VScode As RAT
Agenda
01 Introduction
02 What is VSCode
03 What is Remote Development
04 Artifacts (Projection Only / TLP:RED)
ITOCHU Cyber & Intelligence Inc.
01 Introduction
Attacks overview and talk focus
[Diagram: Phishing site, Download, Downloader <in memory>, Side-Load, RAT, Open decoy, Legitimate PDF, Install, VSCode CLI, Tunnel, Microsoft Server / VSCode Server; talk focus: Operation]
Attacks overview and talk focus
• The targeted attack was observed in late September 2023.
• VSCode abuse has been a long-standing concern, but this is the first confirmed case of APT abuse.
• Attackers used a combination of RAT and VSCode tunnels to compromise PCs through two routes.
• For complete details on Tropic Trooper (alias: Pirate Panda, KeyBoy) attack campaigns, please refer to the VB2023 London lecture material (Unveiling Activities of Tropic Trooper 2023: Deep Analysis for Xiangoop Loader and EntryShell payload).
[Diagram: Tropic Trooper, Spear-Phishing Email <fake gift information>, C2 Server, Communication, Sign in, BLOB, Download, Side-Load, Phishing site, Downloader <in memory>, RAT, Open decoy, Legitimate PDF, Install, VSCode CLI, Tunnel, Microsoft Server / VSCode Server; talk focus: Operation]
02 What is VSCode
What is Visual Studio Code (VSCode)
• VSCode is a code editor released by Microsoft in April 2015 (and is open source).
• It is highly multifunctional and offers useful extensions provided officially, by third-party vendors, and by the community.
• Today, VSCode has become a standard in modern development, marking an end to the "editor wars".
03 What is Remote Development
VS Code Remote Development
● Why the remote development feature is used
○ Development on an operating system different from the host.
○ Use of standardized or pre-built development environments.
○ Isolation of the development environment from the host (also as protection against malicious packages/extensions).
○ Development on a more powerful host.
● How Remote Development works
1. Connect to a remote host using methods such as SSH or tunneling.
2. The "VS Code Server" is deployed on the remote host.
3. By connecting from the developer's VSCode (Web/Standalone) on their device, they can edit source code on the remote host and execute commands.
How dev tunnels work
1. Authentication using a GitHub, Microsoft ID, or Entra ID account establishes a connection with Microsoft's tunnel server (dev tunnels).
2. An endpoint corresponding to the Phase 1 connection is created.
3. Connect to the created endpoint using VSCode.
[Diagram: Developer Device, dev tunnels (hosted by Microsoft), Remote Host]
demo
04 Artifacts (Projection Only / TLP:RED)
05 Detection and Protection
How to hunt VSCode execution by network activity
● Dev Tunnels use the hosts below
○ Authentication
■ github.com
■ login.microsoftonline.com
○ Dev Tunnels
■ global.rel.tunnels.api.visualstudio.com
■ [clusterId].rel.tunnels.api.visualstudio.com
■ [clusterId]-data.rel.tunnels.api.visualstudio.com
■ *.[clusterId].devtunnels.ms
■ *.devtunnels.ms
■ The [clusterId] list is available at https://global.rel.tunnels.api.visualstudio.com/api/v1/clusters
● Detect with context
○ It is better to detect the above communications in networks where VSCode is not used, such as business departments or production segments.
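The hunting logic from this slide, written as an added example (not code from the talk or from Microsoft): it matches hostnames from DNS/proxy logs against the dev tunnels host patterns above and only reports those seen from segments where VSCode is not expected. The log format, the subnets and the cluster id "usw2" are constructed assumptions; any single DNS label is accepted as [clusterId] so the check runs offline without fetching the cluster list.

```python
import ipaddress
import re

# Dev tunnels hosts listed on the slide. [clusterId] is a single DNS label; the live
# list is at https://global.rel.tunnels.api.visualstudio.com/api/v1/clusters, but this
# offline check accepts any label so it does not depend on fetching that list.
LABEL = r"[a-z0-9-]+"
DEV_TUNNEL_PATTERNS = [
    re.compile(r"^global\.rel\.tunnels\.api\.visualstudio\.com$"),
    re.compile(rf"^{LABEL}\.rel\.tunnels\.api\.visualstudio\.com$"),
    re.compile(rf"^{LABEL}-data\.rel\.tunnels\.api\.visualstudio\.com$"),
    re.compile(rf"^(?:{LABEL}\.)+devtunnels\.ms$"),  # *.devtunnels.ms and *.[clusterId].devtunnels.ms
]
# Constructed: segments where VSCode is not expected (business departments, production).
# github.com / login.microsoftonline.com are shared with ordinary logins and are not alerted on.
NO_DEV_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.0.0/24")]

def is_dev_tunnel_host(host):
    """True if the hostname matches one of the dev tunnels host patterns."""
    h = host.lower().rstrip(".")
    return any(p.match(h) for p in DEV_TUNNEL_PATTERNS)

def in_no_dev_segment(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in NO_DEV_SEGMENTS)

def hunt(log_lines):
    """Return (src_ip, host) for dev tunnels traffic seen from non-development segments.
    Log format (constructed): '<timestamp> <src_ip> <queried_or_connected_host>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        src, host = fields[1], fields[2]
        if is_dev_tunnel_host(host) and in_no_dev_segment(src):
            hits.append((src, host))
    return hits

# Constructed sample log lines (not real traffic); the cluster id "usw2" is made up.
SAMPLE_LOG = [
    "2023-09-28T10:01:02Z 10.20.5.17 global.rel.tunnels.api.visualstudio.com",
    "2023-09-28T10:01:05Z 10.20.5.17 usw2.rel.tunnels.api.visualstudio.com",
    "2023-09-28T10:01:06Z 10.20.5.17 usw2-data.rel.tunnels.api.visualstudio.com",
    "2023-09-28T10:01:09Z 10.20.5.17 abc123-8000.usw2.devtunnels.ms",
    "2023-09-28T10:02:00Z 10.10.7.4 global.rel.tunnels.api.visualstudio.com",  # development segment
    "2023-09-28T10:02:30Z 10.20.5.17 github.com",                             # authentication only
    "2023-09-28T10:03:00Z 10.20.5.17 devtunnels.ms.example.com",              # lookalike, not a match
]

if __name__ == "__main__":
    for src, host in hunt(SAMPLE_LOG):
        print(f"dev tunnels traffic from non-dev segment: {src} -> {host}")
```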
How to hunt VSCode execution by process behavior
● "node.exe" is executed under VSCode, and its image path is "%USERPROFILE%\.vscode\cli\servers\Stable-[ID]\server\node.exe"
● PowerShell (pwsh.exe) runs under node.exe if the actor creates a new terminal
● This is anomalous, and a VSCode tunnel can be detected by that path and process name.
Safe Use of VSCode Remote Development
06 Conclusion
Conclusion
• VSCode was actually used as a RAT by an APT.
• By using dev tunnels, attackers can remotely control hosts through proxies owned by Microsoft.
• In modern development, VSCode and Remote Tunnels are very useful, but for safe use, it is recommended to use SSH or Dev Containers.
• Hunt for communications to dev tunnels and processes of the VSCode Server.
• Alternatively, deny communication to dev tunnels in segments where development communication does not occur, such as the sales department or production network.
Any Questions?
Appendix
Appendix
● Attackers can persist the tunnel process with "code tunnel service install"
● The command creates an auto-run registry entry
○ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
■ Name: Visual Studio Code Tunnel
■ Data: [Path to binary]\code.exe --verbose --cli-data-dir %USERPROFILE%\.vscode\cli tunnel service internal-run --log-to-file %USERPROFILE%\.vscode\cli\tunnel-service.log
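Detection logic for the process-behavior slide (node.exe under the Stable-[ID] server path and PowerShell spawned from it) and for the Run-key persistence in this appendix, written as an added example that is not part of the talk. The Sysmon-style event dicts, process IDs, user name and binary path are constructed; powershell.exe is matched alongside the pwsh.exe named on the slide, which goes slightly beyond the text.

```python
import re

# Image path of the VS Code Server's node.exe as given on the slide:
# %USERPROFILE%\.vscode\cli\servers\Stable-[ID]\server\node.exe
CLI_SERVER_NODE = re.compile(
    r"\\\.vscode\\cli\\servers\\Stable-[^\\]+\\server\\node\.exe$", re.IGNORECASE)
# Run-key command line installed by "code tunnel service install" (appendix slide)
TUNNEL_SERVICE_CMD = re.compile(r"\bcode\.exe\b.*\btunnel service internal-run\b", re.IGNORECASE)
# pwsh.exe is on the slide; powershell.exe is added here for coverage (assumption)
SHELL_NAMES = ("\\pwsh.exe", "\\powershell.exe")

def is_cli_server_node(image):
    return bool(CLI_SERVER_NODE.search(image))

def hunt_processes(events):
    """Flag the tunnel server's node.exe and any PowerShell it spawns.
    events: dicts with Sysmon-style keys ProcessId, Image, ParentImage."""
    findings = []
    for e in events:
        if is_cli_server_node(e["Image"]):
            findings.append(("vscode_cli_server_node", e["ProcessId"]))
        if is_cli_server_node(e["ParentImage"]) and e["Image"].lower().endswith(SHELL_NAMES):
            findings.append(("shell_under_tunnel_server", e["ProcessId"]))
    return findings

def is_tunnel_persistence(run_value_data):
    """True if an HKCU\\...\\CurrentVersion\\Run value data launches the tunnel service."""
    return bool(TUNNEL_SERVICE_CMD.search(run_value_data))

# Constructed sample telemetry (not real events); paths, IDs and user name are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Users\alice\Downloads\code.exe",
     "Image": r"C:\Users\alice\.vscode\cli\servers\Stable-abc123def456\server\node.exe"},
    {"ProcessId": 4188, "ParentImage": r"C:\Users\alice\.vscode\cli\servers\Stable-abc123def456\server\node.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"ProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\nodejs\node.exe"},  # ordinary Node.js, must not be flagged
]
SAMPLE_RUN_VALUE = (r"C:\Users\alice\Downloads\code.exe --verbose --cli-data-dir %USERPROFILE%\.vscode\cli "
                    r"tunnel service internal-run --log-to-file %USERPROFILE%\.vscode\cli\tunnel-service.log")

if __name__ == "__main__":
    print(hunt_processes(SAMPLE_EVENTS))
    print("tunnel persistence:", is_tunnel_persistence(SAMPLE_RUN_VALUE))
```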