The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
“This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a “relatively new technique” that was first demonstrated in September 2023 by Truvis Thornton.
The campaign is assessed to be a continuation of previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.
Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.
The latest observed attack sequence is notable for its abuse of Visual Studio Code’s reverse shell to execute arbitrary code and deliver additional payloads.
“To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software,” Fakterman noted. “By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account.”
Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that is connected to the infected machine, allowing them to run commands or create new files.
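Added example, not code from the Unit 42 report or this article: a small Python detector that flags process-creation events in which Visual Studio Code is launched with the `tunnel` subcommand described above, and separately notes when the binary runs from somewhere other than a standard install directory (the portable-build case the article mentions). The log format, host names, paths and the "expected install directory" heuristic are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in a simple key=value layout (not real telemetry).
# cmdline= is always the last field because command lines contain spaces.
SAMPLE_EVENTS = """\
ts=2024-09-01T08:12:03Z host=WS-01 user=CORP\\alice image=C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe cmdline="C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" --unity-launch C:\\src\\app
ts=2024-09-01T08:14:51Z host=WS-07 user=CORP\\svc_print image=C:\\Temp\\vscode\\code.exe cmdline=code.exe tunnel --accept-server-license-terms --name ws07
ts=2024-09-01T09:02:44Z host=WS-03 user=CORP\\bob image=C:\\Program Files\\Microsoft VS Code\\Code.exe cmdline="C:\\Program Files\\Microsoft VS Code\\Code.exe" tunnel
"""

EVENT_RE = re.compile(r'^ts=(\S+) host=(\S+) user=(\S+) image=(.+?) cmdline=(.*)$')
# Heuristic chosen for this example: paths outside these directories are
# reported as "unexpected" (possible portable copy). Not from the report.
EXPECTED_DIRS = ("\\program files\\microsoft vs code\\",
                 "\\appdata\\local\\programs\\microsoft vs code\\")

@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    args: List[str]          # arguments after the executable, e.g. ['tunnel', ...]
    unexpected_path: bool    # True when image is outside EXPECTED_DIRS

def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal split: honour a double-quoted first token, then whitespace."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return [cmdline]
        return [cmdline[1:end]] + cmdline[end + 1:].split()
    return cmdline.split()

def detect_vscode_tunnel(line: str) -> Optional[Finding]:
    """Return a Finding when the event is code.exe started with 'tunnel'."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    if not image.lower().endswith("\\code.exe"):
        return None
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 2 or argv[1].lower() != "tunnel":
        return None
    unexpected = not any(d in image.lower() for d in EXPECTED_DIRS)
    return Finding(ts, host, user, image, argv[1:], unexpected)

def scan(log_text: str) -> List[Finding]:
    """Run the detector over every line; drop non-matching events."""
    return [f for f in (detect_vscode_tunnel(l) for l in log_text.splitlines()) if f]
```

Running `scan(SAMPLE_EVENTS)` returns two findings (WS-07 from an unexpected path, WS-03 from the standard install directory) and ignores the ordinary editor launch on WS-01.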
It is worth pointing out that the malicious use of this technique was previously highlighted by Dutch cybersecurity firm mnemonic in connection with the zero-day exploitation of a vulnerability in Check Point’s Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.
Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Furthermore, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.
That is not all. A closer examination of the infected environment has revealed a second cluster of activity “occurring simultaneously and at times even on the same endpoints” that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.
It is currently unclear if these two intrusion sets are related to one another, or if two different groups are “piggybacking on each other’s access.”
“Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus),” Fakterman said. “However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors.”