Summary:
A sophisticated cyberattack targeting organizations worldwide has been uncovered by Cyble Research and Intelligence Labs (CRIL). The threat actor (TA) employed a multi-stage attack, utilizing legitimate tools such as Visual Studio Code (VS Code) and GitHub to gain unauthorized remote access to victims' machines. The attack chain’s initial access is achieved through a malicious .LNK file, disguised as a legitimate setup file, which is potentially delivered to victims through spam or phishing emails. Upon execution, the .LNK file silently downloads a Python distribution package and executes a malicious Python script.

The TA leverages VSCode Remote to initiate a remote tunnel, enabling them to retrieve an activation code and gain unauthorized access to the victim's machine. This access allows the TA to interact with the system, access files, and perform additional malicious activities, including data exfiltration and further malware delivery. RequestRepo[.]com is primarily a tool for analyzing incoming HTTP and DNS requests. However, the adversary exploits it for exfiltration to capture stolen data transmitted from victim machines. To maintain persistence, the TA creates a scheduled task designed to automatically trigger the execution of the malicious Python script with elevated privileges and high priority. This attack mirrors tactics previously observed in a Stately Taurus (Mustang Panda) Chinese APT campaign targeting Europe and Asia.

Security Officer Comments:
The attack described in the report demonstrates the increasing sophistication of threat actors in leveraging legitimate tools for unauthenticated remote code execution. The use of VS Code, a widely used development tool, as a roundabout means to establish remote access is a concerning trend. Although the TTPs in this campaign mirrored the previously documented actions of Mustang Panda, CRIL was unable to confidently attribute this attack to the Chinese APT group. The adversary can establish persistence via a scheduled task on both admin-user and nonprivileged accounts, although having administrative privileges decreases the likelihood of being interrupted. Organizations maintain a proactive security posture, focusing on vigilance, enhancing existing security practices, and implementing new ones to defend against a constantly evolving threat spectrum. Additionally, organizations should prioritize the review of scheduled tasks and the enforcement of strict access controls to mitigate the risk of persistent threats. Developers who utilize VSCode should remain mindful of potential spearphishing attempts.

Suggested Corrections:
IOCs and MITRE ATT&CK TTPs are published here.

CRIL Recommendations:

• Utilize advanced endpoint protection solutions that include behavioral analysis and machine learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VSCode.
• Review scheduled tasks on all systems regularly to identify unauthorized or unusual entries. This can help detect persistence mechanisms established by threat actors.
• Conduct training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .LNK files and unknown sources.
• Limit user permissions to install software, particularly for tools that can be exploited, like VSCode. Implement application whitelisting to control which applications can be installed and run on systems.
• Deploy advanced monitoring tools that can detect unusual network traffic, unauthorized access attempts, and abnormal behavior within the system. Regularly audit and review system and application logs to catch early signs of intrusion.

Link(s):
https://www.darkreading.com/endpoint-security/python-malware-slithers-legit-vs-code

https://cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/