Visual Studio Code Remote Tunnels: How Attackers Can Exploit Reverse Shells
Introduction:
With Visual Studio Code becoming one of the most widely used development tools globally, new features like Remote Tunnels are making remote development easier than ever. However, while this feature is designed to provide seamless access to remote computers and servers, it also presents potential security risks. Specifically, attackers could exploit Visual Studio Code tunnels to establish a reverse shell, gaining full control of a system, as long as they have the right credentials.
In this article, we will break down how such an attack can be executed and what steps attackers might take to gain access to a victim’s machine. By exploring how the tunnel feature in Visual Studio Code can be used for malicious purposes, we’ll highlight the vulnerabilities that can be exploited by attackers. Additionally, we’ll discuss the security measures that can be implemented to protect against this threat.
1. Creating the Tunnel (Step 1):
In the first image, you can see the code tunnel command being executed on the victim's system via the Visual Studio Code terminal. Once the command is run, Visual Studio Code prompts the victim to log in to GitHub by visiting https://github.com/login/device and entering a unique code (in this case, 0DEF-1426). This step is necessary to complete the tunnel creation, enabling remote access. The GitHub account used at this step is the identity that later gates access to the tunnel.
2. Opening the Tunnel on the Attacker’s Side (Step 2):
In the second image, we see the web interface of Visual Studio Code being accessed by the attacker after receiving the tunnel URL from the victim’s system.
Explanation: The attacker uses the tunnel URL provided by the victim’s system and attempts to access the remote system through Visual Studio Code. However, to proceed, the interface requires authentication using GitHub or a Microsoft Account.
3. GitHub Authentication Request (Step 3):
In the third image, the “Remote — Tunnels” extension of Visual Studio Code requests permission to sign in using GitHub.
Explanation: The application requests the attacker to authenticate via GitHub to verify their identity. This authentication is required for Visual Studio Code to confirm that the user is authorized to access the system through the tunnel. If different credentials from the ones used to create the tunnel are provided, access will be denied.
At this stage, attackers may need to use phishing techniques or other forms of social engineering to trick the victim into revealing their GitHub credentials. This is a critical part of the attack, as gaining the victim’s login information allows the attacker to authenticate and gain full access to the remote system. Without these credentials, the tunnel will remain inaccessible.
4. Executing the Reverse Shell (Step 4):
In this final step, we see how the reverse shell is executed from the victim’s system, allowing the attacker to gain full access. The PowerShell command shown in the terminal has been obfuscated and executed to establish a connection back to the attacker’s machine.
In this image, we are on the attacker’s side, where the attacker is using a tool called PsycheShell to generate the malicious payload. PsycheShell is a tool that helps create obfuscated PowerShell scripts for reverse shells. After executing the obfuscated PowerShell payload on the victim’s machine, it opens a remote connection back to the attacker’s IP (192.168.1.50) on port 443. This connection allows the attacker to run commands on the victim’s system, as demonstrated by listing the contents of the victim’s desktop.
To generate the reverse shell script, the attacker used PsycheShell, which is available on GitHub. This tool simplifies the process of creating obfuscated and encrypted PowerShell scripts, making it harder for the payload to be detected by security software. It can also bypass antivirus programs like Windows Defender, enabling the attacker to execute the payload without triggering security alerts. For a more in-depth look at PsycheShell and how it can be used to bypass Windows Defender, check out this article on Medium: “How to Bypass Windows Defender with Custom Reverse Shells Using PsycheShell”.
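A defender's first opportunity in the four steps above is the tunnel itself: it is started from a VS Code launcher with a tunnel subcommand on the endpoint, and it relays through Microsoft-hosted endpoints, so both the process creation and the outbound connection are visible in ordinary endpoint and proxy telemetry. The following Python is an added detection example, not code from the article or from Visual Studio Code. The event lines, host names, user names and paths are constructed; the launcher binary names and the relay domain suffixes are assumptions to verify against your own VS Code deployment and the current Remote Tunnels documentation.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the article): one process-creation or
# network event per line as space-separated key=value pairs; values containing
# spaces are double-quoted. Host, user and path values are made up.
SAMPLE_EVENTS = r'''
type=process host=WS-01 user=alice image="C:\Program Files\Microsoft VS Code\bin\code.cmd" cmdline="code tunnel"
type=process host=WS-01 user=alice image="C:\Program Files\Microsoft VS Code\Code.exe" cmdline="Code.exe tunnel service install"
type=process host=WS-02 user=bob image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir"
type=network host=WS-01 user=alice image="C:\Program Files\Microsoft VS Code\Code.exe" dest=global.rel.tunnels.api.visualstudio.com dport=443
type=network host=WS-02 user=bob image="C:\Program Files\Mozilla Firefox\firefox.exe" dest=www.example.com dport=443
'''.strip().splitlines()

# VS Code launcher binaries to watch (assumption: adjust to what your fleet installs).
VSCODE_IMAGES = {"code", "code.cmd", "code.exe", "code-tunnel.exe"}

# Relay domain suffixes used by Remote Tunnels (assumption based on the VS Code
# documentation as I recall it; confirm against current docs and your proxy logs).
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value event line into a dict (quoted values keep their spaces)."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_tunnel_domain(host):
    """True if the destination is under one of the tunnel relay suffixes."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in TUNNEL_DOMAIN_SUFFIXES)


def classify(event):
    """Return a finding for a tunnel-related event, or None if it is benign."""
    base = {"host": event.get("host"), "user": event.get("user")}
    if event.get("type") == "process" and image_name(event.get("image", "")) in VSCODE_IMAGES:
        args = [a.lower() for a in event.get("cmdline", "").split()]
        # argv[0] is the launcher itself; look for the tunnel subcommand after it.
        if "tunnel" in args[1:]:
            return {**base, "rule": "vscode_tunnel_started",
                    # "service" means the tunnel was registered to survive logoff/reboot.
                    "persistent": "service" in args,
                    "evidence": event.get("cmdline")}
    if event.get("type") == "network" and is_tunnel_domain(event.get("dest", "")):
        return {**base, "rule": "vscode_tunnel_relay_connection",
                "evidence": f'{image_name(event.get("image", ""))} -> {event["dest"]}:{event.get("dport")}'}
    return None


def detect(lines):
    """Run classify over every event line and collect the findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block over the constructed events reports the two launcher events and the relay connection and ignores the cmd.exe and browser lines. The network rule is the more robust of the two in practice, because it does not depend on which binary started the tunnel; the process rule adds the user context and distinguishes a one-off tunnel from one installed as a service. Correlating a finding from either rule with the GitHub device-login step described under Step 1 (a browser visit to github.com/login/device from the same host shortly after) is a cheap way to separate a developer who set the tunnel up deliberately from one who was walked through it.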
Conclusion:
The use of Visual Studio Code Remote Tunnels offers a convenient way for developers to access their systems remotely, but as we’ve seen, it can also be exploited by attackers with the right tools and knowledge. By utilizing a tool like PsycheShell, attackers can create obfuscated PowerShell payloads that bypass antivirus solutions like Windows Defender, establishing a reverse shell and gaining full control over the victim’s machine.
This scenario highlights the importance of strong security practices, such as multi-factor authentication (MFA), avoiding the reuse of credentials across platforms, and training users to recognize phishing and social engineering attacks. Organizations should also employ advanced security solutions that can detect and block obfuscated scripts and encrypted communications.
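The call above for tooling that detects obfuscated scripts can be made concrete at the process-creation layer: the launch flags of powershell.exe (hidden window, profile and execution-policy suppression, an encoded command) are visible in plain text even when the script body is not, and the encoded body is just base64 over UTF-16LE that a detection pipeline can decode and inspect before deciding. The following Python is an added example, not code from the article or from PsycheShell. The command lines are constructed, the encoded samples are built at runtime from harmless scripts, and the indicator list, weights and threshold are a local choice to tune, not a standard.

```python
import base64
import re


def encode_ps(script):
    """Encode a script the way powershell.exe expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(token):
    """Inverse of encode_ps; returns None when the token is not a valid encoded command."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample process command lines (not from the article). The encoded
# ones are produced here with encode_ps so the sample stays readable; only the
# second and third should score as suspicious.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -Command Get-Date",
    "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + encode_ps("Write-Host 'hello'"),
    "powershell.exe -w hidden -ep bypass -e "
    + encode_ps("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s)))"),
    "notepad.exe C:\\notes.txt",
]

# Patterns looked for inside the decoded script; names and weights are a local choice.
CONTENT_INDICATORS = [
    ("invoke_expression", r"\b(iex|invoke-expression)\b"),
    ("nested_base64", r"frombase64string"),
    ("raw_tcp_client", r"net\.sockets\.tcpclient"),
    ("download_cradle", r"downloadstring|downloadfile|invoke-webrequest"),
]
WEIGHTS = {
    "hidden_window": 2, "no_profile": 1, "execution_policy_bypass": 2, "encoded_command": 2,
    "invoke_expression": 3, "nested_base64": 2, "raw_tcp_client": 4, "download_cradle": 3,
}
THRESHOLD = 5  # sum of weights at which a launch is reported as suspicious

POWERSHELL_NAMES = ("powershell.exe", "powershell", "pwsh.exe", "pwsh")


def analyse_cmdline(cmdline):
    """Score one process command line; None if it is not a PowerShell launch."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].lower().endswith(POWERSHELL_NAMES):
        return None
    flags, decoded = set(), None
    for i in range(1, len(tokens)):
        low = tokens[i].lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        # powershell.exe accepts unambiguous prefixes of its parameter names,
        # so the common short forms are matched explicitly.
        if low in ("-w", "-win", "-windowstyle") and nxt == "hidden":
            flags.add("hidden_window")
        elif low in ("-nop", "-noprofile"):
            flags.add("no_profile")
        elif low in ("-ep", "-exec", "-executionpolicy") and nxt == "bypass":
            flags.add("execution_policy_bypass")
        elif low in ("-e", "-ec", "-enc", "-encodedcommand") and i + 1 < len(tokens):
            flags.add("encoded_command")
            decoded = decode_ps(tokens[i + 1])  # keep original case: base64 is case-sensitive
    if decoded:
        for name, pattern in CONTENT_INDICATORS:
            if re.search(pattern, decoded, re.IGNORECASE):
                flags.add(name)
    score = sum(WEIGHTS[f] for f in flags)
    return {"cmdline": cmdline, "flags": sorted(flags), "decoded": decoded,
            "score": score, "suspicious": score >= THRESHOLD}


def analyse_all(cmdlines):
    """Analyse each command line and keep only the PowerShell launches."""
    return [r for r in (analyse_cmdline(c) for c in cmdlines) if r is not None]


if __name__ == "__main__":
    for result in analyse_all(SAMPLE_CMDLINES):
        print(result["score"], result["suspicious"], result["flags"], result["decoded"])
```

The second sample scores as suspicious on launch flags alone even though its decoded body is a harmless Write-Host, which is deliberate: a hidden, profile-less, policy-bypassing encoded launch is rare in legitimate administration and is worth a look regardless of content. The third sample shows why decoding matters: the outer command line says nothing about what runs, but the decoded body reveals a further base64 layer handed to Invoke-Expression, which is exactly the layering that obfuscation tools rely on to keep the real script out of the command line. Feeding the decoded text back through decode_ps when it contains another FromBase64String literal, and pairing this with PowerShell script block logging (which records the script after all such layers are unwrapped), closes most of the gap that command-line-only inspection leaves.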
As attacks become more sophisticated, defenders must remain vigilant and proactive, ensuring that tools designed for convenience do not become vulnerabilities that attackers can easily exploit.