Hackers Turned Visual Studio Code into a Remote Access Tool

Visual Studio, a robust integrated development environment (IDE) developed by Microsoft, is widely used for building applications on the .NET framework. It supports multiple programming languages, including C#, VB.NET, and C++.

Recently, Cyble Research and Intelligence Labs discovered that hackers have repurposed Visual Studio Code to create a remote access tool (RAT), turning this powerful development platform into a means of launching cyberattacks.


Visual Studio Code as a Remote Access Tool

Researchers have uncovered a sophisticated cyberattack campaign that begins with a malicious “.LNK” file, likely distributed through spam emails. Upon execution, the file displays a fake “Installation Successful” message in Chinese while secretly downloading a Python package (*python-3.12.5-embed-amd64.zip*). This creates a directory at *%LOCALAPPDATA%\Microsoft\Python* and runs an obfuscated Python script (*update.py*) retrieved from *paste[.]ee*, which initially went undetected by VirusTotal.

To establish persistence, the malware creates a scheduled task named *MicrosoftHealthcareMonitorNode*, which runs every four hours or at system logon with SYSTEM privileges. If Visual Studio Code (VSCode) is not installed on the machine, the malware downloads the VSCode CLI from Microsoft’s servers (*az764295.vo.msecnd[.]net*) and uses it to create a remote tunnel, generating an 8-character alphanumeric activation code that facilitates unauthorized remote access.

The malware then gathers extensive system information from critical directories (such as *C:\Program Files*, *C:\Program Files (x86)*, *C:\ProgramData*, and *C:\Users*), running processes, system language settings, geographical location, computer name and username, domain, and privilege levels. The collected data is encoded in Base64 and exfiltrated to a command-and-control (C&C) server at *requestrepo[.]com/r/2yxp98b3*, using techniques similar to those employed by the Chinese APT group “Stately Taurus.”

Once the data has been received, the attackers abuse GitHub’s device authentication flow by navigating to *hxxps://github[.]com/login/device* and entering the stolen activation codes to establish a VSCode tunnel connection. This connection gives the attackers full access to the victim’s files, directories, and command-line interface. Through this compromised tunnel, they can deploy powerful hacking tools like:

– **Mimikatz** for credential harvesting

– **LaZagne** for password recovery

– **In-Swor** for system reconnaissance

– **Tscan** for network scanning

This unauthorized access allows the attackers to manipulate system files, extract sensitive data, modify configurations, and deploy additional malware payloads. The attack highlights how legitimate development tools like VSCode can be weaponized through social engineering and technical exploitation.

Recommendations

Here are the key recommendations:

– Implement advanced endpoint protection.

– Regularly audit scheduled tasks.

– Train users to recognize suspicious files and links.

– Restrict software installation and use application whitelisting.

– Monitor for unusual activity and regularly review system logs.
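The scheduled-task audit and activity monitoring recommended above can be turned into a small triage script. The following Python is an added example, not code from the article or from Cyble; it matches the indicators the article names (the task name, the `%LOCALAPPDATA%\Microsoft\Python` drop directory, the download and C&C hosts, and a VSCode CLI `tunnel` launch) against `schtasks /query /fo csv` output and simplified process/network records. The sample telemetry and file paths are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Indicators from the campaign described above, written undefanged so matching works.
SUSPICIOUS_TASK = "MicrosoftHealthcareMonitorNode"
SUSPICIOUS_HOSTS = {"paste.ee", "az764295.vo.msecnd.net", "requestrepo.com"}
PYTHON_DROP_DIR = re.compile(r"\\AppData\\Local\\Microsoft\\Python\\", re.I)
VSCODE_TUNNEL = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.I)

@dataclass
class Finding:
    rule: str
    evidence: str

def triage_task_csv(schtasks_csv: str) -> list[Finding]:
    """Scan `schtasks /query /fo csv` output for the persistence task name."""
    return [Finding("persistence_task", line.strip())
            for line in schtasks_csv.splitlines()
            if SUSPICIOUS_TASK.lower() in line.lower()]

def triage_process_events(events: list[dict]) -> list[Finding]:
    """Flag records matching the chain described above. Each event is a dict
    with 'image', 'cmdline' and optional 'dest_host' (simplified Sysmon-style)."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if PYTHON_DROP_DIR.search(ev.get("image", "")):
            findings.append(Finding("exec_from_python_drop_dir", cmd))
        host = ev.get("dest_host", "").lower()
        if host in SUSPICIOUS_HOSTS:
            findings.append(Finding("network_to_known_host", host))
        if VSCODE_TUNNEL.search(cmd):
            # Tunnels are legitimate for developers: a review item, not a verdict.
            findings.append(Finding("vscode_tunnel_started", cmd))
    return findings

# Constructed sample input (not real telemetry); the binary locations are assumed.
SAMPLE_TASKS = (
    '"TaskName","Next Run Time","Status"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
    '"\\MicrosoftHealthcareMonitorNode","9/10/2024 4:00:00 PM","Ready"\n'
)
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Microsoft\Python\python.exe",
     "cmdline": "python.exe update.py", "dest_host": "paste.ee"},
    {"image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
```

Both functions return `Finding` records rather than printing, so they can be fed from a real `schtasks` export or an EDR query and the `vscode_tunnel_started` hits reviewed against the list of developers who are expected to use tunnels.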
