Chinese APT Exploits VSCode to Target Asian Governments

Unit 42 researchers uncovered that the Chinese APT group Stately Taurus abused Visual Studio Code in espionage operations targeting Southeast Asian governments. This novel technique used VS Code's embedded reverse shell to gain a foothold, with links to ShadowPad backdoor activity and multiple TTPs observed by the researchers.

Keypoints

  • Threat Actor: Stately Taurus (a Chinese APT group with multiple aliases).
  • Target: Government entities in Southeast Asia.
  • Novel Technique: Abuse of Visual Studio Code’s embedded reverse shell feature to gain access.
  • Persistence: Scheduled task launching a script named startcode.bat to maintain access.
  • Exfiltration: Data exfiltration conducted via Dropbox to blend in and evade detection.
  • ShadowPad Link: A ShadowPad backdoor activity cluster operated in parallel within the same target environment, with potential connections and shared indicators.

MITRE Techniques

  • [T1219] Remote Access Software – Abuse of Visual Studio Code’s embedded reverse shell feature. Quote: ‘Exploitation of Visual Studio Code’s embedded reverse shell feature.’
  • [T1041] Data Exfiltration – Using Dropbox to exfiltrate sensitive data. Quote: ‘Using Dropbox to exfiltrate sensitive data.’
  • [T1003] Credential Dumping – Utilizing Mimikatz and LaZagne for credential harvesting. Quote: ‘Utilizing Mimikatz and LaZagne for credential harvesting.’
  • [T1021] Lateral Movement – Using PsExec and WMI for lateral movement across the network. Quote: ‘Using PsExec and WMI for lateral movement across the network.’
  • [T1021.004] SSH – OpenSSH-based lateral movement. Quote: ‘OpenSSH allows the user to connect to a remote machine via SSH.’
  • [T1560.001] Archive Collected Data – Archiving files for exfiltration (e.g., Listeners.bat). Quote: ‘Listeners.bat to archive files for exfiltration.’
  • [T1055] Process Injection – ShadowPad spawns and injects code into wmplayer.exe, which in turn spawns and injects code into dllhost.exe. Quote: ‘ShadowPad spawns and injects code into wmplayer.exe, which in turn spawns and injects code into dllhost.exe.’
  • [T1574.002] DLL Side-loading – imecmnt.exe loaded via DLL sideloading to load the ShadowPad module (imjp14k.dll). Quote: ‘abused the legitimate process imecmnt.exe via DLL sideloading to load the ShadowPad module (imjp14k.dll).’
  • [T1047] Windows Management Instrumentation (WMI) – Used WMI to execute remote processes. Quote: ‘WMI to execute remote processes in the environment.’
  • [T1110.005] Password Spraying – Tscan capabilities include scanning, password spraying and command execution. Quote: ‘Tscan’s capabilities include scanning, password spraying and command execution.’
  • [T1046] Network Service Scanning – SharpNBTScan used to perform environment scanning. Quote: ‘SharpNBTScan (renamed as win1.exe) to perform scanning in the environment.’
  • [T1003.003] NTDS.dit – NTDS.dit theft via Vssadmin and SYSTEM hive. Quote: ‘to steal Active Directory data, the attacker attempted to steal NTDS.dit as shown in Figure 12.’
  • [T1543.003] Windows Service – Persistence via a service. Quote: ‘to keep ShadowPad running on victim machines, the attacker created persistence via a service.’
  • [T1003.001] LSASS Memory Dump – Lsass-dump-main used to retrieve credentials from memory. Quote: ‘Lsass-dump-main to retrieve passwords in memory.’
  • [T1021.002] SMB/Windows Admin Shares – PsExec used for lateral movement via SMB. Quote: ‘PsExec allows the execution of processes on remote systems.’
  • [T1059] Command and Scripting Interpreter – Listeners.bat indicates batch file usage for command/script execution (embedded in the exfiltration workflow). Quote: ‘Listeners.bat to archive files for exfiltration’ (contextual reference).
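As an added defensive example (not code from the Unit 42 report), the Python script below scans process-creation and service-install records for the behaviours the keypoints and MITRE list above describe: the VS Code CLI started in tunnel mode (the assumed form of the "embedded reverse shell" feature), a scheduled task whose action is startcode.bat, the wmplayer.exe to dllhost.exe injection chain, and the ShadowPad service names. The key=value log format and the sample events are constructed for the example.

```python
import re

# Constructed sample telemetry (not from the report): simplified process-creation
# and service-install records, one event per line, values optionally quoted.
SAMPLE_LOGS = [
    'type=proc image="C:\\Program Files\\Microsoft VS Code\\code.exe" cmd="code.exe tunnel --accept-server-license-terms" parent=cmd.exe',
    'type=proc image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /create /tn Update /tr C:\\Temp\\startcode.bat /sc minute" parent=cmd.exe',
    'type=service name=WindowsEdgeUpdateServices path=C:\\ProgramData\\imecmnt.exe',
    'type=proc image=C:\\Windows\\System32\\dllhost.exe cmd=dllhost.exe parent=wmplayer.exe',
    'type=proc image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe parent=explorer.exe',
]

# Service names listed in the report's ShadowPad indicators.
SHADOWPAD_SERVICE_NAMES = {
    "WindowsMailServices", "test12", "WindowsEdgeUpdateServices", "Javaservice",
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}

def match_event(ev):
    """Return the detection labels that fire for one parsed event."""
    hits = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmd", "").lower()
    parent = ev.get("parent", "").lower()
    if ev.get("type") == "proc":
        # VS Code CLI launched in tunnel mode (assumed form of the reverse-shell feature).
        if image == "code.exe" and re.search(r"\btunnel\b", cmd):
            hits.append("T1219 vscode-tunnel")
        # Scheduled task whose action is the startcode.bat script named in the report.
        if image == "schtasks.exe" and "/create" in cmd and "startcode.bat" in cmd:
            hits.append("startcode.bat-scheduled-task")
        # ShadowPad injection chain: wmplayer.exe spawning dllhost.exe.
        if image == "dllhost.exe" and parent == "wmplayer.exe":
            hits.append("T1055 wmplayer-dllhost-chain")
    elif ev.get("type") == "service" and ev.get("name") in SHADOWPAD_SERVICE_NAMES:
        hits.append("T1543.003 shadowpad-service-name")
    return hits

def scan(lines):
    """Return (line_index, labels) for every event that triggers at least one rule."""
    results = []
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line))
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOGS):
        print(idx, labels)
```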

Indicators of Compromise

ShadowPad Service Names

  • WindowsMailServices
  • test12
  • WindowsEdgeUpdateServices
  • Javaservice


Appendix: Further Activity Related to ShadowPad

The threat actor used the following tools to perform reconnaissance in victim environments:

  • Tscan: The attacker used a variation of the open-source tool fscan, which they named Tscan. Tscan’s capabilities include scanning, password spraying and command execution.

The ShadowPad Activity Tools

  • ADExplorer64.exe: The attacker attempted to use AD Explorer to query an Active Directory database.

Credential Theft

  • In-Swor and Mimikatz-related tooling

NTDS.dit and Registry

  • NTDS.dit theft: Vssadmin was used to create a volume shadow copy from which NTDS.dit could be copied, and the SYSTEM hive was dumped from the registry to obtain the key needed to decrypt it.

Other Tools

  • PSEXESVC.exe: PsExec utility for lateral movement.
  • WMI: Remote process execution.

Source: https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/