John Hammond, a respected name in cybersecurity, covered this topic in a YouTube video, offering a live demo and breaking down the implications. Below is a comprehensive analysis of the technique, the threats it poses, and how defenders can mitigate them.
Executive Summary
In this video, John Hammond explores a recent Unit 42 report about a Chinese APT group exploiting Visual Studio Code’s “Remote Tunnel” feature to infiltrate government networks in Asia. The attackers used code tunnel, a legitimate command built into VS Code, to create a secure connection back to their own system—all using Microsoft’s own signed infrastructure and domains.
Key Insights:
- No Malware, Just Microsoft: The attack involves no traditional malware, instead abusing VS Code’s signed binary (code.exe) and its tunneling functionality.
- Persistent Remote Access: With just a GitHub or Microsoft Entra ID login, the attackers establish full control over the target: browsing files, executing commands, and setting up command-and-control (C2) operations.
- Live Demo: Hammond’s demo showcases how easy it is to exploit this: upload the binary, run code tunnel, authenticate via GitHub, and gain full access via a browser-based VS Code instance.
- Detection & Defense:
  - Monitor suspicious command-line activity involving code.exe and the tunnel subcommand.
  - Watch for tunnel-related artifacts like tunnel.json files or unexpected process trees spawning PowerShell or cmd.exe.
  - Block relevant domains such as tunnels.api.visualstudio.com and devtunnels.ms.
  - Use AppLocker or Windows Defender Application Control (WDAC) for additional endpoint protection.
- Red Team Adoption: Tools like Cobalt Strike are beginning to integrate this method into their playbooks, using Microsoft infrastructure to bypass network defenses.
Behind the Technique: What Makes It Dangerous?
The threat actors exploited a relatively new capability in VS Code—Remote Tunnels, which allow developers to connect to their development environments from anywhere. The twist? This tunnel can be launched with zero malware, zero privilege escalation, and zero alarms.
Once an attacker has initial code execution (via phishing, RCE, etc.), they simply:
- Upload code.exe (VS Code’s portable binary).
- Run the command code tunnel.
- Authenticate via GitHub or Microsoft Entra ID.
- Access the full system via VS Code’s browser interface.
The entire setup uses Microsoft-signed code and official Microsoft domains, making detection incredibly challenging in traditional EDR setups.
What Defenders Can Do
While the attack leverages trusted tools, defenders aren’t helpless. Here’s how to stay ahead:
1. Network Monitoring
Block or closely monitor connections to:
- tunnels.api.visualstudio.com
- devtunnels.ms
Even adding these to your /etc/hosts file to redirect locally can be a lightweight defense.
2. Process Tree Analysis
Investigate cases where:
- code.exe spawns terminals (cmd.exe, PowerShell)
- Unexpected file changes occur in sensitive directories
3. File Artifacts
Look for:
- tunnel.json files in user directories
- Logs like server.txt or pid.txt linked to VS Code tunneling
4. Application Control
Use AppLocker, WDAC, or similar solutions to restrict where and how binaries like code.exe can run.
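The checks in sections 1 to 3 expressed as detection rules, as an added example that is not from the video or the Unit 42 report: the tunnel subcommand on a code.exe command line, code.exe as the parent of a shell, lookups of the two tunnel domains, and tunnel artifacts written by code.exe, run over constructed Sysmon-style events. The event field names, the sample paths and the artifact location are assumptions.

```python
# Detection rules for VS Code Remote Tunnel abuse over constructed Sysmon-style events.
# Added example; not code from the video or the Unit 42 report. Field names are assumed.
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
ARTIFACTS = ("tunnel.json", "server.txt", "pid.txt")


def basename(path: str) -> str:
    # last path component, lower-cased, for Windows or POSIX separators
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_code_binary(image: str) -> bool:
    return basename(image) in ("code.exe", "code")


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) for every event that matches a tunnel-abuse rule."""
    hits = []
    for ev in events:
        kind, image = ev.get("type"), ev.get("image", "")
        if kind == "process_create":
            cmd, parent = ev.get("command_line", ""), ev.get("parent_image", "")
            # Rule 1: code.exe invoked with the tunnel subcommand (whole-token match,
            # so opening a folder that happens to be named "tunnel" does not fire)
            if is_code_binary(image) and "tunnel" in cmd.lower().split():
                hits.append(("code_tunnel_cmdline", cmd))
            # Rule 2: code.exe is the parent of an interactive shell
            if is_code_binary(parent) and basename(image) in SHELLS:
                hits.append(("code_spawns_shell", f"{parent} -> {image}"))
        elif kind == "dns_query":
            # Rule 3: any process resolving the tunnel service domains (or subdomains)
            q = ev.get("query", "").lower()
            if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
                hits.append(("tunnel_domain_lookup", f"{image}: {q}"))
        elif kind == "file_create" and is_code_binary(image):
            # Rule 4: code.exe writing tunnel artifacts such as tunnel.json
            if basename(ev.get("path", "")) in ARTIFACTS:
                hits.append(("tunnel_artifact_written", ev["path"]))
    return hits


# Constructed sample telemetry: one attacker-style run plus two benign events.
CODE = r"C:\Users\alice\Downloads\code.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": CODE, "command_line": "code.exe tunnel",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "dns_query", "image": CODE, "query": "tunnels.api.visualstudio.com"},
    {"type": "file_create", "image": CODE, "path": r"C:\Users\alice\tunnel.json"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe", "parent_image": CODE},
    {"type": "process_create", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "command_line": "Code.exe C:\\src\\tunnel", "parent_image": "explorer.exe"},  # benign
    {"type": "dns_query", "image": "firefox.exe", "query": "github.com"},  # benign
]
```

Running detect(SAMPLE_EVENTS) yields one hit per rule for the attacker-style events and nothing for the two benign ones; in practice these rules would be fed from EDR or Sysmon process, DNS and file events rather than an inline list.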
Final Thoughts
This technique demonstrates a dangerous evolution in attacker tradecraft. The line between “legitimate tool” and “malicious vector” continues to blur, and defenders must treat every signed binary with scrutiny—especially those capable of network tunneling and remote execution.
As Hammond puts it, "It’s a remote access Trojan—just with a friendly face."
By John Hammond (Security Researcher, Educator & YouTube Creator)