A suspected China-nexus threat actor has been observed abusing Visual Studio Code (VSCode) remote tunnels to maintain persistent remote access to compromised systems, according to a joint report by SentinelLabs and Tinexta Cyber. The campaign, dubbed 'Operation Digital Eye', targeted large business-to-business IT service providers in Southern Europe between late June and mid-July 2024.
VSCode tunnels, part of Microsoft’s Remote Development feature, let a developer reach a machine from VS Code or a browser through a relay operated by Microsoft: the host opens an outbound connection to the relay, so no inbound port has to be exposed, and the resulting session provides file system access and an integrated terminal for command execution. Bound to an account the attacker controls, that same capability is a ready-made backdoor, and that is how it was weaponized in this campaign.
Because the tunnel binary is Microsoft-signed and the traffic terminates at Microsoft-operated infrastructure, the activity is easy to mistake for legitimate developer or Microsoft traffic. In the observed intrusions, initial access came through SQL injection: the intruders used 'sqlmap', an automated SQL injection tool, against internet-facing web and database servers. Once inside, they deployed a PHP-based web shell called PHPsert to execute commands and stage additional payloads.
To maintain persistence, the intruders dropped a portable copy of VSCode on the compromised servers and used 'winsw', an open-source wrapper that runs an arbitrary executable as a Windows service, so the tunnel would start without a logged-on user and survive reboots. The service launched code.exe with tunnel parameters, creating a remote-access tunnel relayed through Microsoft Azure-hosted infrastructure.
For lateral movement, the attackers relied on Remote Desktop Protocol (RDP) and a custom build of the credential-stealing tool Mimikatz, named 'bK2o.exe', to perform pass-the-hash attacks. The VSCode tunnels were then used to connect to the breached systems remotely, through the browser-based VS Code client or the desktop application, after authenticating with a GitHub or Microsoft account.
Because code.exe is a Microsoft-signed executable and the tunnel traffic is carried by Microsoft Azure infrastructure, the activity blended into ordinary developer traffic: allowlists keyed on code signer or on Microsoft destination domains did not distinguish it, and the tunnel gave the operators an interactive remote session without a custom implant that endpoint tooling might flag.
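What the persistence step described above leaves behind in process-creation telemetry, and how a detection can score it, as an added example that is not code from the SentinelLabs/Tinexta report or from this article. It assumes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage, User); the four sample events, the paths such as C:\ProgramData\vsc, the host name WEB01 and the scoring thresholds are all constructed for illustration. The point is that code.exe itself is legitimate, so the signal has to come from how it is run: the `tunnel` subcommand, the suppressed license prompt, a service account, a non-interactive parent, and a binary dropped outside the normal install locations.

```python
"""Flag VS Code tunnel persistence in process-creation telemetry.

Added example for this article, not code from the SentinelLabs/Tinexta report.
Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, User);
every path, host name and event below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str
    user: str


_TOKEN = re.compile(r'"[^"]*"|\S+')
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Typical per-user and system-wide VS Code install locations (lower-cased).
STANDARD_INSTALL_DIRS = ("\\program files\\microsoft vs code\\",
                         "\\appdata\\local\\programs\\microsoft vs code\\")

# Constructed sample telemetry: paths, user names and host name are hypothetical.
SAMPLE_EVENTS: List[ProcEvent] = [
    # 0. developer launching the VS Code GUI from Explorer: not a tunnel
    ProcEvent(r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" .',
              r"C:\Windows\explorer.exe", r"CORP\dev"),
    # 1. developer starting a tunnel by hand from their own terminal: worth a look
    ProcEvent(r"C:\Users\dev\Downloads\vscode_cli\code.exe", r"code tunnel",
              r"C:\Windows\System32\cmd.exe", r"CORP\dev"),
    # 2. dropped code.exe run as a service through a winsw-style wrapper, unattended
    ProcEvent(r"C:\ProgramData\vsc\code.exe",
              r'"C:\ProgramData\vsc\code.exe" tunnel --accept-server-license-terms --name WEB01',
              r"C:\ProgramData\vsc\svc.exe", r"NT AUTHORITY\SYSTEM"),
    # 3. unrelated service host: ignored
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
]


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Dict:
    """Score one process-creation event for unattended VS Code tunnel use."""
    result: Dict = {"is_tunnel": False, "score": 0, "severity": "none", "reasons": []}
    if basename(ev.image) != "code.exe":
        return result
    toks = tokens(ev.command_line)
    # The CLI selects the tunnel feature with a positional `tunnel` subcommand
    # (this also covers `code tunnel service install`).
    positional = [t for t in toks[1:] if not t.startswith("-")]
    if not positional or positional[0].lower() != "tunnel":
        return result
    result["is_tunnel"] = True
    result["score"] += 1
    result["reasons"].append("code.exe started with the tunnel subcommand")
    if "--accept-server-license-terms" in {t.lower() for t in toks}:
        result["score"] += 1
        result["reasons"].append("license prompt suppressed: unattended start")
    if ev.user.upper().startswith("NT AUTHORITY\\"):
        result["score"] += 2
        result["reasons"].append("running as a built-in service account")
    parent = basename(ev.parent_image)
    if parent not in INTERACTIVE_PARENTS:
        result["score"] += 1
        result["reasons"].append(f"parent {parent} is not an interactive shell")
    if not any(d in ev.image.lower() for d in STANDARD_INSTALL_DIRS):
        result["score"] += 1
        result["reasons"].append("code.exe outside the standard install directories")
    score = result["score"]
    result["severity"] = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return result


def scan(events: List[ProcEvent]) -> List[Tuple[int, Dict]]:
    """Return (index, verdict) for every event that is a tunnel invocation."""
    return [(i, v) for i, v in enumerate(map(classify, events)) if v["is_tunnel"]]


if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_EVENTS):
        print(f"event {i}: {verdict['severity']} (score {verdict['score']}): "
              + "; ".join(verdict["reasons"]))
```

Two caveats for anyone turning this into a production rule. First, developers do use tunnels legitimately, so the interactive case is a review item rather than an alert; baseline which accounts and hosts are expected to run `code tunnel` before paging on it. Second, process telemetry alone misses a tunnel that was registered before logging was enabled, so pair it with the service inventory (a winsw wrapper is an executable plus an XML file of the same name that names code.exe and its arguments) and with network telemetry for the tunnel relay endpoints under devtunnels.ms and tunnels.api.visualstudio.com, since allowlisting by code signer or by Microsoft-owned destination is exactly what this technique exploits.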
While weak evidence points to Chinese APT groups like STORM-0866 or Sandman APT, the exact actor behind Operation Digital Eye remains unclear due to the extensive sharing of malware, operational playbooks, and infrastructure management processes within the Chinese threat landscape, SentinelLabs noted.