Prettier Pro on open-vsx | Image: KOI Security
The resilient “GlassWorm” threat actor, known for embedding malicious code into Visual Studio Code extensions, has returned with a sophisticated fourth wave of attacks. A new report from KOI Security reveals that the group has abandoned their Windows-focused tactics for a targeted assault on macOS developers, deploying encrypted payloads designed to compromise not just software wallets, but trusted hardware devices like Ledger and Trezor.
This latest campaign, which has already racked up 50,000 downloads, marks a dangerous escalation in the group’s capabilities and adaptability.
GlassWorm’s shift in strategy is stark. “Every previous GlassWorm wave targeted Windows exclusively. Wave 4 targets macOS exclusively,” the report states.
“Developers use Macs. Especially in crypto, web3, and startup environments – exactly the victims GlassWorm wants to compromise”.
The new payload is purpose-built for Apple’s ecosystem, utilizing AppleScript for stealth execution and LaunchAgents for persistence, rather than the Windows Registry keys used in previous campaigns.
To bypass security scanners, the attackers have innovated their delivery mechanism. Instead of the invisible Unicode characters or Rust binaries seen in waves 1-3, Wave 4 uses AES-256-CBC encrypted payloads embedded directly into compiled JavaScript.
Crucially, the malware includes a time-delay fuse. “The sandbox sees a clean extension. It gets approved. And 15 minutes after a developer installs it, the real payload drops”.
This 15-minute delay (900,000 milliseconds) ensures that automated analysis environments, which typically time out after 5 minutes, never see the malicious activity occur.
Perhaps the most alarming development is the introduction of code specifically designed to replace legitimate hardware wallet software with trojanized versions.
“Previous GlassWorm waves stole credentials and installed backdoors. Wave 4 does all that plus it attempts to replace your hardware wallet applications with trojanized versions”.
The malware checks for installed applications like Ledger Live and Trezor Suite. If found, it “downloads a trojanized replacement, removes the legitimate app, and installs the malicious version in its place”. While the Command and Control (C2) servers for this specific payload were returning empty files at the time of analysis, the capability is fully built and “just waiting for payloads to be uploaded”.
The report underscores the group’s ability to learn and adapt. “This is an active, adaptive threat actor who reads security research and evolves their tooling in response,” KOI Security warns.
The infrastructure links the campaign definitively to previous attacks. “When we traced the infrastructure, a familiar IP confirmed our suspicion: 45.32.151.157, the same C2 server from GlassWorm’s third wave”.
Users of VS Code extensions, particularly those on macOS, are urged to audit their installed extensions and remain vigilant against this evolving threat.