Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

Oct. 1, 2024, 8:22 p.m.

Description

A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence through a scheduled task and leverages VSCode to create a remote tunnel, allowing the attacker unauthorized access to the victim's machine. The attacker can then interact with the system, access files, and perform additional malicious activities. This method mirrors tactics used by the Chinese APT group Stately Taurus in cyber espionage campaigns. The attack demonstrates the growing sophistication of threat actors in using legitimate tools to bypass detection measures.

External References

https://cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/
https://otx.alienvault.com/pulse/66fc4dc786e2c423e5ff8e70
Tags
apt
python
cyber espionage
lnk file
github
2024-10-01
remote tunnel
unauthorized access
vs code
scheduled task

Date

  • Created: Oct. 1, 2024, 7:30 p.m.
  • Published: Oct. 1, 2024, 7:30 p.m.
  • Modified: Oct. 1, 2024, 8:22 p.m.

Indicators

  • c7f07bdfb91653f53782885a3685436e2e965e1c5f4863c03f5a9825c0364489
  • 281766109f2375a01bad80478fd18841eccaefc1ee9277179cc7ff075d1beae2
  • c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
  • a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
  • 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
  • http://requestrepo.com/r/2yxp98b3
  • requestrepo.com
Download all indicators here!

Attack Patterns

  • Stately Taurus
  • T1059.006
  • T1053.005
  • T1071.001
  • T1036.005
  • T1082
  • T1057
  • CVE-2017-11882
  • CVE-2024-21893
  • CVE-2024-21887
  • CVE-2023-46805
  • CVE-2021-44228

Additional Informations

  • China