CyberSecurity SEE

Cyberattack Uncovered by Cyble Using VSCode for Remote Access

Researchers at Cyble Research and Intelligence Lab (CRIL) recently uncovered a sophisticated cyber attack campaign that utilizes a suspicious .LNK file and leverages Visual Studio Code (VSCode) to establish persistence and remote access. This campaign also includes the installation of the VSCode command line interface (CLI) in cases where VSCode is not already present on the victim’s machine.

According to the findings of the researchers, this attack campaign bears similarities to tactics previously associated with the Stately Taurus Chinese Advanced Persistent Threat (APT) group. Additionally, Chinese language elements were identified within the campaign, hinting at potential origins.

The initial attack vector in this campaign is a .LNK file, which is likely delivered through spam emails. This file triggers the download of a Python distribution package that executes an obfuscated Python script retrieved from a paste site. At the time the research was published, this script had zero detections on VirusTotal, meaning traditional signature-based security tools would struggle to detect it.

The Python script ensures persistence by creating a scheduled task with system privileges and high priority. It then checks for the presence of VSCode on the victim’s machine and downloads the standalone VSCode CLI if it is not found. Subsequently, a remote tunnel is established using VSCode, enabling unauthorized remote access to the compromised system.

The .LNK file used in this attack disguises itself as an installer and displays a fake installation message in Chinese while silently downloading additional components, including a Python distribution package named ‘python-3.12.5-embed-amd64.zip’. The file creates a specific directory, extracts the contents of the zip archive, and downloads a malicious script from a paste.ee site, executing it in the background without displaying a console window.

If VSCode is not already installed on the system, the script downloads the VSCode CLI from a Microsoft source and ensures its execution for both non-admin and admin users, granting the attacker substantial control over the compromised system.

For persistence, a scheduled task named “MicrosoftHealthcareMonitorNode” is created to run the malicious script every four hours for non-admin users and at logon for admin users with elevated privileges. The script also ensures that a fresh remote tunnel can be established by checking for the running status of “code.exe”.

The researchers at Cyble emphasized the sophistication of this campaign and highlighted the need for advanced endpoint security solutions, regular review of scheduled tasks, limitations on user software installation permissions, and the deployment of advanced monitoring tools to detect unusual network activities and unauthorized access attempts.
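As an added example that is not part of the article or the Cyble report, the following PowerShell hunt implements the scheduled-task review the researchers recommend: it flags any task carrying the reported name “MicrosoftHealthcareMonitorNode” or whose action launches code.exe with the VSCode CLI’s tunnel subcommand, and lists any running code.exe whose command line contains “tunnel”. The task name and process name come from the article; matching on the word “tunnel” is an assumption about how a VSCode remote tunnel appears on a command line, and the script assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the article or the Cyble report): hunt for the
# VSCode-tunnel persistence artifacts described above on a Windows host.
# Assumptions: elevated PowerShell 5.1+; the 'tunnel' match reflects the
# VSCode CLI's tunnel subcommand, which the article does not quote directly.

$suspiciousTaskName = 'MicrosoftHealthcareMonitorNode'
$findings = @()

# 1. Scheduled tasks: match the reported task name, or any task whose action
#    launches code.exe (or the standalone CLI) with the tunnel subcommand.
foreach ($task in Get-ScheduledTask) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($task.TaskName -eq $suspiciousTaskName -or $actions -match 'code(\.exe)?"?\s+tunnel') {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        $findings += [pscustomobject]@{
            Type     = 'ScheduledTask'
            Name     = $task.TaskPath + $task.TaskName
            RunAs    = $task.Principal.UserId
            RunLevel = $task.Principal.RunLevel   # 'Highest' indicates elevated run
            Action   = $actions
            LastRun  = $info.LastRunTime
        }
    }
}

# 2. Live processes: code.exe whose command line contains 'tunnel', which is
#    what an active VSCode remote tunnel would look like.
Get-CimInstance Win32_Process -Filter "Name = 'code.exe'" | ForEach-Object {
    if ($_.CommandLine -match '\btunnel\b') {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $findings += [pscustomobject]@{
            Type     = 'Process'
            Name     = "$($_.Name) (PID $($_.ProcessId))"
            RunAs    = "$($owner.Domain)\$($owner.User)"
            RunLevel = ''
            Action   = $_.CommandLine
            LastRun  = $_.CreationDate
        }
    }
}

if ($findings.Count -eq 0) {
    'No VSCode tunnel persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any hit should be correlated with the four-hour and at-logon triggers the article describes and with outbound connections from that process before it is treated as confirmed; a legitimate developer tunnel will show the same process signature but not the spoofed task name.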

In conclusion, the recent discovery of this cyber attack campaign underscores the evolving tactics of threat actors in utilizing legitimate tools for malicious purposes and serves as a reminder for organizations to stay vigilant and proactive in their cybersecurity measures.
