Visual Studio Code is used as a backdoor and for Command and Control (C2) communication. I have always found the ways attackers implement C2 communication fascinating, and this is a good example. Apparently you can use Visual Studio Code Remote Tunneling, a VS Code extension, to access your dev environment remotely through a browser. You will see the VS Code instance that you tunnel in the browser, but everything is done and executed on the target machine. In this case the attacker ran code.exe with the 'tunnel' parameter. Since the whole infrastructure is legit and the executables are signed by MS, this is a pretty good Living-off-the-Land technique. So let your developer friends know if they use VS Code. If you want to hunt for this, you can look for code.exe with the 'tunnel' parameter. The whole write-up is in the comments. #vscode #c2 #threatintel #infosec #backdoor
Security Researcher @ Fortinet | Threat Intel | Malware Analysis | Offensive Security | Follow Me
https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/
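The hunting tip in the post (look for code.exe launched with the 'tunnel' parameter) can be turned into a small process-creation filter. The example below is added here and is not code from the post or from the SentinelOne write-up; it assumes a generic event shape with `image` and `cmdline` fields (the field names are an assumption, and the sample events are constructed, not real telemetry). It tokenizes the command line so that a path merely containing the word "tunnel" is not a false positive; only a standalone `tunnel` argument to code.exe matches.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field names "host", "image" and "cmdline" are an assumption; map them to
# whatever your EDR or Sysmon pipeline actually emits.
SAMPLE_EVENTS = [
    {   # the pattern from the post: code.exe started with the 'tunnel' argument
        "host": "dev-ws01",
        "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe",
        "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe" tunnel',
    },
    {   # benign: a project folder whose path contains the word "tunnel"
        "host": "dev-ws02",
        "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\code.exe",
        "cmdline": r'"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\code.exe" C:\projects\tunnel-proxy',
    },
    {   # benign: ordinary version check
        "host": "dev-ws03",
        "image": r"C:\Program Files\Microsoft VS Code\code.exe",
        "cmdline": r'"C:\Program Files\Microsoft VS Code\code.exe" --version',
    },
    {   # unrelated process that happens to pass the word "tunnel"
        "host": "dev-ws04",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe tunnel-notes.txt",
    },
]

# A token is either a double-quoted string (paths with spaces) or a run of
# non-whitespace characters.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows-style command line into arguments, dropping the quotes."""
    return [tok.strip('"') for tok in _TOKEN_RE.findall(cmdline)]


def is_vscode_tunnel(event: dict) -> bool:
    """True if the event is code.exe (or 'code') invoked with a bare 'tunnel' argument."""
    image = event.get("image", "")
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename not in ("code.exe", "code"):
        return False
    # Skip the first token (the executable itself) and compare whole arguments,
    # so "C:\projects\tunnel-proxy" does not match but "tunnel" does.
    args = tokenize(event.get("cmdline", ""))[1:]
    return any(arg.lower() == "tunnel" for arg in args)


def find_vscode_tunnels(events: list[dict]) -> list[dict]:
    """Return the subset of events that look like a VS Code Remote Tunnel launch."""
    return [e for e in events if is_vscode_tunnel(e)]


if __name__ == "__main__":
    for hit in find_vscode_tunnels(SAMPLE_EVENTS):
        print(f"[tunnel] host={hit['host']} cmdline={hit['cmdline']}")
```

In a real hunt this filter is a first pass: a tunnel launched by a developer who set it up deliberately looks identical to one started by an intruder, so the hits still need to be tied back to who started the process, from what parent, and whether that host is expected to expose a remote dev environment at all.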