s on your PC, but note that this extension didn’t need a vulnerability at all, it simply ran with your privileges. So keep everything up to date, remove any extension you no longer recognise or use, and treat a remote support tool such as ScreenConnect appearing on a PC when neither you nor your IT team installed it as a sign something is wrong.
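The two things the article describes, an extension that activates on every VS Code launch and a publisher nobody has vetted, can both be read straight out of each installed extension’s manifest. The script below is an added example for this article, not code from the original page or from any of the projects it names. It assumes the default extensions folder (`~/.vscode/extensions`, which is `%USERPROFILE%\.vscode\extensions` on Windows), and the trusted-publisher list is a placeholder you replace with the publishers you actually trust; the sample manifests it audits when run stand-alone are constructed, not real marketplace data.

```python
"""Audit installed VS Code extensions: which ones activate on every launch,
and which come from publishers you have not vetted.

Added example, not code from the article or from any project it names.
Assumes the default extensions folder; TRUSTED_PUBLISHERS is a placeholder.
"""
import json
import tempfile
from pathlib import Path

# Activation events that load an extension as soon as VS Code starts, with no
# user action. An extension declaring one of these runs on every launch.
STARTUP_EVENTS = {"*", "onStartupFinished"}

# Placeholder allowlist (assumption): replace with the publishers you trust.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode"}


def audit_manifest(manifest: dict, trusted: set) -> list:
    """Return warnings for one extension manifest (its package.json)."""
    publisher = manifest.get("publisher", "")
    ext_id = f"{publisher or '?'}.{manifest.get('name', '?')}"
    warnings = []
    if publisher not in trusted:
        warnings.append(f"{ext_id}: publisher '{publisher}' is not on your trusted list")
    startup = set(manifest.get("activationEvents", [])) & STARTUP_EVENTS
    if startup:
        warnings.append(f"{ext_id}: activates on startup ({', '.join(sorted(startup))})")
    return warnings


def audit_extensions_dir(ext_dir: Path, trusted: set) -> list:
    """Walk <ext_dir>/*/package.json and collect warnings for every extension."""
    findings = []
    for manifest_path in sorted(ext_dir.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append(f"{manifest_path.parent.name}: unreadable manifest ({exc})")
            continue
        findings.extend(audit_manifest(manifest, trusted))
    return findings


# Constructed sample manifests (not real marketplace data) so the script runs
# offline: one well-behaved extension and one shaped like the article's case.
SAMPLE_MANIFESTS = {
    "ms-python.python-2024.1.0": {
        "name": "python", "publisher": "ms-python",
        "activationEvents": ["onLanguage:python"],
    },
    "unknown-dev.ai-coding-assistant-0.0.1": {
        "name": "ai-coding-assistant", "publisher": "unknown-dev",
        "activationEvents": ["*"],
    },
}


def demo() -> list:
    """Write the sample manifests to a temporary folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder, manifest in SAMPLE_MANIFESTS.items():
            (root / folder).mkdir()
            (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(root, TRUSTED_PUBLISHERS)


if __name__ == "__main__":
    for line in demo():
        print("[sample]", line)
    real_dir = Path.home() / ".vscode" / "extensions"  # default location on Windows, macOS and Linux
    if real_dir.is_dir():
        for line in audit_extensions_dir(real_dir, TRUSTED_PUBLISHERS):
            print("[installed]", line)
```

Run it and every installed extension that starts with VS Code, or that comes from a publisher you haven’t listed, is printed with its publisher.name identifier so you can look it up on the Marketplace before deciding whether to keep it. A startup activation is not malicious on its own (plenty of honest extensions use it), but combined with an unknown publisher it is exactly the pattern this article describes.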
For more ways to secure and optimize your business technology, contact your local IT professionals.