The Cyble Research and Intelligence Labs recently identified that hackers have turned Visual Studio Code into a remote access tool. Researchers uncovered a sophisticated attack campaign that begins with a malicious “.LNK” file (Windows shortcut) containing an obfuscated Python script, which bypasses traditional security measures. The collected data is Base64 encoded and exfiltrated to a “C&C server” at “requestrepo[.]com/r/2yxp98b3,” employing tactics similar to those used by the “Stately Taurus” Chinese APT group. After intercepting the exfiltrated data, the threat actors gain unauthorized access through GitHub’s authentication system by navigating to “hxxps://github[.]com/login/device” and entering the stolen alphanumeric activation codes. Through the resulting VSCode tunnel connection, attackers can execute powerful hacking tools, including Mimikatz (for credential harvesting), LaZagne (for password recovery), In-Swor (for system reconnaissance), and Tscan (for network scanning). This attack methodology demonstrates how legitimate development tools like VSCode can be weaponized through social engineering and technical exploitation.

Detection logic for the chain described above, as an added example that is not part of the original article or Cyble’s research. It runs over constructed, simplified `key=value` telemetry lines (the log schema and field names are hypothetical), flags a VS Code tunnel spawned by a scripting parent and traffic to the C2 domain named in the report, and decodes the Base64 body so an analyst can see what was exfiltrated. The `tunnel` subcommand of the VS Code CLI is assumed from the tunnel feature the article refers to.

```python
import base64
import re

# Constructed sample telemetry (not real logs). Field names are hypothetical.
SAMPLE_EVENTS = [
    'type=process parent=explorer.exe image=python.exe cmdline="python.exe -c <obfuscated payload>"',
    'type=process parent=python.exe image=code.exe cmdline="code.exe tunnel --accept-server-license-terms"',
    'type=network image=python.exe dest=requestrepo.com path=/r/2yxp98b3 body=aG9zdG5hbWU9V1MwMTt1c2VyPWFsaWNl',
    'type=network image=code.exe dest=github.com path=/login/device body=',
    'type=process parent=explorer.exe image=code.exe cmdline="code.exe D:/proj"',
]

C2_DOMAIN = "requestrepo.com"  # indicator from the report (defanged there as requestrepo[.]com)
SCRIPT_PARENTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe"}


def parse_event(line):
    """Split one key=value line into a dict, honouring double-quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S*)', line)}


def decode_b64(body):
    """Return the decoded UTF-8 text of a Base64 body, or "" if it is not valid Base64 text."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_event(ev):
    """Return the detection names triggered by a single parsed event."""
    hits = []
    if ev.get("type") == "process" and "tunnel" in ev.get("cmdline", "").split():
        # Assumption: `code.exe tunnel ...` is how the VS Code CLI opens a remote tunnel.
        # A developer starts this from a shell or the UI, not from a Python parent.
        if ev.get("parent", "").lower() in SCRIPT_PARENTS:
            hits.append("vscode_tunnel_spawned_by_script")
    if ev.get("type") == "network" and ev.get("dest") == C2_DOMAIN:
        hits.append("c2_beacon_requestrepo")
        decoded = decode_b64(ev.get("body", ""))
        if decoded:
            hits.append("exfil_b64:" + decoded)  # surface the decoded payload for triage
    return hits


def scan(lines):
    """Map line index -> triggered detections for every line that fired at least one."""
    findings = {}
    for i, line in enumerate(lines):
        hits = check_event(parse_event(line))
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```
<test>
assert decode_b64("aG9zdG5hbWU9V1MwMTt1c2VyPWFsaWNl") == "hostname=WS01;user=alice"
assert decode_b64("") == ""
assert decode_b64("not base64!") == ""
assert check_event(parse_event(SAMPLE_EVENTS[4])) == []
assert check_event(parse_event(SAMPLE_EVENTS[3])) == []
assert scan(SAMPLE_EVENTS) == {
    1: ["vscode_tunnel_spawned_by_script"],
    2: ["c2_beacon_requestrepo", "exfil_b64:hostname=WS01;user=alice"],
}
</test>
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Oct 2024 09:55:20 +0000