Cyble Uncovers Cyberattack Utilizing VSCode for Remote Access

Sophisticated VSCode Campaign Uncovered by Cyble Researchers

Cyble Research and Intelligence Lab (CRIL) researchers have uncovered a sophisticated cyberattack campaign that utilizes a suspicious .LNK file and Visual Studio Code (VSCode) to establish remote access and persistence on victim machines. The attack method bears similarities to tactics previously used by the Stately Taurus Chinese APT group, with Chinese language elements also present in the campaign.

The initial attack vector is a potentially spam-delivered .LNK file that downloads a Python distribution package to execute an obfuscated Python script from a paste site. The script establishes persistence by creating a scheduled task with system privileges, checks for VSCode installation, and downloads the VSCode CLI if necessary. It then creates a remote tunnel using VSCode, enabling unauthorized remote access to the victim’s machine.

The .LNK file masquerades as an installer, displaying a fake installation message in Chinese while silently downloading additional components, including a Python distribution package. The script checks for VSCode installation and downloads the VSCode CLI if needed, ensuring persistence through a scheduled task that runs every four hours for non-admin users and at logon for admin users.

Cyble researchers emphasize the sophistication of threat actors in leveraging legitimate tools like VSCode to bypass detection measures and establish unauthorized access. They recommend advanced endpoint security solutions, regular review of scheduled tasks, limiting user software installation permissions, and deploying monitoring tools to detect unusual network traffic and unauthorized access attempts.
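The scheduled-task review and network monitoring recommended above can be turned into a small hunt. The following is an added example, not Cyble's code or part of the original report: it reads scheduled-task records in the column layout of `schtasks /query /fo CSV /v` and a simple DNS query log, both constructed here as sample input, and flags tasks that launch the VSCode CLI `tunnel` command or a Python interpreter from a user-writable directory, plus hosts resolving VSCode tunnel endpoints. The user-writable path list is a heuristic, and the tunnel domain suffixes are an assumption to verify against Microsoft's current documentation.

```python
"""Hunt for VSCode-tunnel persistence indicators in scheduled tasks and DNS logs.

Added example; not from the Cyble report. Input shapes are constructed to
mimic `schtasks /query /fo CSV /v` output and a "<ts> <host> <queried-name>"
DNS log. Path heuristics and tunnel domain suffixes are assumptions.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample in the column layout of `schtasks /query /fo CSV /v`
# (only the columns the checks need are included).
SAMPLE_TASKS_CSV = r'''"TaskName","Run As User","Task To Run","Schedule Type","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","SYSTEM","%windir%\system32\defrag.exe -c -h -o -$","Weekly","N/A"
"\OneDrive Standalone Update Task","DESKTOP\alice","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","N/A"
"\Update","SYSTEM","C:\Users\Public\python\python.exe C:\Users\Public\upd.py","Daily","4 Hour(s)"
"\CodeSync","DESKTOP\alice","C:\Users\alice\AppData\Local\code\code.exe tunnel","At logon","N/A"
'''

# Constructed DNS query log: timestamp, host, queried name.
SAMPLE_DNS_LOG = """2024-01-01T10:02:11Z host01 global.rel.tunnels.api.visualstudio.com
2024-01-01T10:02:12Z host01 update.code.visualstudio.com
2024-01-01T10:03:40Z host01 abc123.euw.devtunnels.ms
2024-01-01T10:04:05Z host02 login.microsoftonline.com
"""

# `code tunnel` is the VSCode CLI command that opens a remote tunnel.
TUNNEL_CMD = re.compile(r'\bcode(?:-tunnel)?(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)
PYTHON_CMD = re.compile(r'\bpython\w*\.exe', re.IGNORECASE)
# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Users\\Public|Downloads)\\', re.IGNORECASE)
# ASSUMPTION: suffixes used by VSCode remote tunnels; verify before deploying.
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")


@dataclass
class Finding:
    task: str
    run_as: str
    severity: str
    reasons: list = field(default_factory=list)


def assess_task(row):
    """Return a Finding for one schtasks CSV row, or None if nothing matched."""
    cmd = row["Task To Run"]
    run_as = row["Run As User"]
    reasons = []
    if TUNNEL_CMD.search(cmd):
        reasons.append("vscode-cli-tunnel")
    if PYTHON_CMD.search(cmd) and USER_WRITABLE.search(cmd):
        reasons.append("python-from-user-writable-path")
    if not reasons:
        return None
    is_system = run_as.upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
    if is_system:
        reasons.append("runs-as-system")
    # A scheduled tunnel is high on its own; a user-writable interpreter
    # becomes high once it runs with SYSTEM privileges.
    severity = "high" if "vscode-cli-tunnel" in reasons or is_system else "medium"
    return Finding(row["TaskName"], run_as, severity, reasons)


def scan_tasks(csv_text):
    """Parse schtasks CSV output and return all findings in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [f for f in (assess_task(row) for row in reader) if f]


def tunnel_dns_hits(log_text):
    """Return (host, name) pairs for queries that match tunnel endpoint suffixes."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the hunt
        _ts, host, qname = parts[:3]
        if qname.lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
            hits.append((host, qname))
    return hits


if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS_CSV):
        print(f"[{f.severity}] {f.task} as {f.run_as}: {', '.join(f.reasons)}")
    for host, qname in tunnel_dns_hits(SAMPLE_DNS_LOG):
        print(f"[dns] {host} resolved tunnel endpoint {qname}")
```

On a real host, feed `scan_tasks` the output of `schtasks /query /fo CSV /v` and `tunnel_dns_hits` an export from your DNS logging; a `high` finding on a task that was never deployed by IT is the point at which to pull the task XML and the referenced script for triage.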

This campaign highlights the importance of staying vigilant against evolving cyber threats and implementing robust security measures to protect against sophisticated attacks.