In a new wave of cyberattacks, hackers are using Microsoft’s Visual Studio Code (VSCode) as a remote access tool to gain unauthorized entry into computers, according to Cyble Research and Intelligence Labs. Visual Studio, a popular integrated development environment (IDE) for app development on the .NET framework, supports languages like C#, VB.NET, and C++.
While the tool is widely used for legitimate purposes, cybercriminals have now found a way to exploit it for malicious activities.
The attack begins with a seemingly harmless file, a malicious “.LNK” shortcut, which is likely spread through spam emails. Once opened, the file displays a fake “Installation Successful” message in Chinese.
In the background, however, it secretly downloads a Python package named “python-3.12.5-embed-amd64.zip” and creates a directory on the target system.
This malicious file then executes an obfuscated Python script (update.py) from the online source paste[.]ee, which was not detected by the VirusTotal scanning service.
To maintain access, the malware sets up a scheduled task, “MicrosoftHealthcareMonitorNode,” which runs every four hours or when the computer starts, using SYSTEM-level privileges.
If the system does not have VSCode already installed, the malware fetches the Visual Studio Code Command Line Interface (CLI) from Microsoft’s servers.
This tool is then used to open a remote tunnel that enables the attackers to generate an 8-character activation code, giving them unauthorized remote access to the victim’s computer.
Once access is established, the malware gathers sensitive system information, such as data from critical directories, running processes, user details, and even geographical locations.
With this, hackers can fully control the victim’s machine, accessing files, directories, and the terminal.
This discovery highlights the growing sophistication of cyberattacks and emphasizes the need for vigilance, especially with common developer tools like VSCode. Users are advised to be cautious of unexpected email attachments and ensure their systems are protected against such threats.
