Operation Digital Eye: Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels

Operation Digital Eye is a China‑nexus cyberespionage campaign that targeted B2B IT service providers in Southern Europe, using SQL injection to deploy a custom PHP webshell (PHPsert) and custom Mimikatz derivatives (mimCN) for credential theft and lateral movement. The actors abused Visual Studio Code Remote Tunnels and Microsoft Azure infrastructure for stealthy C2 and persistence. #OperationDigitalEye #PHPsert

Key points

  • Targets: Large business‑to‑business IT service providers in Southern Europe, attacked from late June to mid‑July 2024; such providers give adversaries a potential strategic foothold across their downstream customers.
  • Initial access: Attackers exploited SQL injection (automated with sqlmap) against internet‑facing web/database servers to deploy a PHP webshell tracked as PHPsert.
  • Persistence & C2: The campaign abused Visual Studio Code Remote Tunnels (code.exe) and Microsoft Azure infrastructure for command‑and‑control, and ran code.exe as a Windows service via winsw.
  • Credential theft & lateral movement: Custom Mimikatz modifications (mimCN family, e.g., bK2o.exe) enabled credential dumping and pass‑the‑hash attacks, with RDP and SSH used for lateral movement.
  • Obfuscation & evasion: Tools and webshell variants used multiple obfuscation techniques, custom filenames (do.*), and writable/less‑monitored directories (%SystemRoot%\Temp and %ProgramData%\Visual Studio Code) to reduce detection.
  • Infrastructure: Attack infrastructure resided in Europe (M247 and Microsoft Azure) including IPs 146.70.161[.]78, 185.76.78[.]117, 20.103.221[.]187, and 4.232.170[.]137 to blend with victim geography.
  • Attribution indicators: Shared tooling, Chinese‑language code comments, timestamp activity aligning with China Standard Time, and overlaps with prior campaigns (Tainted Love, Soft Cell) point to a China‑nexus cluster and a possible shared vendor/digital quartermaster (mimCN).

MITRE Techniques

  • [T1190] Exploit Public‑Facing Application – SQL injection was used for initial access with the sqlmap tool (“…the attackers used the sqlmap tool to automate the detection and exploitation of SQL injection vulnerabilities.”)
  • [T1505.003] Web Shell – PHPsert was deployed to maintain persistence and execute attacker PHP code (“…the webshell uses the assert function to execute attacker‑provided PHP code.”)
  • [T1543.003] Create or Modify System Process: Windows Service – Attackers installed winsw to run code.exe as a “Visual Studio Code Service” at startup (“…used the winsw tool to run it as a Windows service… executes code.exe with the tunnel command‑line parameter at every system startup.”)
  • [T1027] Obfuscated Files or Information – PHPsert and binaries used XOR encoding, hex encoding, string concatenation, randomized variable names, and dynamic stack string construction (“…uses various code obfuscation techniques, including XOR encoding, hexadecimal character representation, string concatenation, and randomized variable names.”)
  • [T1003] OS Credential Dumping – Tools such as CreateDump and custom mimCN binaries extracted LSASS memory and SAM data to retrieve credentials (“…used the CreateDump tool to extract memory allocated to the LSASS process and exfiltrate credentials.”)
  • [T1550.002] Pass the Hash – Custom Mimikatz modification bK2o.exe implemented pass‑the‑hash by overwriting LSASS memory and injecting NTLM hashes (“…bK2o.exe implements a pass‑the‑hash technique by overwriting LSASS memory…”)
  • [T1021.001] Remote Services: RDP – Lateral movement used RDP connections across the internal network (“…moved laterally across the internal network, primarily using RDP connections…”)
  • [T1021.004] Remote Services: SSH – SSH was used for remote command execution after deploying authorized_keys for authentication (“…remote command execution: SSH access, enabled by deploying authorized_keys files containing public keys for authentication…”)
  • [T1071.001] Application Layer Protocol: Web Protocols – Visual Studio Code Remote Tunnels and devtunnels.ms domains were used as an application‑layer C2 channel (“…creation of dev tunnels involved establishing connections to the server with the domain [REDACTED].euw.devtunnels.ms which resolved to the IP address 20.103.221[.]187.”)
  • [T1078] Valid Accounts – Actors authenticated to Visual Studio Code tunnels using GitHub or Microsoft accounts to access endpoints (“…authenticated using GitHub accounts and accessed the compromised endpoints through the browser‑based version of Visual Studio Code.”)
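As an added detection example (not code from the report or its authors), the following Python hunt runs over constructed process-creation, service-install and DNS telemetry and flags the tradecraft described in the Key points and the T1543.003 / T1071.001 entries above: code.exe launched with the tunnel parameter, a winsw-wrapped "Visual Studio Code Service", and resolutions of devtunnels.ms hosts or the listed infrastructure IPs. The JSON-lines event format, the file paths and the tunnel host name are assumptions.

```python
import json
import re

# Constructed sample telemetry in a simplified JSON-lines form (not from the report);
# paths and the tunnel host name are placeholders mirroring the reported tradecraft.
SAMPLE_LOG = [
    r'{"type":"process","image":"C:\\ProgramData\\Visual Studio Code\\code.exe","cmdline":"code.exe tunnel","parent":"C:\\ProgramData\\Visual Studio Code\\winsw.exe"}',
    r'{"type":"process","image":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","cmdline":"Code.exe --version","parent":"C:\\Windows\\explorer.exe"}',
    r'{"type":"service","name":"Visual Studio Code Service","image":"C:\\ProgramData\\Visual Studio Code\\winsw.exe","start":"auto"}',
    r'{"type":"dns","query":"placeholder-tunnel.euw.devtunnels.ms","answer":"20.103.221.187"}',
    r'{"type":"dns","query":"update.code.visualstudio.com","answer":"198.51.100.10"}',
]

# Writable, lightly monitored staging directories named in the report.
DROP_DIRS = re.compile(r"\\(Windows\\Temp|ProgramData\\Visual Studio Code)\\", re.I)
DEVTUNNELS = re.compile(r"(^|\.)devtunnels\.ms$", re.I)
# Infrastructure addresses from the report's IoC section (defanged there with [.]).
IOC_IPS = {"146.70.161.78", "185.76.78.117", "20.103.221.187", "4.232.170.137"}


def check_event(ev):
    """Return (severity, technique, reason) tuples for one parsed event."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        # code.exe launching a dev tunnel is the remote-access primitive abused in the campaign.
        if image.lower().endswith("\\code.exe") and re.search(r"\btunnel\b", cmd, re.I):
            staged = bool(DROP_DIRS.search(image)) or "winsw" in ev.get("parent", "").lower()
            hits.append(("high" if staged else "medium", "T1071.001",
                         "code.exe started with the 'tunnel' parameter"))
    elif kind == "service":
        # VS Code ships no Windows service; a winsw wrapper is the persistence step.
        if "winsw" in ev.get("image", "").lower():
            hits.append(("high", "T1543.003", f"service '{ev.get('name')}' wraps winsw"))
    elif kind == "dns":
        if DEVTUNNELS.search(ev.get("query", "")) or ev.get("answer") in IOC_IPS:
            hits.append(("high", "T1071.001",
                         f"dev tunnel resolution {ev.get('query')} -> {ev.get('answer')}"))
    return hits


def scan(lines):
    """Parse JSON-lines telemetry and return every finding with its source event."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for sev, tech, why in check_event(ev):
            findings.append({"severity": sev, "technique": tech, "reason": why, "event": ev})
    return findings
```

A tunnel started from a user profile without a winsw parent is rated medium rather than high, since developers legitimately run `code tunnel`; the staging directories and the service wrapper are what separate the campaign's use from normal activity.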

Indicators of Compromise

  • [SHA1 Hashes] Samples and tools – 0be9dd709d7d68887a92c793881dd4a010796e95 (CreateDump/do.exe), 7941909fd5c1277c6f7baf21e484c9e59ea454ee (mimCN bK2o.exe), and 18 more hashes
  • [IP Addresses] Malicious infrastructure – 146.70.161[.]78 (server used for initial SQLi access), 185.76.78[.]117 (PHPsert webshell C2), 20.103.221[.]187 (devtunnels.ms Visual Studio Code tunnel), 4.232.170[.]137 (SSH C2 on Azure)
  • [Domains] Dev tunnel domain – [REDACTED].euw.devtunnels[.]ms resolved to 20.103.221[.]187 (Visual Studio Code dev tunnel)
  • [File names / binaries] Deployed tools – code.exe (portable Visual Studio Code), bK2o.exe (custom Mimikatz pass‑the‑hash), do.exe / do.bat (CreateDump and helper scripts), PHP files named with local language/context implementing PHPsert

Read more: https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels