VTA-004496 – Weaponizing Visual Studio Code for Remote Access in Sophisticated Cyber Attacks
Researchers have uncovered a clever cyber attack that starts with a malicious “.LNK” file sent through spam emails. This file downloads a hidden Python package and sets up a scheduled task with SYSTEM-level privileges.
If Visual Studio Code (VSCode) isn’t already installed, the malware grabs its CLI and creates a remote tunnel, giving attackers unauthorized access through an activation code. The malware gathers system data and sends it to a command-and-control server. The attackers then use the stolen activation codes with GitHub’s authentication system, gaining full control over the victim’s machine.
This attack shows how legitimate tools like VSCode can be misused for harmful purposes.
Severity:
Medium
Attack Surface:
Endpoint OS
Tactics:
Collection, Command and Control, Execution, Initial Access, Persistence
References:
1. https://cybersecuritynews.com/hackers-visual-studio-code-remote-access/
SuperPRO’s Threat Countermeasures Procedures:
1. Use comprehensive security software with real-time threat detection to block malicious files and scripts before they execute on the system.
2. Limit SYSTEM and admin-level access on endpoints. Ensure that tasks requiring elevated privileges are tightly controlled and monitored.
3. Conduct regular cybersecurity awareness training to help users identify suspicious emails, links, and attachments like malicious .LNK files.
4. Monitor and audit scheduled tasks on systems to detect unauthorized or unusual tasks that could be a sign of malware persistence.
5. Restrict the execution of unauthorized software, scripts, or development tools like VSCode unless explicitly approved for use within the organization.
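As an added illustration of countermeasure 4 (example code written for this page, not part of the advisory or its reference), the PowerShell below audits a Windows host for the persistence pattern described above: a scheduled task running as SYSTEM whose action launches a Python interpreter or the VSCode CLI, plus any live process running a VSCode tunnel. The command patterns and the SYSTEM identifiers it matches are assumptions; run it from an elevated prompt so every task is visible.

```powershell
# Added example (not from the advisory): audit scheduled tasks and live processes
# for a SYSTEM-level task that launches Python or the VSCode CLI, and for any
# process already running "code ... tunnel". Assumes the built-in ScheduledTasks
# module on a Windows host.
$SystemIds = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')   # assumed spellings of the SYSTEM principal

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $runsAsSystem = $SystemIds -contains $task.Principal.UserId
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)"
            $launchesPython     = $cmd -match '(?i)\bpythonw?(\.exe)?\b'
            $launchesCodeTunnel = $cmd -match '(?i)\bcode(\.exe|\.cmd)?\b.*\btunnel\b'
            if ($runsAsSystem -and ($launchesPython -or $launchesCodeTunnel)) {
                $reason = if ($launchesCodeTunnel) { 'VSCode tunnel as SYSTEM' } else { 'Python as SYSTEM' }
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunsAs   = $task.Principal.UserId
                    Command  = $cmd
                    Reason   = $reason
                }
            }
        }
    }
}

function Get-ActiveCodeTunnelProcesses {
    # Win32_Process.CommandLine holds the full command line, so a tunnel started
    # outside the task scheduler (e.g. by the initial .LNK payload) is caught too.
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match '(?i)\bcode(\.exe)?\b.*\btunnel\b' } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

$findings = @(Get-SuspiciousScheduledTasks)
$tunnels  = @(Get-ActiveCodeTunnelProcesses)
Write-Host "Suspicious SYSTEM-level tasks: $($findings.Count)"
$findings | Format-Table -AutoSize
Write-Host "Processes running a VSCode tunnel: $($tunnels.Count)"
$tunnels | Format-Table -AutoSize
```

Any hit should be checked against the organization's approved-software list before the task is removed, since an approved VSCode deployment could legitimately register a task.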
Contributed by: Haziq