Hackers weaponizing VSCode for remote access


Attackers are tricking developers into launching malicious LNK files, which turn Visual Studio Code, a popular code editor, into a remote access tool.

Researchers at Cyble Research and Intelligence Labs have uncovered a sophisticated exploitation of legitimate software development tools such as Visual Studio Code (VSCode) and GitHub.

The campaign relies on social engineering, luring victims to execute an LNK (Windows shortcut) file delivered through spam or phishing emails. The file resembles an MSI installer icon and tries to deceive users into executing it.


Once executed, the shortcut downloads and runs an obfuscated Python script, which establishes persistence by creating a scheduled task that runs with system privileges and high priority. The script then checks whether VSCode is installed on the victim’s machine.

Even if the application is not present, the malicious script downloads its command-line interface (VSCode CLI) from a legitimate source and creates a remote tunnel, which the threat actor can use for remote access to the victim’s machine.

“This enables the threat actor to interact with the system, access files, and perform additional malicious activities,” Cyble researchers warn in a report.

Researchers observed attackers gathering the victim’s system running processes and other information by collecting the names of folders from several directories, including “Program Files,” “ProgramData,” and “Users.”

Attackers can also obtain sensitive data, including location, computer name, username, user domain, system language settings, and details about user privileges.

[Figure: attack chain of the VSCode campaign]

Next, they move to a GitHub account, where they can enter an exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine. This allows them to view and manipulate files.

“This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal. With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data,” the report reads.


By utilizing seemingly harmless LNK files and obfuscated Python scripts that have no detections on VirusTotal, attackers can bypass security measures.

“This campaign demonstrates the growing sophistication of threat actors in leveraging legitimate tools like VSCode to establish unauthorized access to victim systems.”

Therefore, Cyble recommends using advanced endpoint protection solutions that include behavioral analysis and machine learning capabilities.

“Review scheduled tasks on all systems regularly to identify unauthorized or unusual entries. This can help detect persistence mechanisms established by threat actors,” the researchers advise.
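The scheduled-task review the researchers recommend can be scripted. The PowerShell below is an added example written for this article, not code from Cyble's report; it assumes a Windows host with the built-in ScheduledTasks module (Get-ScheduledTask), and the indicator strings it matches on (Python interpreters, the VSCode binary, the VSCode CLI "code tunnel" command, common download helpers) are generic starting points to tune for your environment.

```powershell
# Added example (not from the Cyble report). Lists scheduled tasks that match the
# persistence pattern described in the article: created to run as SYSTEM with a
# high priority, and whose action launches Python, VSCode or a download helper.
# Assumes the built-in ScheduledTasks module; indicator patterns are illustrative.

$SuspiciousPatterns = @(
    'python',             # obfuscated Python loader
    'code\.exe',          # VSCode editor binary
    'code\s+tunnel',      # VSCode CLI remote tunnel command
    'Invoke-WebRequest',  # generic download helpers used by loaders
    'DownloadString',
    'DownloadFile',
    'bitsadmin',
    'certutil'
)

function Test-SuspiciousTask {
    param([Parameter(Mandatory)] $Task)
    $reasons = @()

    # Privilege indicators: the report says the task is created with system privileges.
    $uid = $Task.Principal.UserId
    if ($uid -and $uid -match '^(SYSTEM|S-1-5-18|NT AUTHORITY\\SYSTEM)$') { $reasons += 'runs as SYSTEM' }
    if ("$($Task.Principal.RunLevel)" -eq 'Highest') { $reasons += 'highest run level' }

    # Task Scheduler priority: 0 is highest, 10 lowest, 7 is the default for new tasks.
    $prio = $Task.Settings.Priority
    if ($null -ne $prio -and $prio -le 4) { $reasons += "elevated priority ($prio)" }

    # Action indicators: what the task actually executes.
    foreach ($action in $Task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($pattern in $SuspiciousPatterns) {
            if ($cmd -match $pattern) { $reasons += "action matches '$pattern'"; break }
        }
    }

    # Tasks outside the Microsoft-managed tree deserve a closer look.
    if ($Task.TaskPath -notlike '\Microsoft\*') { $reasons += 'non-Microsoft task path' }
    return $reasons
}

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task    = $_
        $reasons = Test-SuspiciousTask -Task $task
        $hasActionHit = ($reasons -match '^action matches').Count -gt 0
        $hasPrivHit   = ($reasons -match 'SYSTEM|run level|priority').Count -gt 0

        # Report a task when its action looks like a loader, or when it combines
        # SYSTEM privileges with an elevated priority and sits outside the Microsoft tree.
        if ($hasActionHit -or ($hasPrivHit -and $reasons -contains 'non-Microsoft task path')) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                User        = $task.Principal.UserId
                Priority    = $task.Settings.Priority
                Command     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                LastRunTime = $info.LastRunTime
                Reasons     = ($reasons -join ', ')
            }
        }
    }
}

# Usage: run in an elevated PowerShell session so that SYSTEM tasks are visible.
Get-SuspiciousScheduledTask | Format-List
```

Treat hits as leads rather than verdicts: developers legitimately use VSCode remote tunnels, so a "code tunnel" match on a workstation should be confirmed with the user and with the task's creation event (Security log event ID 4698, task creation, when object-access auditing is enabled) before it is removed.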

Other recommendations include educating users about the risks associated with LNK and other suspicious files, limiting users’ permissions to install software, and deploying advanced monitoring tools.