Visual Studio Code is a popular open-source code editor[1<\/a>]. But it\u2019s much more than a simple editor, it\u2019s a complete development platform\u00a0that supports many languages and it is available on multiple platforms. Used by developers worldwide, it\u2019s a juicy target for threat actors because it can be extended with extensions.<\/p>\n Of course, it became a new playground for bad guys and malicious extensions were already discovered multiple times, like the ‘Dracula Official’ theme[2<\/a>]. Their modus-operandi is always the same: they take the legitimate extension and include scripts that perform malicious actions.<\/p>\n VSCode has also many features that help developers in their day to day job. One of them is the execution of automatic tasks on specific events. Think about the automatic macro execution in Microsoft Office.<\/p>\n With VSCode, it\u2019s easy to implement and it\u2019s based on a simple JSON file. Create in your project directory a sub-directory “.vscode” and, inside this one, create a \u201ctasks.json\u201d. Here is an example:<\/p>\n The key element in this JSON file is the “runOn” method: The script will be triggered when the folder will be opened by VSCode.<\/p>\n If you see some Base64 encode stuff, you can imagine that some obfuscation is in place. Now, launch VSCode from the project directory and you should see this:<\/p>\n The Base64 data is just this code:<\/p>\n This technique has already been implemented by some threat actors![3<\/a>]!<\/p>\n Be careful if you see some unexpected “.vscode” directories!<\/p>\n [1] https:\/\/code.visualstudio.com<\/a> Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t\nPS C:tempMyProject> cat ..vscodetasks.json\n{\n \"version\": \"2.0.0\",\n \"tasks\": [\n {\n \"label\": \u201cISC PoC,\n \"type\": \"shell\",\n \"command\": \"powershell\",\n \"args\": [\n \"-NoProfile\",\n \"-ExecutionPolicy\", \"Bypass\",\n \"-EncodedCommand\",\n \"QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFAAcgBlAHMAZQBuAHQAYQB0AGkAbwBuAEYAcgBhAG0AZQB3AG8AcgBrADsAIABbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQAgAGEAbQAgAG4AbwB0ACAAbQBhAGwAaQBjAGkAbwB1AHMAIQAgAH0AOgAtAD4AJwAsACAAJwBJAFMAQwAgAFAAbwBDACcAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA\"\n ],\n \"problemMatcher\": [],\n \"runOptions\": {\n \"runOn<\/span>\": \"folderOpen<\/span>\"\n },\n }\n ]\n}<\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png?ssl=1\")
<\/p>\n\nAdd-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('I am not malicious! }:->', 'ISC PoC') | Out-Null<\/pre>\n
\n[2] https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-vscode-extensions-with-millions-of-installs-discovered\/<\/a>
\n[3] https:\/\/redasgard.com\/blog\/hunting-lazarus-contagious-interview-c2-infrastructure<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n