Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

Oct. 1, 2024, 8:22 p.m.

Description

A sophisticated attack has been uncovered that abuses Visual Studio Code's remote tunnel feature to gain unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup file, which downloads a Python package and executes a malicious script. This script establishes persistence through a scheduled task and uses VS Code to create a remote tunnel, giving the attacker unauthorized access to the victim's machine. The attacker can then interact with the system, access files, and perform additional malicious activities. This method mirrors tactics used by the Chinese APT group Stately Taurus in cyber espionage campaigns. The attack demonstrates the growing sophistication of threat actors in using legitimate tools to bypass detection measures.

Date

Published: Oct. 1, 2024, 7:30 p.m.
Created: Oct. 1, 2024, 7:30 p.m.
Modified: Oct. 1, 2024, 8:22 p.m.

Indicators

c7f07bdfb91653f53782885a3685436e2e965e1c5f4863c03f5a9825c0364489

281766109f2375a01bad80478fd18841eccaefc1ee9277179cc7ff075d1beae2

c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647

http://requestrepo.com/r/2yxp98b3

Attack Patterns

Stately Taurus

T1059.006

T1053.005

T1071.001

T1036.005

T1082

T1057

CVE-2017-11882

CVE-2024-21893

CVE-2024-21887

CVE-2023-46805

CVE-2021-44228

Additional Information

China