Attack Chain

1. A user installs a malicious VS Code extension.
2. The extension is configured with activationEvents: ["onStartupFinished"] to run automatically when VS Code starts.
3. The VS Code extension host (Code.exe or node.exe) spawns a script interpreter (e.g., powershell.exe, cmd.exe) from within the .vscode/extensions/ directory.
4. The script interpreter executes a command to download a malicious payload from a remote server using tools like curl.exe, bitsadmin.exe, or mshta.exe.
5. The downloaded payload is saved to disk, often in a temporary directory outside of Program Files.
6. The script interpreter executes the downloaded payload, leading to further malicious activity. For example, ScreenConnect might be installed.
7. Persistence mechanisms are established (e.g., via registry keys or scheduled tasks).
8. The attacker gains remote access to the compromised system.

Impact

A successful attack can lead to the complete compromise of a developer’s workstation, potentially affecting intellectual property and sensitive data. The installation of RATs like ScreenConnect can enable persistent remote access, allowing attackers to perform data exfiltration, lateral movement, and further malicious activities. The compromised machine can then be used as a pivot point to attack other systems within the organization.

Recommendation

• Deploy the “Suspicious Execution from VS Code Extension” Sigma rule to your SIEM to detect malicious process execution from VS Code extensions.
• Monitor process creation events for script interpreters and LOLBins spawned from the .vscode/extensions/ directory.
• Implement application control policies to restrict the execution of unsigned or untrusted executables.
• Regularly review and audit installed VS Code extensions for suspicious activity or unnecessary permissions.
• Educate developers about the risks of installing extensions from untrusted sources.
• Block the C2 domains associated with ScreenConnect and other RATs at the firewall/DNS resolver.