Operation Digital Eye, a suspected China-nexus cyberespionage campaign, targeted business-to-business IT service providers in Southern Europe from late June to mid-July 2024. The attacks aimed to establish strategic footholds for further compromise of downstream entities. Threat actors abused Microsoft Visual Studio Code’s Remote Tunnels feature and Azure infrastructure for command and control (C2), leveraging trusted technologies to evade detection. Tools such as custom Mimikatz variants, SQL injection, and PHP-based webshells facilitated lateral movement, credential theft, and persistence.
The attackers initially gained access to targets through SQL injection vulnerabilities, leveraging the sqlmap tool to automate detection and exploitation on internet-facing web servers. Once inside, they deployed a custom PHP-based webshell known as PHPsert to maintain persistence. PHPsert’s design included obfuscation techniques, such as XOR encoding and localized filenames, to evade detection. The attackers strategically placed their infrastructure within Europe, using Microsoft Azure and M247 services to blend malicious activities with legitimate traffic, minimizing suspicion.
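The initial-access phase described above leaves traces in ordinary web-server access logs. The following triage script is an added example for defenders, not code from the report or from the actors: it parses Apache/nginx "combined" format lines, flags sqlmap's default User-Agent and common SQL-injection payload fragments in decoded query strings, and then flags POST requests to a PHP file from a source that had already been probing, which is how interaction with a dropped webshell such as PHPsert would typically look. The log lines are constructed samples, and the webshell path is unknown in advance, so that last check is a heuristic rather than a signature.

```python
"""Triage web access logs for sqlmap-driven SQL injection and follow-on
POSTs to a PHP file (possible webshell interaction).

Added example for defenders; not code from the report. Assumptions: lines are
in Apache/nginx "combined" log format; sqlmap's default User-Agent starts with
"sqlmap/" (operators can change it, so absence proves nothing); the sample
log lines below are constructed, not from the incident."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SQLMAP_UA_RE = re.compile(r"^sqlmap/", re.I)
# Generic SQLi fragments: boolean, UNION, time-based and stacked-query probes.
SQLI_RE = re.compile(
    r"(\bunion\b.{0,40}\bselect\b|\b(?:or|and)\b\s+\d+=\d+|\bsleep\(|"
    r"\bwaitfor\s+delay\b|\bbenchmark\(|'\s*--|;\s*drop\b)",
    re.I | re.S,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return indicator labels for one parsed entry."""
    hits = []
    if SQLMAP_UA_RE.search(entry["ua"]):
        hits.append("sqlmap_user_agent")
    # Decode %xx and '+' once so "%27%20AND%201%3D1" is inspected as text.
    if SQLI_RE.search(unquote_plus(entry["path"])):
        hits.append("sqli_payload")
    return hits


def triage(lines):
    """Aggregate findings per source IP. A POST to a .php path with no
    injection indicators, coming from an IP that already probed, is recorded
    as a possible webshell interaction."""
    per_ip = defaultdict(lambda: {"sqli_hits": 0, "sqlmap_ua": 0,
                                  "php_post_after_probe": []})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable line: skip rather than crash the hunt
        rec = per_ip[e["ip"]]
        hits = classify(e)
        rec["sqli_hits"] += "sqli_payload" in hits
        rec["sqlmap_ua"] += "sqlmap_user_agent" in hits
        probed = rec["sqli_hits"] > 0 or rec["sqlmap_ua"] > 0
        target = e["path"].split("?")[0].lower()
        if probed and e["method"] == "POST" and target.endswith(".php") and not hits:
            rec["php_post_after_probe"].append(e["path"])
    return dict(per_ip)


# Constructed sample log (RFC 5737 test addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2024:10:01:02 +0200] "GET /catalog.php?id=1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Jun/2024:10:01:05 +0200] '
    '"GET /catalog.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" '
    '"sqlmap/1.8#stable (https://sqlmap.org)"',
    '203.0.113.5 - - [28/Jun/2024:10:01:06 +0200] '
    '"GET /catalog.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 500 0 "-" '
    '"sqlmap/1.8#stable (https://sqlmap.org)"',
    '203.0.113.5 - - [28/Jun/2024:10:15:40 +0200] "POST /img/upload.php HTTP/1.1" '
    '200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2024:10:16:00 +0200] "GET /index.php HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; anything in php_post_after_probe is worth checking against the web root's file listing and the server's file-creation times, since a webshell written via SQL injection appears on disk without a matching upload request.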
For lateral movement and credential theft, the threat actors relied on techniques such as RDP and pass-the-hash, facilitated by a modified version of Mimikatz called bK2o.exe. This tool overwrote credential material in LSASS memory with stolen NTLM hashes, allowing the attackers to authenticate to other systems without ever recovering plaintext passwords. Additional tools, such as CreateDump, were used to dump LSASS memory for credential extraction, while commands such as reg save were used to export the Security Account Manager (SAM) database. The attackers' systematic approach included naming their files with specific patterns (e.g., do.*) to disguise malicious activities within the network.
The abuse of Visual Studio Code was a pivotal aspect of this campaign. The threat actors exploited its Remote Tunnels feature to establish backdoor access, enabling full command execution and file manipulation. A modified Visual Studio Code executable (code.exe) was deployed as a persistent service using winsw configuration files. This allowed the attackers to maintain access through Microsoft Azure-based infrastructure, leveraging its trusted status to evade application controls and firewalls.
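The post-exploitation behaviours in the two paragraphs above (reg save of the SAM hive, LSASS dumping with CreateDump, the do.* naming pattern, and code.exe run as a Remote Tunnel under a service wrapper) are all visible in endpoint process-creation and network telemetry. The hunt script below is an added example for defenders, not code from the report or from the threat actors. It assumes Sysmon-style events already flattened to JSON dicts with the field names used in the code, and the sample events are constructed, not taken from the incident. The tunnel relay domains in the network rule are taken from public VS Code Remote Tunnels documentation rather than from the report.

```python
"""Hunt endpoint telemetry for the credential-theft and VS Code Remote Tunnel
persistence behaviours described above.

Added example for defenders; not code from the report. Assumptions: events are
Sysmon-style records flattened to dicts with EventType, Image, ParentImage,
CommandLine and DestinationHostname fields; the sample events are constructed."""
import re
from pathlib import PureWindowsPath


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


# (label, predicate) rules evaluated against each ProcessCreate event.
PROCESS_RULES = [
    # reg save of a credential-bearing hive (SAM, SYSTEM or SECURITY).
    ("reg_save_credential_hive",
     lambda ev: basename(ev["Image"]) == "reg.exe"
     and re.search(r"\bsave\b.*\bhklm\\(sam|system|security)\b",
                   ev["CommandLine"], re.I) is not None),
    # createdump.exe is a .NET diagnostic tool; outside a dotnet parent it is
    # rarely legitimate. Correlate the PID argument with lsass.exe yourself.
    ("createdump_memory_dump",
     lambda ev: basename(ev["Image"]) == "createdump.exe"
     and basename(ev["ParentImage"]) != "dotnet.exe"),
    # Binaries following the "do.*" naming pattern (e.g. do.exe).
    ("do_prefixed_binary",
     lambda ev: re.fullmatch(r"do\.[a-z0-9]{1,4}", basename(ev["Image"])) is not None),
    # "code.exe tunnel ..." starts an outbound Remote Tunnel that gives the
    # tunnel owner command execution and file access on this host.
    ("vscode_remote_tunnel",
     lambda ev: basename(ev["Image"]) == "code.exe"
     and re.search(r"(^|\s)tunnel(\s|$)", ev["CommandLine"], re.I) is not None),
    # code.exe launched by something other than a user shell, explorer or
    # itself: a service wrapper such as winsw starting it at boot looks like this.
    ("vscode_unusual_parent",
     lambda ev: basename(ev["Image"]) == "code.exe"
     and basename(ev["ParentImage"]) not in
     {"explorer.exe", "code.exe", "cmd.exe", "powershell.exe"}),
]

# Remote Tunnels relay through Microsoft-hosted dev tunnel endpoints. A server
# with no developer on it has no reason to reach them. (Domains are an
# assumption from public VS Code documentation, not values from the report.)
TUNNEL_HOST_RE = re.compile(
    r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I)


def evaluate(events):
    """Return (label, event) findings in input order."""
    findings = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            findings.extend((label, ev) for label, pred in PROCESS_RULES if pred(ev))
        elif ev["EventType"] == "NetworkConnect":
            if TUNNEL_HOST_RE.search(ev.get("DestinationHostname", "")):
                findings.append(("devtunnels_connection", ev))
    return findings


def summarize(events):
    """Map each finding label to the images that triggered it."""
    out = {}
    for label, ev in evaluate(events):
        out.setdefault(label, []).append(ev["Image"])
    return out


# Constructed sample telemetry (paths and PID invented; last event is benign).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\createdump.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"createdump.exe -f C:\ProgramData\out.dmp 712"},
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\do.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "do.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\vscode\code.exe",
     "ParentImage": r"C:\ProgramData\vscode\svc.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms"},
    {"EventType": "NetworkConnect", "Image": r"C:\ProgramData\vscode\code.exe",
     "DestinationHostname": "euw.rel.tunnels.api.visualstudio.com"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Code.exe"},
]

if __name__ == "__main__":
    for label, images in summarize(SAMPLE_EVENTS).items():
        print(label, images)
```

The two code.exe rules are deliberately independent: a tunnel started interactively by a developer trips only the first, while a service-wrapped launch that hides the tunnel argument in the wrapper's XML trips only the second, and an incident like the one described trips both. Allow-list known developer workstations for the tunnel rules and treat any hit on a server as high priority.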